Pierluigi Paganini
December 21, 2025

Kimwolf is a newly discovered Android botnet linked to the Aisuru botnet that has infected over 1.8 million devices and issued more than 1.7 billion DDoS attack commands, according to XLab.
On October 24, 2025, XLab researchers received a new botnet sample with a standout C2 domain, 14emeliaterracewestroxburyma02132[.]su. Within a week, its popularity soared, even surpassing Google in Cloudflare’s global rankings. This massive-scale botnet, using the wolfSSL library, was named Kimwolf.
The Kimwolf Android botnet primarily targets TV boxes. It is compiled with the Android NDK and is equipped with DDoS, proxy forwarding, reverse shell, and file management functions. It encrypts sensitive data with a simple stack-based XOR, uses DNS over TLS (DoT) to hide its C2 communication, and authenticates C2 commands with elliptic curve digital signatures. Recent versions even incorporate EtherHiding, resolving C2 information through blockchain domains to resist takedowns.
Kimwolf follows a naming pattern of “niggabox + v[number]”; versions v4 and v5 have been tracked. By taking over one C2 domain, researchers observed around 2.7 million IPs interacting over three days, indicating a likely infection scale exceeding 1.8 million devices. Its infrastructure spans multiple C2s, global time zones, and versions, making it hard to estimate the total number of infections.
The botnet borrows its code from the Aisuru family, but its operators redesigned it to evade detection. Its primary function is traffic proxying, though it can also launch massive DDoS attacks: in one three-day period, between November 19 and 22, it issued 1.7 billion attack commands.

Kimwolf’s C2 domains have been taken down multiple times, prompting the adoption of ENS blockchain domains for resilience. Detection remains difficult due to covert techniques like DoT, low VirusTotal visibility, and rapid evolution. Researchers stress the importance of sharing intelligence to counter this large-scale, rapidly evolving threat.
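Because the bot resolves its C2 through DNS over TLS, the resolver's query log never sees those lookups; what remains visible is the encrypted TCP/853 session itself. The following is an added example, not code from the Security Affairs article or from XLab's report: a small flow-log check that flags hosts in a TV-box segment which open DoT sessions to resolvers other than the network's own. The flow-record format, the 192.168.50.0/24 segment, the approved resolver 192.168.50.1 and all sample lines are constructed for this example; port 853 for DoT is the RFC 7858 assignment.

```python
"""Flag TV-box / IoT hosts that use DNS over TLS (TCP/853) to non-approved resolvers.

Added example for the Kimwolf write-up; the record layout and addresses below
are constructed, not taken from the article or from XLab's report.
Record layout (whitespace-separated): ts src_ip src_port dst_ip dst_port proto bytes
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network
from typing import Optional, Union

DOT_PORT = 853                                       # DNS over TLS (RFC 7858)
IOT_SEGMENT = ip_network("192.168.50.0/24")          # constructed: TV-box / IoT VLAN
APPROVED_RESOLVERS = {ip_address("192.168.50.1")}    # constructed: the network's own DoT resolver

# Constructed sample flows: host .23 talks DoT to two outside resolvers, host .40 uses the
# approved resolver, 10.0.0.5 is outside the segment, and one line is malformed on purpose.
SAMPLE_FLOWS = """\
2025-12-04T10:00:01Z 192.168.50.23 41022 192.168.50.1 853 tcp 1204
2025-12-04T10:00:02Z 192.168.50.23 41023 203.0.113.7 853 tcp 2210
2025-12-04T10:00:02Z 192.168.50.23 41024 203.0.113.7 853 tcp 1980
2025-12-04T10:00:03Z 192.168.50.23 41025 198.51.100.9 853 tcp 2102
2025-12-04T10:00:05Z 192.168.50.40 53011 192.168.50.1 53 udp 140
2025-12-04T10:00:06Z 192.168.50.40 53012 192.168.50.1 853 tcp 990
2025-12-04T10:00:07Z 10.0.0.5 60011 203.0.113.7 853 tcp 1500
2025-12-04T10:00:08Z 192.168.50.77 44100 203.0.113.7 443 tcp 5400
malformed line here
"""

IPAddr = Union[IPv4Address, IPv6Address]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPAddr
    sport: int
    dst: IPAddr
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one flow record; return None for lines that do not match the layout."""
    parts = line.split()
    if len(parts) != 7:
        return None
    try:
        return Flow(parts[0], ip_address(parts[1]), int(parts[2]),
                    ip_address(parts[3]), int(parts[4]), parts[5].lower(), int(parts[6]))
    except ValueError:
        return None


def find_rogue_dot(lines, segment=IOT_SEGMENT, approved=APPROVED_RESOLVERS) -> dict:
    """Return, per host in `segment`, the DoT sessions it opened to resolvers not in `approved`.

    Result: {host: {"flows": n, "bytes": total, "resolvers": [sorted distinct peers]}}.
    Hosts that only use the approved resolver, or only plain DNS, are not reported.
    """
    hits = defaultdict(lambda: {"flows": 0, "bytes": 0, "resolvers": set()})
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        if f.src not in segment or f.proto != "tcp" or f.dport != DOT_PORT:
            continue
        if f.dst in approved:
            continue
        h = hits[str(f.src)]
        h["flows"] += 1
        h["bytes"] += f.nbytes
        h["resolvers"].add(str(f.dst))
    return {host: {"flows": v["flows"], "bytes": v["bytes"], "resolvers": sorted(v["resolvers"])}
            for host, v in hits.items()}


if __name__ == "__main__":
    for host, info in find_rogue_dot(SAMPLE_FLOWS.splitlines()).items():
        print(f"{host}: {info['flows']} DoT flows, {info['bytes']} bytes, "
              f"peers {', '.join(info['resolvers'])}")
```

On the constructed sample only 192.168.50.23 is reported: three sessions to two outside resolvers. The check is deliberately narrow (segment, protocol, port, peer allow-list) so that a household's legitimate DoT client on another VLAN does not trip it; a TV box in an IoT segment that negotiates TLS with several public resolvers on its own is the pattern worth a second look, whatever the malware family behind it.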
On December 1, researchers took over a Kimwolf C2 domain, revealing over 3.66 million cumulative infected IPs, peaking at ~1.83 million on December 4. Subsequent takedowns on other C2s forced operators to reconfigure, reducing daily active nodes to ~200,000. Observations and comparisons with Aisuru suggest Kimwolf’s DDoS capacity nears 30 Tbps. High-profile attacks on November 23 and December 9 confirmed its involvement. Kimwolf and Aisuru share infection scripts and likely operate under the same group.
The researchers observed infected devices in 222 countries and regions globally. The top 15 countries by share of infected devices are: Brazil 14.63%, India 12.71%, USA 9.58%, Argentina 7.19%, South Africa 3.85%, Philippines 3.58%, Mexico 3.07%, China 3.04%, Thailand 2.46%, Saudi Arabia 2.37%, Indonesia 1.87%, Morocco 1.85%, Turkey 1.60%, Iraq 1.53%, Pakistan 1.39%.
“Giant botnets originated with Mirai in 2016, with infection targets mainly concentrated on IoT devices like home broadband routers and cameras. However, in recent years, information on multiple million-level giant botnets like Badbox, Bigpanzi, Vo1d, and Kimwolf has been disclosed, indicating that some attackers have started to turn their attention to various smart TVs and TV boxes,” concludes XLab’s report. “These devices generally suffer from problems like firmware vulnerabilities, pre-installed malicious components, weak passwords, and lack of security update mechanisms, making them extremely easy for attackers to control long-term and use for large-scale cyberattacks. One of our motives for disclosing the Kimwolf botnet this time is to call on the security community to give due attention to smart TV-related devices.”