Kimwolf
KimWolf is a cybercriminal botnet operation and an Android-focused variant or splinter of Aisuru that emerged in 2025. It is widely described as one of the largest Android botnets, with reporting that it infected more than 2 million Android-based devices globally, including Android TV boxes, smart TVs, tablets, digital photo frames, and other low-cost or unofficial streaming devices. Multiple sources describe it as linked to or grown from Aisuru, and some reporting states that KimWolf and Aisuru were likely operated by the same group. Known aliases in the reporting include kimwolf and kimwolf_operators.

The operation is associated with large-scale DDoS activity and attack-for-rent services. Reporting attributes roughly 25,000 attack commands to KimWolf and describes it as capable of record-setting attacks, including a 31.4 Tbps attack in December 2025 against Cloudflare, likely with assistance from Aisuru. The botnet is also described as monetizing access through proxy services and residential proxy resale, with administrators selling DDoS and proxy capabilities on cybercrime forums.

KimWolf primarily targets insecure Android-based consumer devices, especially devices shipped with Android debugging enabled by default, preinstalled exploitable firmware, or malware present before sale. Reporting states that it also abused residential proxy networks to reach internal network addresses and scan for exposed ADB services, including ports 5555, 5858, 12108, and 3222, and that it delivered payloads via shell scripts piped through netcat or telnet. Reporting further states that KimWolf could infect devices traditionally hidden behind firewalls and use compromised Android TV devices to pivot into local networks and infect additional devices. The botnet's command-and-control and resilience mechanisms include use of the ENS domain pawsatyou[.]eth and an ENS contract for resilient C2.

Additional infrastructure mentioned in the reporting includes the previously used domain 14emeliaterracewestroxburyma02132[.]su and downloader IPs 93.95.112.50-59 associated with Resi Rack LLC. Reporting also states that KimWolf leveraged residential proxies through a monetization chain involving Resi Rack LLC, IPIDEA, and the ByteConnect SDK, and that IPIDEA proxy services were used by KimWolf.

Operationally, KimWolf is described as a technically advanced cybercriminal group characterized by rapid adaptation to takedowns, stealth, persistence, and rapid rebuilding of infrastructure. It has been described as using Mirai-style DDoS functionality while heavily emphasizing proxying; one source states that 96.5% of bot commands were proxy-related. The botnet has also been described as being used for ad fraud, account takeovers, and web scraping.

Reporting references operators or admins using the aliases "Dort" and "Snow," and one report ties KimWolf administrators to British Columbia and Quebec in Canada and Hanover in Germany. Another cited source describes the actor as allegedly Russia-based, but this is not consistently supported across the reporting. The reporting also notes an international law-enforcement takedown in March 2026 targeting the command-and-control infrastructure of KimWolf, Aisuru, JackSkid, and Mossad.
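The profile above describes two network-visible behaviours a defender can look for: probes against the ADB ports named in the reporting (5555, 5858, 12108, 3222), whether from outside via residential proxies or from an already-infected Android TV device scanning its own LAN, and contact with the downloader range 93.95.112.50-59. The following Python script is an added example (it is not code from the original profile, from Mallory, or from any of the cited reports) that runs that detection logic over a handful of constructed, Zeek-style connection records. The record layout, the monitored address ranges, and all hostnames and addresses except the ports and downloader range taken from the profile are assumptions made for the example.

```python
"""Flag ADB-port probing and downloader contact in connection logs.

Added example, not part of the KimWolf profile or any vendor tooling.
Each constructed record is: timestamp src_ip src_port dst_ip dst_port proto
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# ADB ports named in the reporting.
ADB_PORTS = {5555, 5858, 12108, 3222}
# Downloader range named in the reporting (93.95.112.50 through .59).
DOWNLOADER_IPS = {f"93.95.112.{last}" for last in range(50, 60)}
# Monitored address space: an assumption for this example.
INTERNAL_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# Constructed sample records: one external scanner, one internal host
# sweeping four neighbours (the pivot pattern), one downloader fetch,
# and two benign or single-peer flows that must not be flagged.
SAMPLE_FLOWS = """\
2026-03-01T10:00:01Z 203.0.113.7 41022 192.168.1.20 5555 tcp
2026-03-01T10:00:02Z 203.0.113.7 41023 192.168.1.21 5555 tcp
2026-03-01T10:00:05Z 192.168.1.20 50001 192.168.1.21 5555 tcp
2026-03-01T10:00:06Z 192.168.1.20 50002 192.168.1.22 5858 tcp
2026-03-01T10:00:07Z 192.168.1.20 50003 192.168.1.23 12108 tcp
2026-03-01T10:00:08Z 192.168.1.20 50004 192.168.1.24 3222 tcp
2026-03-01T10:00:09Z 192.168.1.21 50010 93.95.112.53 80 tcp
2026-03-01T10:01:00Z 192.168.1.30 50100 192.168.1.1 443 tcp
2026-03-01T10:01:05Z 192.168.1.31 50101 192.168.1.20 5555 tcp
"""


def is_internal(addr, nets=INTERNAL_NETS):
    """True when addr falls inside one of the monitored networks."""
    ip = ip_address(addr)
    return any(ip in net for net in nets)


def parse_flows(text):
    """Parse whitespace-separated records into dicts; skip blanks/comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split()
        flows.append({"ts": ts, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def external_adb_probes(flows):
    """Inbound connections to an ADB port from outside the monitored nets."""
    return [(f["src"], f["dst"], f["dport"]) for f in flows
            if f["dport"] in ADB_PORTS
            and not is_internal(f["src"]) and is_internal(f["dst"])]


def internal_adb_scanners(flows, min_peers=3):
    """Internal hosts touching ADB ports on at least min_peers distinct peers.

    A single internal ADB connection is ordinary admin activity; a host
    sweeping several neighbours matches the LAN-pivot behaviour described
    in the reporting.
    """
    peers = defaultdict(set)
    for f in flows:
        if (f["dport"] in ADB_PORTS and is_internal(f["src"])
                and is_internal(f["dst"]) and f["src"] != f["dst"]):
            peers[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in peers.items()
            if len(dsts) >= min_peers}


def downloader_contacts(flows):
    """Any flow whose destination is in the reported downloader range."""
    return [(f["src"], f["dst"]) for f in flows if f["dst"] in DOWNLOADER_IPS]


def analyze(text):
    """Run all three checks and return the findings keyed by check name."""
    flows = parse_flows(text)
    return {"external_probes": external_adb_probes(flows),
            "internal_scanners": internal_adb_scanners(flows),
            "downloader_contacts": downloader_contacts(flows)}


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_FLOWS).items():
        print(f"{name}: {hits}")
```

On the sample data the script reports the external host 203.0.113.7 probing two devices, the internal host 192.168.1.20 sweeping four neighbours on ADB ports, and 192.168.1.21 reaching a downloader address; the single internal ADB connection from 192.168.1.31 stays below the peer threshold and is not flagged. Tune `INTERNAL_NETS` and `min_peers` to the environment before applying this to real logs.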
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- CA
- BR
- US
- DE
Tradecraft
34 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Observables
8 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
- Multinational botnet operation targeting Android TV devices for DDoS-for-hire and residential proxy resale, using Mirai-derived malware, SOCKS proxying, ENS-based resilient C2, and trojanized APKs plus ADB exploitation.
- Botnet used for large-scale DDoS attacks; noted as particularly capable of infecting devices traditionally hidden behind firewalls and rented out as attack infrastructure.
- Botnet operation used for DDoS attacks; the source says KimWolf mainly infects Android-based streaming devices such as TV boxes, smart TVs, Android tablets, and digital photo frames, and was responsible for about 25,000 DDoS attacks.
- Botnet involved in distributed-denial-of-service attacks using infected Internet-of-Things devices worldwide.