Snow

Snow is identified in reporting as a nickname/handle of an alleged botmaster involved in operating the Aisuru/Kimwolf botnet ecosystem. The Kimwolf botnet is described as mass-compromising unofficial/unsanctioned Android TV streaming boxes at scale (reported as >2 million infected devices) and then coercing infected devices to conduct DDoS attacks and relay abusive/malicious traffic as “residential proxy” exit nodes. XLab reported “definitive evidence” linking Kimwolf to the earlier Aisuru botnet via shared infrastructure and code evolution, including observation of both strains being distributed from the same IP (93.95.112[.]59). The operation is also described as leveraging proxy-related tooling and services (including installation of ByteConnect/Plainproxies SDK and involvement of Maskify in selling access to Kimwolf proxies), with observed downstream activity including credential-stuffing traffic when connecting to ByteConnect’s SDK. After public reporting, the operators allegedly retaliated by deleting Discord history, doxing a researcher (Benjamin Brundage of Synthient), and launching DDoS attacks against Synthient. The operators reportedly adopted Ethereum Name Service (ENS) text records as a resilient C2 discovery mechanism by updating ENS records with new control-server IPs and also used ENS to post taunting/doxing messages. Another alleged controller named alongside Snow is “Dort” (suggested to be associated with a Discord username “D”); a source (“Forky”) claimed Dort (a resident of Canada) and Snow were among those controlling Aisuru/Kimwolf.