Kimwolf Android DDoS Botnet Enslaves 1.83 Million Smart TVs and TV Boxes Worldwide

CyberSecureFox 🦊

A newly documented Android DDoS botnet dubbed Kimwolf has infected approximately 1.83 million Android-based devices in a short time, with a primary focus on consumer electronics such as smart TVs, TV boxes, and Android tablets. Analysis by QiAnXin XLab shows that this botnet is already one of the most significant threats targeting Android TV ecosystems and low-maintained smart devices.

Scale of the Kimwolf Android Botnet and Global Footprint

Kimwolf’s activity surged sharply at the end of 2024. Between 19 and 22 November, one of its command-and-control (C2) domains, 14emeliaterracewestroxburyma02132[.]su, generated such an extreme volume of traffic that it entered Cloudflare’s top 100 most active domains, briefly surpassing even major online platforms by request volume. This indicates substantial levels of both control traffic and attack traffic originating from the botnet.

When researchers gained temporary control over one of Kimwolf’s C2 domains in early December, they observed around 1.83 million unique bot IP addresses beaconing back. Infections are globally distributed, with Brazil, India, the United States, Argentina, South Africa, and the Philippines showing the highest concentration of compromised devices.

Among the affected hardware are many popular Android TV boxes and smart TV models, including TV BOX, SuperBOX, X96Q, SmartTV, MX10 and others, which are often sold cheaply, shipped with outdated firmware, and rarely receive security updates.

Links Between Kimwolf and the Aisuru DDoS Botnet

Indicators collected by QiAnXin XLab suggest that Kimwolf is closely related to the Aisuru botnet, which was associated with some of the most powerful DDoS attacks reported in 2024. From September through November, both botnets propagated via identical infection scripts and were frequently observed coexisting on the same endpoint—behaviour that is unusual for competing criminal operations, which typically remove rival malware.

Further overlaps include matching APK signing certificates on VirusTotal, including samples signed with the distinctive name “John Dinglebert Dinglenut VIII VanSack Smith”, and a shared loader server at 93.95.112[.]59, which distributed APK payloads for both botnets. These correlations support the theory that Kimwolf likely evolved from Aisuru’s codebase and was split off as a separate project to evade signature-based detection and complicate attribution of attacks.

Technical Profile: Android NDK, ENS, and EtherHiding

Kimwolf is implemented using the Android NDK (Native Development Kit), allowing the malware to run closer to the hardware layer. Native code is generally harder to analyze and can more easily bypass conventional antivirus engines that focus on high-level Android application behavior.

Once installed, Kimwolf supports multiple malicious functions: DDoS attacks, proxy chaining, reverse shells, and remote file-system control. This transforms a smart TV or TV box into a fully controllable node inside a larger criminal infrastructure.

Abusing Ethereum Name Service and EtherHiding

After segments of its C2 infrastructure were repeatedly disrupted, Kimwolf’s operators moved to a more resilient architecture based on the Ethereum Name Service (ENS) and a technique known as EtherHiding. In the latest variants observed as of 12 December, the bot no longer retrieves C2 IPs from a conventional DNS record; instead, it queries data tied to the ENS name pawsatyou[.]eth.

In technical terms, the malware fetches a value from a transaction field on the Ethereum blockchain, extracts an IPv6 address, and then decodes it. The last four bytes are processed with an XOR operation using the key 0x93141715 to derive the actual C2 address. Because this configuration data is stored on a decentralized blockchain rather than a single server, blocking and tracking the C2 infrastructure becomes significantly more difficult. Similar EtherHiding techniques were previously documented in 2023 in attacks abusing Binance Smart Chain.
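The decoding step described above, as an added analyst-side example that is not code from the original article or from XLab: it takes an IPv6 value already recovered from the chain, XORs its last four bytes with the quoted key, and yields the real C2 address as an IoC. The key is from the page; the big-endian byte order, the helper names and the sample values are assumptions.

```python
import ipaddress

# XOR key quoted in the XLab analysis of the ENS/EtherHiding variant.
XOR_KEY = 0x93141715


def decode_c2_from_ipv6(ipv6_text: str, key: int = XOR_KEY) -> str:
    """Recover the real C2 IPv4 address from an IPv6 value fetched on-chain.

    Assumption (not stated on the page): the last four bytes of the IPv6
    address are read big-endian, XORed with the 32-bit key, and the result
    is the dotted-quad C2 address.
    """
    addr = ipaddress.IPv6Address(ipv6_text)  # raises on malformed input
    tail = int.from_bytes(addr.packed[-4:], "big")
    return str(ipaddress.IPv4Address(tail ^ key))


def decode_many(values):
    """Decode a batch of observed on-chain values into (raw, c2, error) rows.

    Malformed entries are recorded instead of aborting the batch, which is
    what you want when scraping noisy transaction data for indicators.
    """
    rows = []
    for raw in values:
        try:
            rows.append((raw, decode_c2_from_ipv6(raw), None))
        except ValueError as exc:  # AddressValueError is a ValueError
            rows.append((raw, None, str(exc)))
    return rows


# Constructed sample, NOT real Kimwolf indicators: 203.0.113.7 (TEST-NET-3)
# XORed with the key is 0x58146612, placed in the low 32 bits of a
# documentation-prefix IPv6 address. The second entry exercises the
# error path.
SAMPLE_ONCHAIN_VALUES = [
    "2001:db8::5814:6612",
    "not-an-ipv6-address",
]

if __name__ == "__main__":
    for raw, c2, err in decode_many(SAMPLE_ONCHAIN_VALUES):
        print(raw, "->", c2 if c2 else f"skipped ({err})")
```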

Monetization Strategy: From DDoS Botnet to Proxy Network

Although Kimwolf is branded and structured as a DDoS botnet, telemetry reveals that over 96% of issued commands are related to using infected devices as proxies, not as DDoS cannons. The attackers deploy a Rust-based Command Client module onto compromised Android devices and integrate the ByteConnect SDK, turning the botnet into a distributed proxy network that can be monetized.

This effectively converts millions of smart TVs and TV boxes into stealth residential proxy nodes. Their bandwidth can be resold on traffic markets to other threat actors for credential stuffing, ad fraud, data scraping, or layered attack chains. This business model mirrors other recent large-scale Android and IoT botnets such as Badbox, Bigpanzi, and Vo1d, and reflects a broader shift since the Mirai era: attackers are increasingly targeting Android platforms and smart TVs rather than only routers and IP cameras.

Risks for Users and Practical Protection of Android TVs

The rise of Kimwolf demonstrates that Android TVs and TV boxes have become prime cybercrime targets. Even if such devices do not store sensitive information, they can silently participate in DDoS attacks and proxy services against organizations worldwide, creating legal and reputational risks for their owners and additional load on home networks.

To reduce the likelihood of compromise on Android TV and TV box devices, the following measures are recommended:

  • Install apps only from trusted sources such as Google Play or official vendor app stores; avoid third-party APKs from forums and file-sharing sites.
  • Avoid pirated IPTV services and “free streaming” apps, which are frequently used as malware delivery channels.
  • Regularly update firmware and enable automatic updates where possible for smart TVs and TV boxes.
  • Change default passwords and disable unnecessary remote access services such as ADB or web-based admin panels.
  • Segment smart devices into a dedicated guest or IoT network, isolating them from laptops, smartphones, and work devices.

The rapid growth of the Kimwolf Android botnet and its use of ENS and EtherHiding highlight how quickly cybercriminal tooling is evolving. Strengthening basic cyber hygiene, enforcing network segmentation, and monitoring for abnormal outbound traffic from smart TVs and TV boxes significantly lower the risk that a “simple” streaming device will become part of a multimillion-node DDoS or proxy infrastructure. Proactive measures taken now will reduce the impact of the next wave of large-scale Android and IoT botnet campaigns.
