- Kimwolf, an Android botnet with 1.8 million infected devices, rapidly evolves using ENS for resilience
- Its code and infrastructure overlap with AISURU, indicating that both belong to the same threat group
- AISURU remains one of the most destructive botnets, recently peaking at 29.7 Tbps in DDoS attacks
Cybersecurity researchers have discovered a major malicious botnet comprising nearly two million devices that is reportedly capable of more than “just” Distributed Denial of Service (DDoS) attacks.
QiAnXin XLab released a new report on Kimwolf, an Android-based botnet that primarily targets TVs, set-top boxes, and tablets. It has so far infected about 1.8 million devices, mostly in Brazil, India, the United States, Argentina, South Africa, and the Philippines.
How the devices get infected is still unknown, but XLab found that the majority of victims are in residential network environments and belong to these brands: TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV and MX10.
Owned by AISURU?
The researchers have been following Kimwolf for a while now and found that the botnet has already been taken down several times but has always returned stronger.
“We observed that Kimwolf’s C2 domains have been successfully taken down by unknown parties at least three times [in December] forcing it to upgrade its tactics and turn to using ENS (Ethereum Name Service) to harden its infrastructure, demonstrating its powerful evolutionary capability,” XLab researchers said.
They also said that the botnet’s source code and C2 infrastructure overlap significantly with AISURU, which is currently one of the most destructive botnets in existence.
“These two large botnets propagated through the same infection scripts between September and November and coexisted in the same batch of devices,” the researchers explained. “They actually belong to the same hacker group.”
AISURU is a botnet that recently made several headlines for breaking all sorts of DDoS records.
Earlier this month, Cloudflare released its 2025 Q3 DDoS threat report, detailing an attack from the “topnet of botnets.” In the report, the CDN giant said that AISURU counted somewhere between one and four million infected devices and that it mounted a DDoS attack that peaked at 29.7 terabits per second (Tbps) and 14.1 billion packets per second (Bpps).
Cloudflare described it as a “UDP carpet bombing attack that bombarded an average of 15K destination ports per second”.



