Mallory

Kimwolf Android Botnet Compromises 1.8 Million Devices for DDoS and Proxy Attacks

Tags: botnet, DDoS, malware, Android, reverse shell, APK, proxy, smart TVs
Updated December 21, 2025 at 10:01 AM (4 sources)


The Kimwolf botnet has infected approximately 1.8 million Android-based devices worldwide, including smart TVs, set-top boxes, and tablets, making it one of the largest Android botnets identified to date. Security researchers from Xlab Qianxin and other organizations found that Kimwolf uses DNS over TLS to hide its resolver traffic from network monitoring and elliptic-curve digital signatures to authenticate commands, so that only its operators can issue instructions to the bots. The malware is distributed globally, with the highest infection rates in Brazil, India, and the United States, and its large and resilient network infrastructure lets it launch destructive attacks at scale.

Kimwolf is compiled using the Android NDK and provides attackers with a range of capabilities, including DDoS attacks, proxy forwarding, reverse shell access, and file management. The botnet has issued over 1.7 billion DDoS commands in a three-day period and has demonstrated resilience by shifting to Ethereum Name Service (ENS) for its command-and-control infrastructure after repeated domain takedowns. The infection mechanism involves an APK that extracts a native binary payload, ensuring persistence and single-instance execution on each device. The exact propagation method remains unclear, but the botnet's rapid evolution and global reach pose a significant threat to Android device security.

Related Stories

Kimwolf Botnet Infects Millions of Android TV Boxes and IoT Devices

The Kimwolf botnet has rapidly infected over 1.8 million Android-based devices worldwide, with security researchers warning that the true number may exceed 2 million. The malware primarily targets Android TV boxes, digital photo frames, and other IoT devices, many of which are distributed through major online retailers and often ship with weak security controls or pre-installed malicious software. Kimwolf leverages advanced techniques such as DNS-over-TLS, blockchain-based command and control via Ethereum Name Service (ENS), and residential proxy networks to evade detection and takedown efforts. The botnet enables attackers to launch high-volume DDoS attacks, monetize proxy bandwidth, and conduct lateral movement within local networks, posing a significant threat to both enterprise and consumer environments. Security experts have identified that two-thirds of Kimwolf infections are Android TV boxes lacking basic authentication, making them especially vulnerable. The operators behind Kimwolf, previously linked to the Aisuru botnet, are known for their technical sophistication and rapid adaptation to takedown attempts. Their monetization strategies include ad fraud, DDoS-for-hire services, and the resale of residential proxy bandwidth. The malware often spreads through bundled mobile apps and games, exploiting the global supply chain of low-cost Android devices. Organizations and individuals are urged to identify, isolate, and remediate infected devices to prevent further exploitation and participation in criminal infrastructure.

2 months ago
Kimwolf Botnet Abuses Residential Proxies to Infect Devices Behind Routers

Security researchers reported explosive growth of the **Kimwolf** botnet to **2+ million infected devices** globally, with heavy concentrations including Vietnam, Brazil, India, Saudi Arabia, Russia, and the United States. Synthient assessed that roughly **two-thirds of infections are insecure Android TV boxes**, and described Kimwolf’s primary impact as large-scale abuse traffic (ad fraud, account takeover attempts, scraping) and **high-capacity DDoS** capable of disrupting major websites for extended periods. A key concern is Kimwolf’s propagation method: leveraging **residential proxy networks** to effectively tunnel “back” into home/SMB networks via proxy endpoints and then infect additional devices that users assume are protected behind NAT/firewalls and consumer routers. KrebsOnSecurity further tied operational activity to the botnet controller, a threat actor using the handle **“Dort,”** who allegedly retaliated against a vulnerability discloser and the journalist with **DDoS, doxing, email flooding**, and an apparent **SWATing** incident. Open-source and commercial intelligence cited in the reporting linked “Dort” to historical aliases (e.g., **CPacket**, **M1ce**) and to accounts on cybercrime forums, and noted prior involvement in enabling abuse tooling (e.g., CAPTCHA-bypass code and temporary email services) and presence in communities associated with cybercrime groups (including references to **LAPSUS$** chat activity).

2 weeks ago
Lumen Black Lotus Labs Disrupts AISURU/Kimwolf Botnet Infrastructure After 2M Android TV Infections

**Lumen Technologies’ Black Lotus Labs** reported disrupting the **AISURU/Kimwolf** botnet ecosystem by **null-routing/dropping traffic to more than 550 command-and-control (C2) nodes and IPs** linked to the botnets’ backend infrastructure since early October 2025. The operation targeted two closely related, financially motivated botnets—**AISURU** and its Android-focused counterpart **Kimwolf**—that have become major sources of **DDoS activity** and **residential proxy abuse**, with Kimwolf drawing attention after a related domain briefly surged to the top of **Cloudflare’s global domain rankings** before being removed from the list. Researchers assessed Kimwolf as having compromised **over 2 million devices**, largely **unofficial/unsanctioned Android TV streaming boxes**, leveraging exposed **Android Debug Bridge (ADB)** services and tunneling through residential proxy networks to expand access and maintain control. Reporting also described Kimwolf’s use of proxy monetization (including attempts to offload proxy bandwidth for upfront cash) and noted that the operators reacted to disruption efforts with provocative messaging embedded in DDoS payloads; observed DDoS patterns were often **short bursts (1–2 minutes)** but sometimes extended for hours, with gaming services (e.g., *Minecraft*) cited as a common target category.

2 months ago
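The Kimwolf traits these summaries describe (exposed ADB as an access path, DNS over TLS for resolver traffic, short high-volume egress bursts for DDoS and proxy work) can be turned into a simple defender-side triage over network flow logs. This is an added example, not code from Mallory or from the researchers cited; the flow record layout, the thresholds and the sample flows are constructed assumptions.

```python
"""Flow-log triage for Kimwolf-like behaviour on LAN hosts (added example)."""
from collections import defaultdict
from dataclasses import dataclass

ADB_PORT = 5555   # Android Debug Bridge over TCP; exposed ADB is a cited access path
DOT_PORT = 853    # DNS over TLS; Kimwolf uses it to hide C2 name resolution


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since epoch (assumed field layout)
    src: str
    dst: str
    dport: int
    direction: str   # "in" = toward a LAN host, "out" = from a LAN host


def triage(flows, burst_window=120, burst_threshold=50):
    """Return {lan_host: [indicators]} for hosts showing page-described traits.

    exposed_adb: an inbound connection was accepted on tcp/5555.
    dot_egress:  the host spoke DNS over TLS outbound on tcp/853.
    burst_egress: >= burst_threshold distinct destinations within burst_window
                  seconds, matching the short 1-2 minute attack bursts reported.
    """
    inbound_adb, dot = set(), set()
    outbound = defaultdict(list)              # host -> [(ts, dst)]
    for f in flows:
        if f.direction == "in" and f.dport == ADB_PORT:
            inbound_adb.add(f.dst)            # the LAN host is the destination
        elif f.direction == "out":
            if f.dport == DOT_PORT:
                dot.add(f.src)
            outbound[f.src].append((f.ts, f.dst))
    findings = defaultdict(list)
    for h in inbound_adb:
        findings[h].append("exposed_adb")
    for h in dot:
        findings[h].append("dot_egress")
    for h, events in outbound.items():
        events.sort()                         # sliding window over time-ordered flows
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > burst_window:
                start += 1
            if len({d for _, d in events[start:end + 1]}) >= burst_threshold:
                findings[h].append("burst_egress")
                break
    return dict(findings)


def sample_flows():
    """Constructed sample: one TV box showing all three traits, one clean laptop."""
    box, laptop = "10.0.0.20", "10.0.0.30"
    flows = [Flow(1000, "203.0.113.5", box, ADB_PORT, "in"),
             Flow(1010, box, "198.51.100.1", DOT_PORT, "out"),
             Flow(2000, laptop, "192.0.2.10", 443, "out")]
    flows += [Flow(3000 + i, box, f"192.0.2.{i}", 443, "out") for i in range(60)]
    return flows
```

In practice the burst threshold should be tuned per device class, since a media box legitimately fans out to CDNs, and the ADB indicator alone is enough to warrant isolating the device.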
