Kimwolf botnet infects Android TV streaming boxes for DDoS and proxy abuse
Malware Activity
Summary
Kimwolf/Aisuru botnet activity now spans Android TV streaming devices and record-setting DDoS attacks. Cloudflare says the latest campaign, “The Night Before Christmas,” peaked at 31.4 Tbps and 200 million requests per second, targeting mostly telecommunications companies and detected on December 19. The botnet’s broader abuse has included compromised IoT devices and routers, with earlier records of 29.7 Tbps and 15.72 Tbps also tied to Aisuru. Authorities from the United States, Germany, and Canada have now disrupted C2 infrastructure used by Aisuru, KimWolf, JackSkid, and Mossad to infect IoT devices and launch hundreds of thousands of DDoS attacks.
Related Happenings
Kimwolf operators build a cybercrime-as-a-service DDoS access market
Threat Actor Meta
First: 22.05.2026 11:50
Last: 22.05.2026 11:50
Sources 1
About this happening:
The **Kimwolf** operators ran a **cybercrime-as-a-service** market that sold access to infected devices, widening **DDoS-for-hire** abuse. The model turned compromised **digital p...
Dort-linked DDoS, doxing, and swatting campaign against researchers
Campaign
First: 22.05.2026 00:50
Last: 22.05.2026 00:50
Sources 1
About this happening:
The **Dort**-linked harassment campaign targeted **this author and a security researcher**, using **DDoS, doxing, and swatting** to intimidate the people investigating the operato...
Brazilian ISP botnet DDoS campaign
Campaign
First: 30.04.2026 17:04
Last: 30.04.2026 17:04
Sources 1
About this happening:
The **Brazilian ISP botnet DDoS campaign** has been linked to a **Brazil-based threat actor** that repeatedly hit **Brazilian network operators** over several years. The operation...
APT28 FrostArmada DNS hijacking and AitM credential theft campaign
Campaign
First: 07.04.2026 18:51
Last: 07.04.2026 18:51
Sources 1
About this happening:
A multinational disruption effort has taken down **FrostArmada**, an **APT28** campaign that hijacked router DNS settings to steal **Microsoft account credentials** and OAuth toke...
APT28 SOHO router DNS hijacking and credential theft campaign
Campaign
First: 07.04.2026 18:30
Last: 07.04.2026 18:30
Sources 1
About this happening:
**APT28** is running **two malicious campaigns** that abuse **vulnerable SOHO routers** and attacker-controlled **DNS/VPS infrastructure** to reroute traffic and steal credentials...
Latest development: 08.04.2026 13:03
On April 7, 2026, the US Department of Justice and the FBI said they neutralized the US portion of APT28’s DNS hijacking network, which spanned more than 23 US states and used compromised SOHO routers, especially TP-Link routers, to redirect traffic through attacker-controlled DNS servers and steal credentials from targeted organizations. The FBI said it was working with ISPs to notify affected users, and court-authorized remediation steps can reset router DNS settings, remove APT28-installed resolvers, and prevent further abuse of the original access path.
Timeline
- 20.03.2026 10:05 · 1 article · 2mo ago
U.S., Germany, and Canada take down Aisuru and KimWolf C2 infrastructure
Legal Policy Action Update: Authorities from the United States, Germany, and Canada disrupted command and control (C2) infrastructure used by the Aisuru, KimWolf, JackSkid, and Mossad botnets to infect Internet of Things (IoT) devices and launch hundreds of thousands of DDoS attacks, including attacks against IP addresses owned by the Department of Defense Information Network (DoDIN).
Sources:
- International joint action disrupts world’s largest DDoS botnets — www.bleepingcomputer.com — 20.03.2026 10:05
- 26.01.2026 18:11 · 2 articles · 4mo ago
Kimwolf gains unauthorized access to Badbox 2.0 panel
Campaign Scope Update: Kimwolf botmasters appear to have gained unauthorized access to the Badbox 2.0 botnet control panel, which could let them load Kimwolf malware directly onto Android TV boxes associated with Badbox 2.0.
Sources:
- Who Operates the Badbox 2.0 Botnet? — krebsonsecurity.com — 26.01.2026 18:11
- Aisuru botnet sets new record with 31.4 Tbps DDoS attack — www.bleepingcomputer.com — 29.01.2026 16:55
- 09.01.2026 01:23 · 1 article · 4mo ago
Kimwolf proxy traffic observed on a Resi Rack IP
Detection IoC Update: A Resi Rack Internet address was already being used by Kimwolf to direct proxy traffic, showing the botnet's residential-proxy infrastructure was active by November 24, 2025.
Sources:
- Who Benefited from the Aisuru and Kimwolf Botnets? — krebsonsecurity.com — 09.01.2026 01:23
- 09.01.2026 01:23 · 1 article · 4mo ago
XLab links Kimwolf and Aisuru to the same infrastructure
Attribution Update: XLab confirmed that Kimwolf and Aisuru were being distributed from the same Internet address at 93.95.112[.]59, strengthening the attribution link between the two botnet strains and their operators.
Sources:
- Who Benefited from the Aisuru and Kimwolf Botnets? — krebsonsecurity.com — 09.01.2026 01:23
- 09.01.2026 01:23 · 1 article · 4mo ago
Resi Rack receives Kimwolf notice and remediates abuse
Mitigation Patch Update: Resi Rack co-founder Cassidy Hales said the company received a December 10 notification about Kimwolf using its network and took care of the issue immediately after learning that a customer was leasing servers for the abuse.
Sources:
- Who Benefited from the Aisuru and Kimwolf Botnets? — krebsonsecurity.com — 09.01.2026 01:23
- 09.01.2026 01:23 · 1 article · 4mo ago
Kimwolf operators retaliate against Synthient after public reporting
Victim Impact Update: Hours after the Kimwolf story was published, the resi[.]to Discord server was erased, Synthient's website was hit with a DDoS attack, and the Kimwolf botmasters used their botnet to dox Synthient founder Benjamin Brundage.
Sources:
- Who Benefited from the Aisuru and Kimwolf Botnets? — krebsonsecurity.com — 09.01.2026 01:23
- 17.12.2025 02:00 · 2 articles · 5mo ago
XLab publishes Kimwolf deep dive on DDoS and proxy abuse
Initial Disclosure: XLab published a deep dive on Kimwolf, describing infected devices being forced into DDoS attacks and abusive Internet traffic relaying for residential proxy services, while also noting overlap with Aisuru.
Sources:
- Who Benefited from the Aisuru and Kimwolf Botnets? — krebsonsecurity.com — 09.01.2026 01:23