Kimwolf DDoS botnet expansion across Android TVs, set-top boxes, and tablets
Malware Activity
Summary
The Kimwolf botnet now spans 1.8 million infected devices, giving it the scale to drive high-volume DDoS abuse and broaden downstream risk. It primarily targets Android-based TVs, set-top boxes, and tablets, with recent activity concentrated across Brazil, India, the U.S., Argentina, South Africa, and the Philippines. The malware has also shifted to ENS/EtherHiding to harden command-and-control infrastructure, while issuing 1.7 billion DDoS commands in just three days.
Related Happenings
Xlabs_v1 Mirai-derived ADB DDoS botnet
Malware Activity
First: 06.05.2026 23:21
Last: 06.05.2026 23:21
Sources 1
About this happening:
The **xlabs_v1** Mirai-derived botnet has been exposed as a **DDoS** tool that abuses **Android Debug Bridge (ADB)** on internet-facing devices, expanding risk to **Android**, rou...
AISURU/Kimwolf hyper-volumetric DDoS botnet activity
Malware Activity
First: 05.02.2026 19:25
Last: 05.02.2026 19:25
Sources 1
About this happening:
The **AISURU/Kimwolf** botnet is a **malware activity** cluster tied to **hyper-volumetric DDoS attacks** and large-scale device conscription. On **2025-12-04**, Cloudflare said i...
Latest development: 20.03.2026 08:25
The U.S. Department of Justice disrupted command-and-control infrastructure used by AISURU, Kimwolf, JackSkid, and Mossad in a court-authorized law-enforcement operation, with support from Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab.
Aisuru/Kimwolf botnet record DDoS campaign against telecommunications and IT companies
Campaign
First: 29.01.2026 16:55
Last: 29.01.2026 16:55
Sources 1
How related:
These two major botnets propagated through the same infection scripts between September and November, coexisting in the same batch of devices,
About this happening:
The **Aisuru/Kimwolf botnet** campaign expanded in **late 2025** with **Kimwolf**, a **DDoS botnet** compiled using the **NDK**, and evidence linking it to **AISURU** through shar...
Latest development: 20.03.2026 02:49
The U.S. Justice Department, with authorities in Canada and Germany, dismantled infrastructure behind Aisuru, Kimwolf, JackSkid and Mossad, seized U.S.-registered domains and virtual servers used in DDoS attacks against DoD Internet addresses, and said the action was intended to prevent further infections and future attacks.
Kimwolf Android botnet expands proxy-relay operations to over 2 million devices
Malware Activity
First: 05.01.2026 18:41
Last: 05.01.2026 18:41
Sources 1
About this happening:
The **Kimwolf** **Android botnet** continued to evolve as a **proxy-relay** and **DDoS** operation built on **more than 2 million infected devices**, with abuse of **exposed ADB**...
Latest development: 20.03.2026 08:25
The U.S. Department of Justice announced a court-authorized law-enforcement operation that disrupted command-and-control (C2) infrastructure used by the IoT botnets AISURU, Kimwolf, JackSkid, and Mossad, with assistance from Canada, Germany, and private sector firms including Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab. The botnets were linked to distributed denial-of-service (DDoS) attacks targeting victims worldwide and to more than 2 million Android devices, while the four botnets were estimated to have infected no less than 3 million devices worldwide.
Kimwolf botnet expands through residential proxy abuse
Malware Activity
First: 02.01.2026 16:20
Last: 02.01.2026 16:20
Sources 1
About this happening:
The **Kimwolf** **IoT botnet** continues to expand through abuse of **residential proxy services** such as **IPIDEA**, which it uses to relay malicious traffic, scan local network...
Latest development: 29.01.2026 19:15
Google Threat Intelligence Group and partners coordinated court action and technical enforcement to disrupt IPIDEA, a residential proxy network whose SDKs were used to enroll devices into Kimwolf and other botnets. Google said it took down domains used to command infected devices and manage proxy traffic, and Google Play Protect now alerts users, removes apps containing IPIDEA SDKs, and blocks future installation attempts on certified Android devices.
Timeline
- 17.12.2025 20:09
  XLab begins Kimwolf investigation after version 4 artifact
  Technical Analysis Update: QiAnXin XLab begins investigating Kimwolf after receiving a version 4 artifact from a trusted community partner, establishing the malware family that would later be tied to Android-based TVs, set-top boxes, and tablets.
  Sources:
  - Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks — thehackernews.com — 17.12.2025 20:09
- 17.12.2025 20:09
  Downloader server links Kimwolf and AISURU
  Attribution Update: An active downloader server at 93.95.112[.]59 is found with a script referencing APKs for both Kimwolf and AISURU, strengthening the assessment that the two botnets share infrastructure or operators.
  Sources:
  - Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks — thehackernews.com — 17.12.2025 20:09
- 17.12.2025 20:09
  Kimwolf adopts EtherHiding through ENS domain
  Technical Analysis Update: Recent Kimwolf samples add EtherHiding, using the ENS domain pawsatyou[.]eth and smart contract 0xde569B825877c47fE637913eCE5216C644dE081F to retrieve the C2 IP, with the last four bytes of an IPv6 address XORed with 0x93141715 to derive the address.
  Sources:
  - Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks — thehackernews.com — 17.12.2025 20:09
- 17.12.2025 20:09
  XLab discloses Kimwolf scale and capabilities
  Initial Disclosure: QiAnXin XLab publicly discloses Kimwolf as a DDoS botnet with at least 1.8 million infected Android-based TVs, set-top boxes, and tablets, primary residential TV-box targets, 13 DDoS attack methods, proxy forwarding, reverse shell, file management, TLS-encrypted command handling, and 1.7 billion DDoS commands issued between November 19 and 22, 2025.
  Sources:
  - Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks — thehackernews.com — 17.12.2025 20:09
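
Added example (not code from XLab, the source article, or the malware): an analyst-side decoder for the EtherHiding step in the timeline above, turning IPv6 values recovered from the contract into IPv4 block-list candidates by XORing the last four bytes with 0x93141715. The key byte order, the function names, and the sample values are assumptions; the samples are constructed and decode into the 192.0.2.0/24 documentation range.

```python
import ipaddress

XOR_KEY = 0x93141715  # key value as reported on this page


def decode_c2(ipv6_text, key=XOR_KEY, key_byteorder="big"):
    """Return the IPv4 address hidden in the last four bytes of an IPv6 value.

    key_byteorder is an assumption: the page gives the key as one 32-bit
    number and does not say in which byte order it is applied.
    """
    addr = ipaddress.IPv6Address(ipv6_text.strip())
    tail = addr.packed[-4:]  # last four bytes, network order
    key_bytes = key.to_bytes(4, key_byteorder)
    plain = bytes(t ^ k for t, k in zip(tail, key_bytes))
    return ipaddress.IPv4Address(plain)


def triage(records, **kw):
    """Decode a batch of IPv6 records into block-list candidates.

    Returns (candidates, rejected). Values that do not parse as IPv6 are
    rejected. Decoded addresses that are not globally routable are kept but
    marked for review, since that can indicate a wrong byte-order assumption.
    """
    candidates, rejected, seen = [], [], set()
    for rec in records:
        try:
            ip = decode_c2(rec, **kw)
        except (ipaddress.AddressValueError, AttributeError):
            rejected.append(rec)
            continue
        if ip in seen:  # same address written in a different IPv6 notation
            continue
        seen.add(ip)
        candidates.append({"record": rec, "c2": str(ip), "routable": ip.is_global})
    return candidates, rejected


# Constructed sample values, not real indicators.
SAMPLE = ["2001:db8::5314:151f", "2001:db8:0:0:0:0:5314:151f", "not-an-address"]

if __name__ == "__main__":
    good, bad = triage(SAMPLE)
    for row in good:
        print(row)
    print("rejected:", bad)
```

If the default byte order yields only non-routable results on real records, rerun with key_byteorder="little" before adding anything to a block list.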