
Kimwolf Android Botnet Infects Millions, Launches DDoS Attacks

  • Dec 21, 2025
  • 2 min read

Key Findings


  • The Kimwolf Android botnet has infected over 1.8 million devices globally, primarily targeting TV boxes

  • It hardens its command-and-control channel with DNS over TLS, elliptic curve digital signatures, and blockchain domains, which makes it harder to monitor, hijack, or take down

  • The botnet is capable of massive DDoS attacks, issuing over 1.7 billion commands in a three-day period

  • Kimwolf shares code with the Aisuru botnet family but has been heavily redesigned to avoid detection


Background


  • The Kimwolf botnet was first discovered by researchers in October 2025, when a new sample with a standout C2 domain was analyzed

  • Within a week, the C2 domain had soared in popularity, even surpassing Google in Cloudflare's global rankings

  • Analysis revealed Kimwolf to be a large-scale Android botnet using the wolfSSL library, with capabilities including DDoS, proxy forwarding, reverse shell, and file management


Botnet Capabilities and Infrastructure


  • Kimwolf primarily targets TV boxes, with versions tracked using a "niggabox + v[number]" naming pattern

  • It encrypts its C2 traffic (via the wolfSSL library), resolves its C2 domains over DNS over TLS instead of plaintext DNS, and authenticates with elliptic curve digital signatures, so plaintext DNS logging and C2 hijacking are both less effective against it

  • The botnet's infrastructure spans multiple C2 domains, global time zones, and versions, making it difficult to estimate the full scope of infections

  • Researchers observed roughly 2.7 million distinct interacting IP addresses over a three-day period; because a single infected device can appear under several addresses as it changes IPs, they put the actual number of infected devices at more than 1.8 million

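One thing a defender can do with the detail above is look for TV boxes on the local network that use encrypted DNS (port 853) toward resolvers nobody sanctioned, since that is where plaintext DNS logging stops helping. The following is an added example, not code from the original post or from the researchers who analyzed Kimwolf. It runs over a few constructed flow-log lines in a hypothetical "timestamp src dst dport proto bytes" format; the TV-box VLAN (192.0.2.0/24) and the single approved DoT resolver (198.51.100.53) are assumptions using documentation address ranges, and port 853 is matched regardless of transport because DNS over QUIC shares that port.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Assumptions for this example: where the TV boxes live and which DoT
# resolver is sanctioned. Both are RFC 5737 documentation addresses.
TV_BOX_VLAN = ip_network("192.0.2.0/24")
ALLOWED_DOT_RESOLVERS = {ip_address("198.51.100.53")}
ENCRYPTED_DNS_PORT = 853  # DNS over TLS (TCP) and DNS over QUIC (UDP)

# Constructed flow records, not real traffic. Format (hypothetical):
# ts src dst dport proto bytes
SAMPLE_FLOWS = """\
2025-11-20T01:00:01Z 192.0.2.10 198.51.100.53 853 tcp 1420
2025-11-20T01:00:05Z 192.0.2.11 203.0.113.7 853 tcp 2210
2025-11-20T01:00:09Z 192.0.2.11 203.0.113.7 853 tcp 1980
2025-11-20T01:00:12Z 192.0.2.12 203.0.113.9 443 tcp 51200
2025-11-20T01:00:15Z 192.0.2.13 203.0.113.7 853 tcp 1750
2025-11-20T01:00:20Z 192.0.2.11 203.0.113.7 853 udp 600
2025-11-20T01:00:22Z 10.0.0.5 203.0.113.7 853 tcp 1300
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record into a Flow."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return Flow(ts, ip_address(src), ip_address(dst), int(dport),
                proto.lower(), int(nbytes))


def find_suspect_dot_clients(flow_text: str) -> dict:
    """Return {host: {"flows", "bytes", "resolvers"}} for TV-box hosts that
    sent port-853 traffic to a resolver outside the allowlist."""
    suspects = defaultdict(lambda: {"flows": 0, "bytes": 0, "resolvers": set()})
    for line in flow_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        if f.src not in TV_BOX_VLAN:          # only the TV-box segment
            continue
        if f.dport != ENCRYPTED_DNS_PORT:     # only encrypted DNS
            continue
        if f.dst in ALLOWED_DOT_RESOLVERS:    # sanctioned resolver is fine
            continue
        rec = suspects[str(f.src)]
        rec["flows"] += 1
        rec["bytes"] += f.nbytes
        rec["resolvers"].add(str(f.dst))
    return dict(suspects)


def shared_resolvers(suspects: dict, min_hosts: int = 2) -> dict:
    """Group suspect hosts by resolver. Several boxes talking to the same
    unsanctioned resolver is a stronger signal than one box doing so."""
    by_resolver = defaultdict(set)
    for host, rec in suspects.items():
        for resolver in rec["resolvers"]:
            by_resolver[resolver].add(host)
    return {r: sorted(hosts) for r, hosts in by_resolver.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    found = find_suspect_dot_clients(SAMPLE_FLOWS)
    for host, rec in sorted(found.items()):
        print(f"{host}: {rec['flows']} flows, {rec['bytes']} bytes, "
              f"resolvers={sorted(rec['resolvers'])}")
    print("shared:", shared_resolvers(found))
```

The host using the approved resolver and the host outside the TV-box VLAN are ignored by design; in a real deployment the allowlist would come from the resolver configuration pushed to the devices, and the flow records from a NetFlow/IPFIX collector or firewall log rather than an inline string.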

DDoS Attacks and Resilience


  • Kimwolf has been observed launching massive DDoS attacks, issuing over 1.7 billion commands between November 19 and 22, 2025

  • After its C2 domains were taken down multiple times, the botnet added ENS (Ethereum Name Service) blockchain domains, which are resolved on-chain rather than through the conventional registrar system and so cannot be seized the same way

  • Observations and comparisons with the Aisuru botnet suggest Kimwolf's DDoS capacity could reach up to 30 Tbps


Global Spread and Impact


  • The Kimwolf botnet has infected devices in 222 countries and regions, with the top 15 countries accounting for over 70% of the infections

  • Brazil, India, and the USA are the most affected, with 14.63%, 12.71%, and 9.58% of the global infections, respectively

  • Researchers emphasize the need for increased security attention on smart TV and TV box devices, which are susceptible to issues like firmware vulnerabilities and weak passwords


Sources


  • https://securityaffairs.com/185921/malware/massive-android-botnet-kimwolf-infects-millions-strikes-with-ddos.html

  • https://www.instagram.com/p/DSX9D8DE8re/

  • https://www.securityweek.com/kimwolf-android-botnet-ensnares-1-8-million-devices/

  • https://cyberinsider.com/kimwolf-botnet-infected-1-8-million-android-tv-boxes-worldwide/

© 2025 by Explain IT Again. Powered and secured by Wix
