Find notable cyber news and cases, enriched with sources, timelines, and signals.

Kimwolf DDoS botnet expansion across Android TVs, set-top boxes, and tablets

Malware Activity
First reported
Last updated
Happening score
H score 46
1 unique sources, 1 articles

Summary

Hide ▲

The Kimwolf botnet now spans 1.8 million infected devices, giving it the scale to drive high-volume DDoS abuse and broaden downstream risk. It primarily targets Android-based TVs, set-top boxes, and tablets, with recent activity concentrated across Brazil, India, the U.S., Argentina, South Africa, and the Philippines. The malware has also shifted to ENS/EtherHiding to harden command-and-control infrastructure, while issuing 1.7 billion DDoS commands in just three days.

Related Happenings

AryStinger legacy-router reconnaissance and proxy network

Malware Activity
H score61 First: 22.06.2026 09:57 Last: 22.06.2026 09:57 Sources 1

About this happening: The **AryStinger** malware family is building a **distributed reconnaissance and proxy network** from legacy routers and NAS appliances, expanding a covert relay layer that helps...

AryStinger botnet turns outdated routers into proxy executors

Malware Activity
H score60 First: 21.06.2026 17:14 Last: 21.06.2026 17:14 Sources 1

About this happening: The **AryStinger** botnet is **compromising more than 4,000 outdated routers** and converting them into **proxy executors** for malicious traffic, expanding attacker reach and int...

Popa botnet forcing consumer TV boxes to relay traffic

Malware Activity
H score76 First: 18.06.2026 20:37 Last: 18.06.2026 20:37 Sources 1

About this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...

Latest development: 03.07.2026 12:35

Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.

Vo1d botnet campaign targeting unofficial Android-based TV boxes

Campaign
H score88 First: 18.06.2026 20:37 Last: 18.06.2026 20:37 Sources 1

About this happening: **NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...

Latest development: 03.07.2026 12:35

Google disabled all Google accounts used by NetNut for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing the compromised SDKs. The FBI’s seizure banner appeared on netnut.com while netnut.io briefly remained accessible, and Google said the coordinated actions caused significant degradation to NetNut’s proxy network and business operations.

Xlabs_v1 Mirai-derived ADB DDoS botnet

Malware Activity
H score22 First: 06.05.2026 23:21 Last: 06.05.2026 23:21 Sources 1

About this happening: The **xlabs_v1** Mirai-derived botnet has been exposed as a **DDoS** tool that abuses **Android Debug Bridge (ADB)** on internet-facing devices, expanding risk to **Android**, rou...

Timeline

  1. 17.12.2025 20:09 1 articles · 6mo ago

    XLab begins Kimwolf investigation after version 4 artifact

    Technical Analysis Update

    QiAnXin XLab begins investigating Kimwolf after receiving a version 4 artifact from a trusted community partner, establishing the malware family that would later be tied to Android-based TVs, set-top boxes, and tablets.

    Show sources
  2. 17.12.2025 20:09 1 articles · 6mo ago

    Kimwolf adopts EtherHiding through ENS domain

    Technical Analysis Update

    Recent Kimwolf samples add EtherHiding, using the ENS domain pawsatyou[.]eth and smart contract 0xde569B825877c47fE637913eCE5216C644dE081F to retrieve the C2 IP, with the last four bytes of an IPv6 address XORed with 0x93141715 to derive the address.

    Show sources
  3. 17.12.2025 20:09 2 articles · 6mo ago

    XLab discloses Kimwolf scale and capabilities

    Initial Disclosure

    QiAnXin XLab publicly discloses Kimwolf as a DDoS botnet with at least 1.8 million infected Android-based TVs, set-top boxes, and tablets, primary residential TV-box targets, 13 DDoS attack methods, proxy forwarding, reverse shell, file management, TLS-encrypted command handling, and 1.7 billion DDoS commands issued between November 19 and 22, 2025.

    Show sources