Kimwolf Android Botnet Compromises 1.8 Million Devices Worldwide

A newly discovered Android botnet dubbed “Kimwolf” has silently compromised over 1.8 million devices globally, primarily targeting Android TV boxes in residential networks.

The massive operation, which at one point saw its command-and-control (C2) domain surpass Google in global popularity rankings, represents a significant evolution in IoT malware sophistication and scale.

Security researchers at XLab first identified the threat in late October 2025, noting its rapid expansion. By early December, the botnet had amassed approximately 2.7 million distinct source IP addresses, with a conservative estimate of 1.8 million active infected devices.

The malware explicitly targets Android-based set-top boxes, including popular models such as SuperBOX, X96Q, and MX10, effectively turning home entertainment devices into a powerful weapon for cybercriminals.

Kimwolf distinguishes itself through advanced evasion techniques rarely seen in similar malware.

It employs DNS over TLS (DoT) to conceal its resolver traffic and recently adopted the "EtherHiding" technique, resolving its infrastructure through Ethereum Name Service (ENS) domains so that it is nearly impossible to take down. This resilience allows the botnet to maintain control even after conventional domains are seized.

By the numbers, cumulative infected IPs exceeded 3.66 million, with activity peaking on December 4 at 1,829,977 distinct node IPs in a single day.

Scale & Capability.

Kimwolf Android Botnet

Technical analysis reveals the malware is compiled using the Android Native Development Kit (NDK) and integrates comprehensive capabilities including DDoS attacks, proxy forwarding, and reverse shells.

A script captured on the downloader server 93.95.112.59 directly associates Kimwolf (mreo31.apk) with Aisuru (meow217).

Kimwolf & Aisuru.

The botnet’s aggressive nature was fully displayed between November 19 and 22, when it unleashed a staggering 1.7 billion DDoS attack commands in just three days.

This “crazy” spree targeted IP addresses globally, likely as a demonstration of power rather than for tactical gain.

Researchers estimate the botnet's total attack capacity approaches 30 terabits per second (Tbps), placing it among the most potent botnets currently active.

DDoS attack targets are spread across various industries globally. Attack targets are mainly concentrated in regions like the USA, China, France, Germany, and Canada.

Command Tracking.

Interestingly, forensic analysis links Kimwolf to the notorious "Aisuru" botnet group. Code comparisons revealed shared resources, identical encryption keys, and the reuse of specific signing certificates, indicating that the Aisuru operators redesigned their infrastructure to create Kimwolf, likely to evade improved detection systems.

Security Risks for Infected Users

Attackers appear to be monetizing the infected devices by leasing them out as residential proxies.

With millions of unpatched, powerful Android devices sitting in living rooms worldwide, they remain prime targets for sophisticated threat actors looking to build resilient, high-bandwidth botnets.

ByteConnect SDK.

By deploying a component called "ByteConnect SDK," the operators can route traffic through compromised TV boxes, potentially earning upwards of $88,000 monthly based on current infection rates.

The malware's authors have also embedded taunting messages within the code, specifically targeting cybersecurity journalist Brian Krebs with derogatory domains and text outputs.

Experts warn that the rapid growth of Kimwolf highlights the critical security gaps in the smart TV ecosystem.
