Kimwolf DDoS botnet expansion across Android TVs, set-top boxes, and tablets
Malware Activity
Summary
Hide ▲
Show ▼
The Kimwolf botnet now spans 1.8 million infected devices, giving it the scale to drive high-volume DDoS abuse and broaden downstream risk. It primarily targets Android-based TVs, set-top boxes, and tablets, with recent activity concentrated across Brazil, India, the U.S., Argentina, South Africa, and the Philippines. The malware has also shifted to ENS/EtherHiding to harden command-and-control infrastructure, while issuing 1.7 billion DDoS commands in just three days.
Related Happenings
AryStinger legacy-router reconnaissance and proxy network
Malware Activity
H score61
First: 22.06.2026 09:57
Last: 22.06.2026 09:57
Sources 1
About this happening:
The **AryStinger** malware family is building a **distributed reconnaissance and proxy network** from legacy routers and NAS appliances, expanding a covert relay layer that helps...
AryStinger legacy-router reconnaissance and proxy network
Malware ActivityAbout this happening: The **AryStinger** malware family is building a **distributed reconnaissance and proxy network** from legacy routers and NAS appliances, expanding a covert relay layer that helps...
AryStinger botnet turns outdated routers into proxy executors
Malware Activity
H score60
First: 21.06.2026 17:14
Last: 21.06.2026 17:14
Sources 1
About this happening:
The **AryStinger** botnet is **compromising more than 4,000 outdated routers** and converting them into **proxy executors** for malicious traffic, expanding attacker reach and int...
AryStinger botnet turns outdated routers into proxy executors
Malware ActivityAbout this happening: The **AryStinger** botnet is **compromising more than 4,000 outdated routers** and converting them into **proxy executors** for malicious traffic, expanding attacker reach and int...
Popa botnet forcing consumer TV boxes to relay traffic
Malware Activity
H score76
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Popa botnet forcing consumer TV boxes to relay traffic
Malware ActivityAbout this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Latest development: 03.07.2026 12:35
Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.
Vo1d botnet campaign targeting unofficial Android-based TV boxes
Campaign
H score88
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...
Vo1d botnet campaign targeting unofficial Android-based TV boxes
CampaignAbout this happening: **NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...
Latest development: 03.07.2026 12:35
Google disabled all Google accounts used by NetNut for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing the compromised SDKs. The FBI’s seizure banner appeared on netnut.com while netnut.io briefly remained accessible, and Google said the coordinated actions caused significant degradation to NetNut’s proxy network and business operations.
Xlabs_v1 Mirai-derived ADB DDoS botnet
Malware Activity
H score22
First: 06.05.2026 23:21
Last: 06.05.2026 23:21
Sources 1
About this happening:
The **xlabs_v1** Mirai-derived botnet has been exposed as a **DDoS** tool that abuses **Android Debug Bridge (ADB)** on internet-facing devices, expanding risk to **Android**, rou...
Xlabs_v1 Mirai-derived ADB DDoS botnet
Malware ActivityAbout this happening: The **xlabs_v1** Mirai-derived botnet has been exposed as a **DDoS** tool that abuses **Android Debug Bridge (ADB)** on internet-facing devices, expanding risk to **Android**, rou...
Timeline
-
17.12.2025 20:09 1 articles · 6mo ago
XLab begins Kimwolf investigation after version 4 artifact
Technical Analysis UpdateQiAnXin XLab begins investigating Kimwolf after receiving a version 4 artifact from a trusted community partner, establishing the malware family that would later be tied to Android-based TVs, set-top boxes, and tablets.
Show sources
- Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks — thehackernews.com — 17.12.2025 20:09
-
17.12.2025 20:09 1 articles · 6mo ago
Downloader server links Kimwolf and AISURU
Attribution UpdateAn active downloader server at 93.95.112[.]59 is found with a script referencing APKs for both Kimwolf and AISURU, strengthening the assessment that the two botnets share infrastructure or operators.
Show sources
- Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks — thehackernews.com — 17.12.2025 20:09
-
17.12.2025 20:09 1 articles · 6mo ago
Kimwolf adopts EtherHiding through ENS domain
Technical Analysis UpdateRecent Kimwolf samples add EtherHiding, using the ENS domain pawsatyou[.]eth and smart contract 0xde569B825877c47fE637913eCE5216C644dE081F to retrieve the C2 IP, with the last four bytes of an IPv6 address XORed with 0x93141715 to derive the address.
Show sources
- Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks — thehackernews.com — 17.12.2025 20:09
-
17.12.2025 20:09 2 articles · 6mo ago
XLab discloses Kimwolf scale and capabilities
Initial DisclosureQiAnXin XLab publicly discloses Kimwolf as a DDoS botnet with at least 1.8 million infected Android-based TVs, set-top boxes, and tablets, primary residential TV-box targets, 13 DDoS attack methods, proxy forwarding, reverse shell, file management, TLS-encrypted command handling, and 1.7 billion DDoS commands issued between November 19 and 22, 2025.
Show sources
- Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks — thehackernews.com — 17.12.2025 20:09
- Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks — thehackernews.com — 17.12.2025 20:09