Kimwolf Android Botnet Infects Millions, Launches DDoS Attacks

  • Dec 21, 2025
  • 2 min read

Key Findings


  • The Kimwolf Android botnet has infected over 1.8 million devices globally, primarily targeting TV boxes

  • It uses advanced techniques like DNS over TLS, elliptic curve digital signatures, and blockchain domains to evade detection

  • The botnet is capable of massive DDoS attacks, issuing over 1.7 billion commands in a three-day period

  • Kimwolf shares code with the Aisuru botnet family but has been heavily redesigned to avoid detection


Background


  • The Kimwolf botnet was first discovered by researchers in October 2025, when a new sample with a standout C2 domain was analyzed

  • Within a week, the C2 domain had soared in popularity, even surpassing Google in Cloudflare's global rankings

  • Analysis revealed Kimwolf to be a large-scale Android botnet using the wolfSSL library, with capabilities including DDoS, proxy forwarding, reverse shell, and file management


Botnet Capabilities and Infrastructure


  • Kimwolf primarily targets TV boxes, with versions tracked using a "niggabox + v[number]" naming pattern

  • It uses advanced techniques like encryption, DNS over TLS, and elliptic curve digital signatures to evade detection

  • The botnet's infrastructure spans multiple C2 domains, global time zones, and versions, making it difficult to estimate the full scope of infections

  • Researchers observed around 2.7 million interacting IPs over a three-day period, indicating an infection scale exceeding 1.8 million devices


DDoS Attacks and Resilience


  • Kimwolf has been observed launching massive DDoS attacks, issuing over 1.7 billion commands between November 19 and 22

  • To maintain resilience, the botnet has adopted the use of ENS blockchain domains after its C2 domains were taken down multiple times

  • Observations and comparisons with the Aisuru botnet suggest Kimwolf's DDoS capacity could reach up to 30 Tbps


Global Spread and Impact


  • The Kimwolf botnet has infected devices in 222 countries and regions, with the top 15 countries accounting for over 70% of the infections

  • Brazil, India, and the USA are the most affected, with 14.63%, 12.71%, and 9.58% of the global infections, respectively

  • Researchers emphasize the need for increased security attention on smart TV and TV box devices, which are susceptible to issues like firmware vulnerabilities and weak passwords


Sources


  • https://securityaffairs.com/185921/malware/massive-android-botnet-kimwolf-infects-millions-strikes-with-ddos.html

  • https://www.instagram.com/p/DSX9D8DE8re/

  • https://www.securityweek.com/kimwolf-android-botnet-ensnares-1-8-million-devices/

  • https://cyberinsider.com/kimwolf-botnet-infected-1-8-million-android-tv-boxes-worldwide/
