Mallory

Lumen Black Lotus Labs Disrupts AISURU/Kimwolf Botnet Infrastructure After 2M Android TV Infections

botnet, Android TV, DDoS, streaming boxes, Android, Android Debug Bridge, ADB, proxy monetization, IPs, backend infrastructure, proxy bandwidth, traffic dropping, Cloudflare
Updated January 16, 2026 at 03:58 AM · 4 sources

Lumen Technologies’ Black Lotus Labs reported disrupting the AISURU/Kimwolf botnet ecosystem by null-routing/dropping traffic to more than 550 command-and-control (C2) nodes and IPs linked to the botnets’ backend infrastructure since early October 2025. The operation targeted two closely related, financially motivated botnets—AISURU and its Android-focused counterpart Kimwolf—that have become major sources of DDoS activity and residential proxy abuse, with Kimwolf drawing attention after a related domain briefly surged to the top of Cloudflare’s global domain rankings before being removed from the list.

Researchers assessed Kimwolf as having compromised over 2 million devices, largely unofficial/unsanctioned Android TV streaming boxes, leveraging exposed Android Debug Bridge (ADB) services and tunneling through residential proxy networks to expand access and maintain control. Reporting also described Kimwolf’s use of proxy monetization (including attempts to offload proxy bandwidth for upfront cash) and noted that the operators reacted to disruption efforts with provocative messaging embedded in DDoS payloads; observed DDoS patterns were often short bursts (1–2 minutes) but sometimes extended for hours, with gaming services (e.g., Minecraft) cited as a common target category.
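Two of the indicators in the summary above lend themselves to network-side detection: a LAN device accepting inbound connections on the Android Debug Bridge port (TCP/5555) from the Internet, and a LAN device emitting short, dense outbound bursts toward a single external host, the 1–2 minute pattern the researchers describe. The Python below is an added example written for this page, not code from Black Lotus Labs or any of the cited reports; the flow-record layout, the packet thresholds and the sample records are constructed assumptions (RFC 5737 documentation addresses stand in for Internet hosts), and the Minecraft port is used only because the summary names that service category.

```python
"""Flow-log detection for two behaviours described in the Kimwolf/AISURU reporting:
(1) LAN hosts reachable on TCP/5555 (ADB over TCP) from outside the LAN,
(2) LAN hosts sending dense outbound bursts to one external destination.
All flow records below are CONSTRUCTED sample data, not captured traffic."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

ADB_PORT = 5555  # default port for ADB over TCP

# "LAN" is defined explicitly as RFC 1918 space, not ipaddress.is_private(),
# because the documentation ranges used as stand-in Internet hosts below
# (198.51.100.0/24, 203.0.113.0/24) are also classed "private" by that method.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    pkts: int


def is_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def parse_flow(line: str) -> Flow:
    # Assumed (constructed) layout: "<ISO ts> <src>:<sport> -> <dst>:<dport> <proto> pkts=<n>"
    ts, src, _, dst, proto, pk = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Flow(datetime.fromisoformat(ts), s_ip, int(s_port), d_ip, int(d_port),
                proto, int(pk.split("=", 1)[1]))


def load_flows(text: str) -> list[Flow]:
    return [parse_flow(l) for l in text.splitlines() if l.strip()]


def exposed_adb(flows: list[Flow]) -> list[str]:
    """LAN hosts that received TCP/5555 connections from non-LAN sources."""
    return sorted({f.dst for f in flows
                   if f.proto == "tcp" and f.dport == ADB_PORT
                   and is_lan(f.dst) and not is_lan(f.src)})


def lateral_adb(flows: list[Flow]) -> list[tuple[str, str]]:
    """LAN-to-LAN ADB connections, the lateral-movement pattern the reports mention."""
    return sorted({(f.src, f.dst) for f in flows
                   if f.proto == "tcp" and f.dport == ADB_PORT
                   and is_lan(f.src) and is_lan(f.dst) and f.src != f.dst})


def burst_sources(flows: list[Flow], window: timedelta = timedelta(seconds=60),
                  min_pkts: int = 5000) -> dict[tuple[str, str], int]:
    """(LAN src, external dst) pairs whose packet count inside any sliding `window`
    reaches `min_pkts`. A sliding window catches both 1-2 minute bursts and
    floods that run for hours; the thresholds are constructed, tune per network."""
    by_pair: dict[tuple[str, str], list[Flow]] = defaultdict(list)
    for f in flows:
        if is_lan(f.src) and not is_lan(f.dst):
            by_pair[(f.src, f.dst)].append(f)
    hits: dict[tuple[str, str], int] = {}
    for pair, recs in by_pair.items():
        recs.sort(key=lambda r: r.ts)
        left, total = 0, 0
        for right, rec in enumerate(recs):
            total += rec.pkts
            while recs[right].ts - recs[left].ts > window:  # shrink window from the left
                total -= recs[left].pkts
                left += 1
            if total >= min_pkts:
                hits[pair] = max(hits.get(pair, 0), total)
    return hits


# Constructed sample: an inbound ADB probe from the Internet, a UDP burst from the
# same box toward a Minecraft server (port 25565), benign low-rate traffic from a
# second host, and one LAN-to-LAN ADB connection.
SAMPLE_FLOWS = """\
2026-01-10T12:00:01 198.51.100.7:51002 -> 192.168.1.50:5555 tcp pkts=12
2026-01-10T12:00:05 192.168.1.50:40001 -> 203.0.113.9:25565 udp pkts=3000
2026-01-10T12:00:35 192.168.1.50:40002 -> 203.0.113.9:25565 udp pkts=3000
2026-01-10T12:01:05 192.168.1.50:40003 -> 203.0.113.9:25565 udp pkts=3000
2026-01-10T12:00:10 192.168.1.20:52000 -> 203.0.113.9:25565 tcp pkts=40
2026-01-10T13:00:00 192.168.1.20:52001 -> 203.0.113.9:25565 tcp pkts=40
2026-01-10T12:05:00 192.168.1.30:5555 -> 192.168.1.50:5555 tcp pkts=8
"""

if __name__ == "__main__":
    flows = load_flows(SAMPLE_FLOWS)
    print("ADB reachable from Internet:", exposed_adb(flows))
    print("LAN-to-LAN ADB:", lateral_adb(flows))
    print("Outbound bursts:", burst_sources(flows))
```

On the sample, only 192.168.1.50 is flagged for both exposed ADB and an outbound burst (9000 packets inside one 60-second window), while the host sending 40 packets an hour apart is not; the remediation the reports imply is the same in both cases, isolate the box and disable ADB over TCP or replace the device.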

Related Stories

Kimwolf Botnet Infects Millions of Android TV Boxes and IoT Devices

The Kimwolf botnet has rapidly infected over 1.8 million Android-based devices worldwide, with security researchers warning that the true number may exceed 2 million. The malware primarily targets Android TV boxes, digital photo frames, and other IoT devices, many of which are distributed through major online retailers and often ship with weak security controls or pre-installed malicious software. Kimwolf leverages advanced techniques such as DNS-over-TLS, blockchain-based command and control via Ethereum Name Service (ENS), and residential proxy networks to evade detection and takedown efforts. The botnet enables attackers to launch high-volume DDoS attacks, monetize proxy bandwidth, and conduct lateral movement within local networks, posing a significant threat to both enterprise and consumer environments. Security experts have identified that two-thirds of Kimwolf infections are Android TV boxes lacking basic authentication, making them especially vulnerable. The operators behind Kimwolf, previously linked to the Aisuru botnet, are known for their technical sophistication and rapid adaptation to takedown attempts. Their monetization strategies include ad fraud, DDoS-for-hire services, and the resale of residential proxy bandwidth. The malware often spreads through bundled mobile apps and games, exploiting the global supply chain of low-cost Android devices. Organizations and individuals are urged to identify, isolate, and remediate infected devices to prevent further exploitation and participation in criminal infrastructure.

2 months ago
Kimwolf Botnet Abuse of Residential Proxies to Infect Devices Behind Routers

Security researchers reported explosive growth of the **Kimwolf** botnet to **2+ million infected devices** globally, with heavy concentrations including Vietnam, Brazil, India, Saudi Arabia, Russia, and the United States. Synthient assessed that roughly **two-thirds of infections are insecure Android TV boxes**, and described Kimwolf’s primary impact as large-scale abuse traffic (ad fraud, account takeover attempts, scraping) and **high-capacity DDoS** capable of disrupting major websites for extended periods. A key concern is Kimwolf’s propagation method: leveraging **residential proxy networks** to effectively tunnel “back” into home/SMB networks via proxy endpoints and then infect additional devices that users assume are protected behind NAT/firewalls and consumer routers. KrebsOnSecurity further tied operational activity to the botnet controller, a threat actor using the handle **“Dort,”** who allegedly retaliated against a vulnerability discloser and the journalist with **DDoS, doxing, email flooding**, and an apparent **SWATing** incident. Open-source and commercial intelligence cited in the reporting linked “Dort” to historical aliases (e.g., **CPacket**, **M1ce**) and to accounts on cybercrime forums, and noted prior involvement in enabling abuse tooling (e.g., CAPTCHA-bypass code and temporary email services) and presence in communities associated with cybercrime groups (including references to **LAPSUS$** chat activity).

2 weeks ago
Kimwolf IoT Botnet Disrupts I2P While ISPs Sinkhole Its C2 Infrastructure

The **Kimwolf** “Internet of Things” botnet has been linked to major disruption of the anonymity network **I2P (Invisible Internet Project)** after botnet operators began using I2P to help evade takedown efforts against their command-and-control (C2) servers. I2P users reported that tens of thousands of new “routers” suddenly flooded the network, many unable to pass traffic, overwhelming I2P to the point that legitimate users could not connect; developers and users described extreme connection counts and a sharp drop in successful connections consistent with a large-scale availability attack. Separately, a major U.S. ISP reported actively **sinkholing/blocking traffic to hundreds of botnet C2 servers** associated with Kimwolf (and the related **Aisuru** botnet), citing more than **550** identified C2 endpoints over several months. Reporting attributes Kimwolf’s growth to at least **~2 million infected devices**, with operators leveraging compromised **Android TV set-top boxes** and scanning for exposed **Android Debug Bridge (ADB)** services to expand the botnet and monetize access via **residential proxy** infrastructure that makes malicious traffic appear to originate from consumer networks.

1 month ago