Cybersecurity

Kimwolf Botnet Hijacks 1.8 Million Android Tvs, Launches...

2025-12-17 0 views admin
Kimwolf Botnet Hijacks 1.8 Million Android Tvs, Launches...

A new distributed denial-of-service (DDoS) botnet known as Kimwolf has enlisted a massive army of no less than 1.8 million infected devices comprising Android-based TVs, set-top boxes, and tablets, and may be associated with another botnet known as AISURU, according to findings from QiAnXin XLab.

"Kimwolf is a botnet compiled using the NDK [Native Development Kit]," the company said in a report published today. "In addition to typical DDoS attack capabilities, it integrates proxy forwarding, reverse shell, and file management functions."

The hyper-scale botnet is estimated to have issued 1.7 billion DDoS attack commands within a three-day period between November 19 and 22, 2025, around the same time one of its command-and-control (C2) domains – 14emeliaterracewestroxburyma02132[.]su – came first in Cloudflare's list of top 100 domains, briefly even surpassing Google.

Kimwolf's primary infection targets are TV boxes deployed in residential network environments. Some of the affected device models include TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV, and MX10. Infections are scattered globally, with Brazil, India, the U.S., Argentina, South Africa, and the Philippines registering higher concentrations. That said, the exact means by which the malware is propagated to these devices is presently unclear.

XLab said its investigation into the botnet commenced after it received a "version 4" artifact of Kimwolf from a trusted community partner on October 24, 2025. Since then, an additional eight samples were discovered last month.

"We observed that Kimwolf's C2 domains have been successfully taken down by unknown parties at least three times [in December], forcing it to upgrade its tactics and turn to using ENS (Ethereum Name Service) to harden its infrastructure, demonstrating its powerful evolutionary capability," XLab researchers said.

That's not all. Earlier this month, XLab managed to successfully seize control of one of the C2 domains, enabling it to assess the scale of the botnet.

An interesting aspect of Kimwolf is that it's tied to the infamous AISURU botnet, which has been behind some of the record-breaking DDoS attacks over the past year. It's suspected that the attackers reused code from AISURU in the early stages, before opting to develop the Kimwolf botnet to evade detection.

XLab said it's possible some of these attacks may not have come from AISURU alone, and that Kimwolf may be either participating or even leading the efforts.

Source: The Hacker News

🏷️ Tags

malwareattack

More from Cybersecurity

Cisco Vpns, Email Services Hit In Separate Threat Campaigns 2025

Cisco Vpns, Email Services Hit In Separate Threat Campaigns 2025

2025-12-19 0
Microsoft Confirms Teams Is Down And Messages Are Delayed 2025

Microsoft Confirms Teams Is Down And Messages Are Delayed 2025

2025-12-19 0
Nigeria Arrests Dev Of Microsoft 365 'raccoon0365' Phishing Platform

Nigeria Arrests Dev Of Microsoft 365 'raccoon0365' Phishing Platform

2025-12-19 0
Russia-linked Hackers Use Microsoft 365 Device Code Phishing For...

Russia-linked Hackers Use Microsoft 365 Device Code Phishing For...

2025-12-19 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views