Tag: Proxy-as-a-Service

  • Taming the Wolf: How the 1.8 Million-Strong Kimwolf Botnet Overtook Google Traffic

    The Kimwolf botnet has drawn intense scrutiny after researchers at QiAnXin XLab reported that it had infected more than 1.8 million Android-based devices. The compromised devices include smart TVs, set-top boxes, and tablets, all of which are now being leveraged to launch attacks against remote targets. The scale of activity proved staggering: over just three days, the botnet issued 1.7 billion commands to carry out DDoS attacks. During the same period, one of the domain names used for command and control surged to the top of Cloudflare’s list of most-requested domains, surpassing even Google.

    The highest concentration of infections has been recorded in Brazil, India, the United States, Argentina, South Africa, and the Philippines. Affected models include SuperBOX, P200, X96Q, various SmartTV lines, MX10, and others. The primary targets are devices connected to home networks. While the exact infection vector has yet to be identified, it is known that the botnet employs proxy redirection, backdoor access, and remote file management. This not only enables large-scale attacks but also allows operators to monetize traffic by turning hijacked devices into nodes within an anonymous proxy network.

    Kimwolf first came to light in late October, when analysts received a malware sample from a trusted partner. Since then, eight additional variants have been identified. In December, researchers observed at least three successful takedown attempts against the botnet’s command servers. In response, the operators migrated to Ethereum Name Service to harden their infrastructure, encrypting server IP addresses and using smart contracts to retrieve them covertly. Secure communication is maintained through DNS-over-TLS and other encryption techniques.

    Analysis shows that more than 96 percent of all commands sent to infected devices are related to providing proxy services rather than launching direct DDoS attacks. Nevertheless, the botnet supports thirteen distinct attack methods across UDP, TCP, and ICMP protocols, with targets located in the United States, China, France, Germany, and Canada.

    Additional intrigue surrounds Kimwolf’s apparent ties to another botnet, AISURU. According to investigators, both malware families initially spread via the same scripts and even shared a signing certificate. In December, a script discovered on one update server contained links to both Kimwolf and AISURU, reinforcing the conclusion that the two networks are operated by the same criminal group.

    The malware’s operating logic remains relatively straightforward: once executed, it ensures no duplicate instances are running, decrypts the address of its command server, connects, and awaits instructions. Recent versions add the ability to retrieve command-server IP addresses from Ethereum smart contract data, further reducing the botnet’s susceptibility to disruption.

    Today’s cyber threats are increasingly emanating not from compromised routers or IP cameras, as in the era of Mirai, but from televisions and set-top boxes. Kimwolf is merely one representative of this new generation of botnets—capable of harnessing millions of devices while slipping past traditional defensive measures.