

The Kimwolf botnet has infected over 1.8 million Android devices worldwide, primarily smart TVs, set-top boxes, and tablets such as the TV BOX, SuperBOX, X96Q, and MX10, turning them into a massive DDoS army. QiAnXin XLab discovered it on October 24, 2025, through a suspicious malware sample; its command-and-control (C2) domain 14emeliaterracewestroxburyma02132.su briefly topped Cloudflare's global domain rankings, surpassing Google, a sign of its explosive scale.
Between November 19 and 22, 2025, Kimwolf issued 1.7 billion DDoS commands in three days. Its bots support 13 attack methods over UDP, TCP, and ICMP, and the targets were IPs in the US, China, France, Germany, and Canada. Infections span 222 countries, with hotspots in Brazil, India, the US, Argentina, South Africa, and the Philippines, peaking at nearly 1.83 million active bots on December 4. The malware uses wolfSSL to encrypt its traffic, DNS over TLS (DoT) to evade DNS-based detection, and an "EtherHiding" technique that uses Ethereum Name Service (ENS) domains to hide the real C2 servers: the bot extracts IPv6 addresses from blockchain transactions and XORs them with the key 0x93141715.
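To make the EtherHiding step concrete, here is an added analyst-side decoder (example code, not from the XLab report or the malware). The only page-derived fact is the key 0x93141715; the 4-byte big-endian repeating-key layout, the placement of the 16-byte blob at the end of the transaction calldata, and the sample calldata are all assumptions constructed for this example.

```python
import ipaddress

# XOR key reported for Kimwolf's EtherHiding C2 resolution.
# Assumption for this example: applied as a 4-byte big-endian key repeated
# across the 16-byte IPv6 address. The real byte order/layout may differ.
XOR_KEY = (0x93141715).to_bytes(4, "big")


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR data against a repeating key (XOR is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_payload(calldata_hex: str) -> bytes:
    """Pull the obfuscated 16-byte blob out of a transaction's input field.

    Assumption: the blob is the last 16 bytes of the 0x-prefixed hex
    calldata. The real Kimwolf layout is not described on this page.
    """
    hex_body = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    raw = bytes.fromhex(hex_body)
    if len(raw) < 16:
        raise ValueError("calldata shorter than one IPv6 address")
    return raw[-16:]


def decode_c2_ipv6(calldata_hex: str) -> ipaddress.IPv6Address:
    """Recover the hidden C2 IPv6 address from transaction calldata."""
    return ipaddress.IPv6Address(xor_with_key(extract_payload(calldata_hex)))


def is_plausible_c2(addr: ipaddress.IPv6Address) -> bool:
    """Analyst sanity filter: a usable C2 must be globally routable."""
    return addr.is_global and not addr.is_multicast


if __name__ == "__main__":
    # Constructed sample: a 4-byte selector followed by 2001:db8::1 XORed
    # with the key. 2001:db8::/32 is documentation space, so the decoded
    # address is a placeholder, not a real C2.
    sample = "0xdeadbeef" + "b3151aad" + "93141715" + "93141715" + "93141714"
    c2 = decode_c2_ipv6(sample)
    print(c2, "plausible C2" if is_plausible_c2(c2) else "not routable / placeholder")
```

The routability filter is there because a decoder that accepts any 16 bytes will happily produce bogons when the layout assumption is wrong; a non-global result is a hint that the offset or key order needs revisiting.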
Kimwolf is linked to the AISURU botnet. Besides DDoS, with capacity estimated at up to 30 Tbps, it is monetized through the ByteConnect SDK, which turns infected devices into residential proxies and could earn about $88,000 per month. Propagation likely relies on firmware flaws or trojanized APKs on devices in residential networks. Sinkholing showed 2.7 million unique IPs connecting to the C2, confirming that over 1.8 million devices are under its control. This hyper-scale threat underscores how exposed these IoT devices are; firmware updates and network monitoring are the recommended defences.
© 2021 CyberEnsō – Nihon Cyber Defence Co., Ltd. All Rights Reserved.