Kimwolf Botnet: Infiltrating 1.8 Million Android TVs to Execute DDoS Attacks


A botnet called Kimwolf has infected approximately 1.8 million Android-based TVs, set-top boxes, and tablets worldwide and is using them to launch large-scale distributed denial-of-service (DDoS) attacks, according to researchers at QiAnXin XLab.

The botnet issued an estimated 1.7 billion DDoS attack commands in three days in November 2025, briefly pushing one of its command-and-control (C2) domains above Google in Cloudflare's domain rankings. XLab believes Kimwolf is linked to the AISURU botnet and that both operations belong to the same threat actor group.

Global Infection and Sophisticated Infrastructure

The Kimwolf botnet primarily targets Android-based TV devices deployed in residential networks, with infections concentrated in Brazil, India, the United States, Argentina, South Africa, and the Philippines. Affected device models include TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV, and MX10, though researchers have not yet determined exactly how the malware spreads to these devices.

QiAnXin XLab began investigating the botnet after receiving a "version 4" sample in October 2025. Their research revealed the botnet has been evolving rapidly, adapting to takedown attempts by implementing sophisticated infrastructure protection mechanisms.

"We observed that Kimwolf's C2 domains have been successfully taken down by unknown parties at least three times [in December], forcing it to upgrade its tactics and turn to using ENS (Ethereum Name Service) to harden its infrastructure, demonstrating its powerful evolutionary capability," XLab researchers explained in their report.

In early December, the security team managed to seize control of one of the command-and-control domains, allowing them to assess the botnet's scale and confirm approximately 1.83 million infected devices at its peak.

The botnet has added resilience mechanisms with each takedown. Versions seen in mid-December 2025 introduced an "EtherHiding" fallback: the bot resolves a name through the Ethereum Name Service and reads the current C2 server information from an Ethereum smart contract. The pointer to the C2 therefore lives on-chain rather than in a registrar-controlled DNS zone, which leaves no single party a takedown request can be sent to.

Connection to AISURU and Technical Capabilities

Evidence suggests Kimwolf is closely related to the infamous AISURU botnet, which has been responsible for record-breaking DDoS attacks over the past year. Researchers believe the attackers initially reused AISURU code before developing Kimwolf to evade detection.

"These two major botnets propagated through the same infection scripts between September and November, coexisting in the same batch of devices," XLab researchers stated. "They actually belong to the same hacker group."

This assessment is supported by similarities in APK packages found on the VirusTotal platform, with some using identical code signing certificates. Definitive evidence emerged on December 8, 2025, when researchers discovered an active downloader server containing scripts that referenced both Kimwolf and AISURU APKs.

The malware's functionality is straightforward but effective. Upon installation, it ensures only one instance runs on the infected device, decrypts the embedded C2 domain information, and resolves those domains over DNS-over-TLS (TCP/853), which keeps the lookups out of plaintext DNS logs. The malware then connects to the resolved servers to receive and execute commands.
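The DNS-over-TLS step is worth seeing on the wire, because it determines what a defender can and cannot observe. The following is an added example (not Kimwolf's code and not from XLab's report) of what a DoT client sends: an ordinary DNS query framed with a two-byte length prefix per RFC 7858, carried inside TLS to TCP/853. The name c2.example.invalid and the reply pointing at 203.0.113.7 are constructed placeholders, and the TLS session itself is omitted, since the point is that everything below the framing is encrypted and only the destination port and TLS metadata remain visible to the network.

```python
"""DNS-over-TLS framing (RFC 7858): ordinary DNS wire format, each message
prefixed with a 16-bit big-endian length, carried inside TLS on TCP/853.
Added example with a constructed name and a constructed resolver reply."""
import struct


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a standard DNS query (default QTYPE A, QCLASS IN) in wire format."""
    # Flags 0x0100 = recursion desired; one question, no other sections.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def dot_frame(message: bytes) -> bytes:
    """DoT (and DNS over TCP) prefix each message with its 16-bit length."""
    return struct.pack("!H", len(message)) + message


def dot_unframe(stream: bytes) -> list:
    """Split the decrypted byte stream of a DoT session into DNS messages."""
    messages, offset = [], 0
    while offset + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, offset)
        offset += 2
        if offset + length > len(stream):
            raise ValueError("truncated DoT frame")
        messages.append(stream[offset:offset + length])
        offset += length
    return messages


def _read_name(message: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = message[offset]
        if length & 0xC0 == 0xC0:
            # Compression pointer (RFC 1035 4.1.4): continue at the 14-bit offset.
            pointer = struct.unpack_from("!H", message, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(message[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if jumped else offset


def parse_a_records(message: bytes) -> list:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", message, 0)
    offset = 12
    for _ in range(qdcount):
        _name, offset = _read_name(message, offset)
        offset += 4  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        _name, offset = _read_name(message, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack_from("!HHIH", message, offset)
        offset += 10
        rdata = message[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:
            addresses.append(".".join(str(b) for b in rdata))
    return addresses


def constructed_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Constructed resolver reply: echoes the question and adds one A record
    whose owner name is a compression pointer to the question name at offset 12."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = query[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ipv4.split("."))
    return header + question + answer


def demo_exchange(name: str = "c2.example.invalid") -> dict:
    """One DoT round trip with the TLS layer omitted. Name and answer are placeholders."""
    query = build_query(name)
    on_the_wire = dot_frame(query)  # this is the plaintext TLS would encrypt
    reply_stream = dot_frame(constructed_response(query, "203.0.113.7"))
    answers = parse_a_records(dot_unframe(reply_stream)[0])
    return {"port": 853, "client_bytes": len(on_the_wire), "answers": answers}


if __name__ == "__main__":
    print(demo_exchange())
```

The practical consequence for detection: a resolver log or a passive DNS sensor on UDP/53 never sees this query. What remains observable is a TLS session to port 853, the SNI of the resolver (if any), and the connection that follows to whatever address came back, so hunting for Kimwolf on the network has to start from flow metadata rather than DNS query names.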

Kimwolf supports 13 different DDoS attack methods across the UDP, TCP, and ICMP protocols. Attack targets are primarily located in the United States, China, France, Germany, and Canada. Notably, over 96% of observed commands were proxy tasks rather than attacks: the operators are primarily monetizing the infected devices' residential IP addresses and bandwidth as a proxy service.

Technical Indicators of Compromise

For security professionals monitoring for possible infections, the following indicators may help identify Kimwolf activity on networks:

  • Outbound connections from TV or set-top devices to Ethereum RPC gateways or other blockchain services
  • DNS-over-TLS (TCP/853) from devices that do not normally use the protocol
  • Sustained high upload volume from smart TV devices, consistent with DDoS or proxy traffic
  • Connection attempts to the C2 domains published in the XLab report
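To make that list actionable, here is an added example (not from XLab or this article) that runs the four checks over constructed flow records. It assumes an asset inventory that tags TV and set-top devices by IP, an operator-maintained C2 domain list (placeholder names here, since the real list belongs to the XLab report), and a short list of well-known public Ethereum RPC gateways; the 500 MB egress threshold per device per log window is an arbitrary starting point.

```python
"""Flow-log triage for the Kimwolf indicators above: DNS-over-TLS from TV
devices, traffic to Ethereum RPC gateways, abnormal egress volume, and hits on
a C2 domain list. Added example; the log lines, device inventory, thresholds
and domain list are constructed for illustration, not XLab's data."""
import csv
import io
from collections import defaultdict

# Assumption: DHCP or asset inventory tags TV / set-top devices by IP address.
TV_DEVICES = {"192.168.1.23", "192.168.1.40"}
# Assumption: C2 domains taken from threat intel (placeholder names, not real IoCs).
KNOWN_C2 = {"c2.example.invalid", "update.example.invalid"}
# Public Ethereum JSON-RPC gateways a TV box has no business talking to; extend from your own intel.
ETH_RPC_HOSTS = {"cloudflare-eth.com", "mainnet.infura.io"}
ETH_RPC_PORT = 8545  # default Ethereum JSON-RPC port for self-hosted nodes
DOT_PORT = 853
EGRESS_LIMIT_BYTES = 500 * 1024 * 1024  # 500 MB per source per log window (arbitrary)

# Constructed flow records: ts,src_ip,dst_ip,dst_host,proto,dst_port,bytes_out
SAMPLE_LOG = """\
2025-12-10T20:01:05Z,192.168.1.23,1.1.1.1,one.one.one.one,tcp,853,1200
2025-12-10T20:01:09Z,192.168.1.23,104.16.0.1,cloudflare-eth.com,tcp,443,4100
2025-12-10T20:02:30Z,192.168.1.23,198.51.100.9,c2.example.invalid,tcp,443,900
2025-12-10T20:05:00Z,192.168.1.23,203.0.113.50,,udp,80,380000000
2025-12-10T20:06:00Z,192.168.1.23,203.0.113.51,,udp,80,260000000
2025-12-10T20:07:00Z,192.168.1.12,142.250.0.1,www.google.com,tcp,443,52000
2025-12-10T20:08:00Z,192.168.1.40,8.8.8.8,dns.google,udp,53,300
"""

FIELDS = ["ts", "src_ip", "dst_ip", "dst_host", "proto", "dst_port", "bytes_out"]


def parse_flows(text: str) -> list:
    """Parse CSV flow records into dicts with numeric port and byte counts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["dst_port"] = int(row["dst_port"])
        row["bytes_out"] = int(row["bytes_out"])
        rows.append(row)
    return rows


def triage(flows: list) -> list:
    """Apply the four indicator rules; return (rule, src_ip, detail) tuples."""
    findings = []
    egress = defaultdict(int)
    for flow in flows:
        src, host = flow["src_ip"], flow["dst_host"]
        egress[src] += flow["bytes_out"]
        if src in TV_DEVICES and flow["proto"] == "tcp" and flow["dst_port"] == DOT_PORT:
            findings.append(("dot_from_tv", src, f"DoT to {flow['dst_ip']} ({host or 'no SNI'})"))
        if host in ETH_RPC_HOSTS or flow["dst_port"] == ETH_RPC_PORT:
            findings.append(("eth_rpc", src, host or flow["dst_ip"]))
        if host in KNOWN_C2:
            findings.append(("known_c2", src, host))
    for src, total in egress.items():
        if src in TV_DEVICES and total > EGRESS_LIMIT_BYTES:
            findings.append(("egress_volume", src, f"{total / 1e6:.0f} MB out"))
    return findings


def triage_log(text: str = SAMPLE_LOG) -> list:
    return triage(parse_flows(text))


def suspects(findings: list, min_rules: int = 2) -> list:
    """Devices hit by at least min_rules distinct rules: investigate these first."""
    per_src = defaultdict(set)
    for rule, src, _detail in findings:
        per_src[src].add(rule)
    return sorted(src for src, rules in per_src.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = triage_log()
    for hit in hits:
        print(hit)
    print("suspects:", suspects(hits))
```

Weight the rules together rather than alerting on any one of them: Android's Private DNS setting legitimately uses DoT, a wallet app can legitimately reach an Ethereum gateway, and a 4K stream downloads a lot but uploads little. A single set-top box that hits several rules in one window, as 192.168.1.23 does in the constructed log, is the pattern worth pulling off the network.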

Because Kimwolf has already moved C2 discovery on-chain after repeated domain takedowns, indicator lists built only from domains age quickly; the behavioral indicators (DoT from TV devices, blockchain traffic, abnormal upload volume) are the more durable signals.

The Shifting IoT Threat Landscape

The emergence of Kimwolf represents a concerning trend in the IoT security landscape. While earlier botnets like Mirai (2016) primarily targeted devices such as home routers and cameras, attackers have increasingly turned their attention to smart TVs and streaming devices.

"In recent years, information on multiple million-level giant botnets like Badbox, Bigpanzi, Vo1d, and Kimwolf has been disclosed, indicating that some attackers have started to turn their attention to various smart TVs and TV boxes," the researchers noted.

This shift mirrors the growing popularity of smart entertainment devices in homes worldwide. As these devices become more common, they increasingly present valuable targets for botnet operators seeking to build massive networks for malicious purposes.

According to a recent report from the Cybersecurity and Infrastructure Security Agency (CISA), IoT devices now represent one of the fastest-growing attack surfaces in both consumer and enterprise environments, with entertainment devices often receiving less security scrutiny than traditional computing devices.

Historical Context of IoT Botnets

The evolution of IoT botnets shows a clear progression from simpler attacks to more sophisticated operations:

  • 2016: Mirai botnet targets IP cameras and home routers
  • Late 2010s: Mirai variants and specialized IoT malware families proliferate
  • 2024 to 2025: AISURU botnet is linked to record-breaking DDoS attacks
  • 2025: Kimwolf adds on-chain C2 discovery and proxy-based monetization

This progression highlights how threat actors continuously adapt their techniques to exploit new categories of vulnerable devices.

Protecting Your Devices

The discovery of Kimwolf highlights the importance of treating every connected device as part of the attack surface, not just computers and smartphones. Here are key steps consumers and businesses can take to protect their smart TVs and similar devices:

  1. Regularly update firmware and software on all smart devices to patch security vulnerabilities

  2. Change default passwords where the device has any (many Android TV boxes have none), and avoid sideloading APKs from unofficial sources, since both Kimwolf and AISURU are delivered as APKs

  3. Put IoT devices on their own network segment (a separate VLAN or Wi-Fi SSID) with no path to workstations or servers, and restrict their outbound traffic to what they actually need

Smart TV owners should be particularly vigilant about unusual behavior, such as unexpected performance issues, which could indicate infection. Organizations should also implement robust monitoring systems capable of detecting unusual network traffic that might signal botnet activity.

Advanced Protection Measures

For organizations with large deployments of smart TVs or entertainment devices, additional protections should be considered:

  • Network monitoring: Deploy tools that can detect abnormal traffic patterns characteristic of botnet communication
  • Device inventory management: Maintain accurate records of all connected devices and their firmware versions
  • Security baseline policies: Establish minimum security requirements for all IoT devices before network connection

The evolution of botnets like Kimwolf, which increasingly target entertainment devices, represents what cybersecurity experts have long warned about: as our homes fill with more connected technology, attackers will find new ways to exploit these devices for profit and malicious activities.
