A massive new DDoS botnet has already snared 1.8 million devices - here's what we know about Kimwolf


  • Kimwolf, an Android botnet with 1.8 million infected devices, is rapidly evolving using ENS for resilience
  • Its code and infrastructure overlap with AISURU, indicating both belong to the same threat group
  • AISURU remains one of the most destructive botnets, recently peaking at 29.7 Tbps in DDoS attacks

Cybersecurity researchers have spotted a major malicious botnet comprising almost two million devices which is reportedly capable of more than “just” Distributed Denial of Service (DDoS) attacks.

QiAnXin XLab published a new report on Kimwolf, an Android-based botnet that primarily targets TVs, set-top boxes, and tablets. At the moment it has infected roughly 1.8 million devices, mostly in Brazil, India, the U.S., Argentina, South Africa, and the Philippines.

How the devices get infected is still unknown, but XLab found the majority of the victims are in residential network environments, and belong to these brands: TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV, and MX10.

Owned by AISURU?

The researchers have been tracking Kimwolf for a little while now and found that the botnet was taken down multiple times already but has always returned stronger.

"We observed that Kimwolf's C2 domains have been successfully taken down by unknown parties at least three times [in December], forcing it to upgrade its tactics and turn to using ENS (Ethereum Name Service) to harden its infrastructure, demonstrating its powerful evolutionary capability," XLab researchers said.

They also said that the botnet’s source code and C2 infrastructure overlap significantly with those of AISURU, currently one of the most destructive botnets in existence.

"These two major botnets propagated through the same infection scripts between September and November, coexisting in the same batch of devices," the researchers explained. "They actually belong to the same hacker group."

AISURU is a botnet that’s made multiple headlines recently for breaking all sorts of DDoS records.

Earlier this month, Cloudflare released its 2025 Q3 DDoS threat report, detailing an attack by “the apex of botnets”. In the report, the CDN giant said AISURU counts anywhere between one and four million infected devices, and that it mounted a DDoS attack that peaked at 29.7 terabits per second (Tbps) and 14.1 billion packets per second (Bpps).

Cloudflare described it as a “UDP carpet-bombing attack bombarding an average of 15K destination ports per second”.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
