
QiAnXin
“Kimwolf is a botnet compiled using NDK [Native Development Kit]. In addition to typical DDoS attack capabilities, it integrates proxy forwarding, reverse shell, and file management capabilities,” the company said in a report released today.
The hyperscale botnet is estimated to have issued 1.7 billion DDoS attack commands in a three-day period from November 19 to 22, 2025, and around the same time one of its command and control (C2) domains – 14emeliaterracewestroxburyma02132[.]su – ranked #1 on Cloudflare’s list of top 100 domains, even surpassing Google at one point.
Kimwolf’s primary infection targets are TV boxes deployed in residential network environments. Affected device models include TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV, and MX10. Infections are dispersed around the world, with higher concentrations recorded in Brazil, India, the United States, Argentina, South Africa and the Philippines. However, the exact means by which the malware propagates to these devices is currently unknown.

XLab said it began investigating the botnet after receiving Kimwolf “version 4” artifacts from a trusted community partner on October 24, 2025. Since then, eight more samples have been discovered in the last month.
“We observed that Kimwolf’s C2 domain was successfully removed by unknown parties on at least three occasions. [In December] it has been forced to switch to the use of ENS (Ethereum Name Service) to upgrade its tactics and strengthen its infrastructure, demonstrating its strong evolutionary capabilities,” XLab researchers said.
That’s not all. Earlier this month, XLab successfully took control of one of the C2 domains, allowing the researchers to assess the size of the botnet.
What’s interesting about Kimwolf is that it’s tied to the infamous AISURU botnet, which has been behind record-breaking DDoS attacks over the past year. It is suspected that the attackers reused AISURU’s code in Kimwolf’s early stages before choosing to develop Kimwolf as a separate botnet to evade detection.
XLab said some of these attacks may not be due to AISURU alone, and that Kimwolf may be participating in or even leading the effort.
“These two major botnets propagated via the same infection script and co-existed within the same batch of devices from September to November,” the company said. “Actually, they belong to the same hacker group.”

This assessment is based on the similarity of APK packages uploaded to the VirusTotal platform, in some cases even using the same code signing certificate (‘John Dinglebert Dinglenut VIII VanSack Smith’). Further conclusive evidence arrived on December 8, 2025 with the discovery of an active downloader server (93.95.112[.]59) that contained scripts referencing both Kimwolf and AISURU APKs.
The malware itself is very simple. Once launched, it ensures that only one instance of the process is running on the infected device, proceeds to decrypt the embedded C2 domain, uses DNS-over-TLS to obtain the C2 IP address, and connects to it to receive and execute commands.
The latest version of the botnet malware, detected on December 12, 2025, introduces a technique known as EtherHiding that leverages the ENS domain (pawsatyou[.]eth) to obtain the actual C2 IP from the associated smart contract (0xde569B825877c47fE637913eCE5216C644dE081F) to increase resiliency to infrastructure removal efforts.

Specifically, it involves extracting the IPv6 address from the “lol” field of the transaction, taking the last 4 bytes of the address, and performing an XOR operation with the key “0x93141715” to obtain the actual IP address.
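As an added example (not code from XLab’s report), the decoding scheme just described in Python, the way an analyst would recover the C2 address from a value read out of the contract transaction. The IPv6 sample value is constructed, and the byte order of the 4-byte word is an assumption here, since the report does not state it; the plausibility check catches a wrong key or byte order by rejecting non-routable results.

```python
import ipaddress

# XOR key reported by XLab for Kimwolf's EtherHiding C2 lookup.
KIMWOLF_XOR_KEY = 0x93141715

# Constructed sample standing in for the IPv6 address an analyst would read
# from the contract transaction's "lol" field (not a real Kimwolf value).
SAMPLE_LOL_FIELD = "2001:db8::5814:661f"


def decode_kimwolf_c2(ipv6_text: str, key: int = KIMWOLF_XOR_KEY,
                      byteorder: str = "big") -> str:
    """Recover the C2 IPv4 address hidden in an IPv6 value.

    Steps as described by XLab: take the last 4 of the 16 address bytes and
    XOR them with the key. The byte order of the 4-byte word is an assumption
    (big-endian by default); the report does not state it.
    """
    packed = ipaddress.IPv6Address(ipv6_text).packed   # always 16 bytes
    tail = int.from_bytes(packed[-4:], byteorder)
    decoded = (tail ^ key) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(decoded.to_bytes(4, byteorder)))


def is_plausible_c2(ipv4_text: str) -> bool:
    """Sanity check: a real C2 must be globally routable unicast.

    Private, loopback, documentation, multicast and reserved results usually
    mean the wrong key or byte order was applied.
    """
    addr = ipaddress.IPv4Address(ipv4_text)
    return addr.is_global and not addr.is_multicast


if __name__ == "__main__":
    c2 = decode_kimwolf_c2(SAMPLE_LOL_FIELD)
    print(f"{SAMPLE_LOL_FIELD} -> {c2} (plausible C2: {is_plausible_c2(c2)})")
```

The constructed sample decodes to a documentation-range address, so the plausibility check rejects it; a real value should pass.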
In addition to encrypting sensitive data related to its C2 servers and DNS resolvers, Kimwolf uses TLS encryption for network communications to receive DDoS commands. In total, the malware supports 13 DDoS attack techniques via UDP, TCP, and ICMP. According to XLab, the targets are in the United States, China, France, Germany, and Canada.
Further analysis revealed that over 96% of the commands were related to the use of bot nodes to provide proxy services. This indicates that attackers are trying to exploit the bandwidth of compromised devices to maximize their profits. As part of this effort, a Rust-based command client module is deployed to form a proxy network.
The bot nodes also include the ByteConnect Software Development Kit (SDK), a monetization solution that allows app developers and IoT device owners to monetize their traffic.
“The massive botnet originated with Mirai in 2016 and has primarily focused its infections on IoT devices such as home broadband routers and cameras,” XLab said. “However, in recent years, information has been published about multiple million-level megabotnets such as Badbox, Bigpanzi, Vo1d, and Kimwolf, indicating that some attackers are starting to focus on various smart TVs and TV boxes.”
