Kimwolf botnet infects Android TV streaming boxes for DDoS and proxy abuse
Malware Activity
Summary
Hide ▲
Show ▼
Kimwolf/Aisuru botnet activity now spans Android TV streaming devices and record-setting DDoS attacks. Cloudflare says the latest campaign, “The Night Before Christmas,” peaked at 31.4 Tbps and 200 million requests per second, targeting mostly telecommunications companies and detected on December 19. The botnet’s broader abuse has included compromised IoT devices and routers, with earlier records of 29.7 Tbps and 15.72 Tbps also tied to Aisuru. Authorities from the United States, Germany, and Canada have now disrupted C2 infrastructure used by Aisuru, KimWolf, JackSkid, and Mossad to infect IoT devices and launch hundreds of thousands of DDoS attacks.
Related Happenings
Popa botnet forcing consumer TV boxes to relay traffic
Malware Activity
H score76
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Popa botnet forcing consumer TV boxes to relay traffic
Malware ActivityAbout this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Latest development: 03.07.2026 12:35
Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.
Vo1d botnet campaign targeting unofficial Android-based TV boxes
Campaign
H score88
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...
Vo1d botnet campaign targeting unofficial Android-based TV boxes
CampaignAbout this happening: **NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...
Latest development: 03.07.2026 12:35
Google disabled all Google accounts used by NetNut for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing the compromised SDKs. The FBI’s seizure banner appeared on netnut.com while netnut.io briefly remained accessible, and Google said the coordinated actions caused significant degradation to NetNut’s proxy network and business operations.
Kimwolf operators build a cybercrime-as-a-service DDoS access market
Threat Actor Meta
H score24
First: 22.05.2026 11:50
Last: 22.05.2026 11:50
Sources 1
About this happening:
The **Kimwolf** operators ran a **cybercrime-as-a-service** market that sold access to infected devices, widening **DDoS-for-hire** abuse. The model turned compromised **digital p...
Kimwolf operators build a cybercrime-as-a-service DDoS access market
Threat Actor MetaAbout this happening: The **Kimwolf** operators ran a **cybercrime-as-a-service** market that sold access to infected devices, widening **DDoS-for-hire** abuse. The model turned compromised **digital p...
Dort-linked DDoS, doxing, and swatting campaign against researchers
Campaign
H score38
First: 22.05.2026 00:50
Last: 22.05.2026 00:50
Sources 1
About this happening:
The **Dort**-linked harassment campaign targeted **this author and a security researcher**, using **DDoS, doxing, and swatting** to intimidate the people investigating the operato...
Dort-linked DDoS, doxing, and swatting campaign against researchers
CampaignAbout this happening: The **Dort**-linked harassment campaign targeted **this author and a security researcher**, using **DDoS, doxing, and swatting** to intimidate the people investigating the operato...
Brazilian ISP botnet DDoS campaign
Campaign
H score36
First: 30.04.2026 17:04
Last: 30.04.2026 17:04
Sources 1
About this happening:
The **Brazilian ISP botnet DDoS campaign** has been linked to a **Brazil-based threat actor** that repeatedly hit **Brazilian network operators** over several years. The operation...
Brazilian ISP botnet DDoS campaign
CampaignAbout this happening: The **Brazilian ISP botnet DDoS campaign** has been linked to a **Brazil-based threat actor** that repeatedly hit **Brazilian network operators** over several years. The operation...
Timeline
-
20.03.2026 10:05 1 articles · 3mo ago
U.S., Germany, and Canada take down Aisuru and KimWolf C2 infrastructure
Legal Policy Action UpdateAuthorities from the United States, Germany, and Canada disrupted Command and Control (C2) infrastructure used by the Aisuru, KimWolf, JackSkid, and Mossad botnets to infect Internet of Things (IoT) devices and launch hundreds of thousands of DDoS attacks, including attacks against IP addresses owned by the Department of Defense Information Network (DoDIN).
Show sources
- International joint action disrupts world’s largest DDoS botnets — www.bleepingcomputer.com — 20.03.2026 10:05
-
26.01.2026 18:11 2 articles · 5mo ago
Kimwolf gains unauthorized access to Badbox 2.0 panel
Campaign Scope UpdateKimwolf botmasters appear to have gained unauthorized access to the Badbox 2.0 botnet control panel, which could let them load Kimwolf malware directly onto Android TV boxes associated with Badbox 2.0.
Show sources
- Who Operates the Badbox 2.0 Botnet? — krebsonsecurity.com — 26.01.2026 18:11
- Aisuru botnet sets new record with 31.4 Tbps DDoS attack — www.bleepingcomputer.com — 29.01.2026 16:55
-
09.01.2026 01:23 1 articles · 6mo ago
Kimwolf proxy traffic observed on a Resi Rack IP
Detection Ioc UpdateA Resi Rack Internet address was already being used by Kimwolf to direct proxy traffic, showing the botnet's residential-proxy infrastructure was active by November 24, 2025.
Show sources
- Who Benefited from the Aisuru and Kimwolf Botnets? — krebsonsecurity.com — 09.01.2026 01:23
-
09.01.2026 01:23 1 articles · 6mo ago
XLab links Kimwolf and Aisuru to the same infrastructure
Attribution UpdateXLab confirmed that Kimwolf and Aisuru were being distributed from the same Internet address at 93.95.112[.]59, strengthening the attribution link between the two botnet strains and their operators.
Show sources
- Who Benefited from the Aisuru and Kimwolf Botnets? — krebsonsecurity.com — 09.01.2026 01:23
-
09.01.2026 01:23 1 articles · 6mo ago
Resi Rack receives Kimwolf notice and remediates abuse
Mitigation Patch UpdateResi Rack co-founder Cassidy Hales said the company received a December 10 notification about Kimwolf using its network and took care of the issue immediately after learning that a customer was leasing servers for the abuse.
Show sources
- Who Benefited from the Aisuru and Kimwolf Botnets? — krebsonsecurity.com — 09.01.2026 01:23
-
09.01.2026 01:23 1 articles · 6mo ago
Kimwolf operators retaliate against Synthient after public reporting
Victim Impact UpdateHours after the Kimwolf story was published, the resi[.]to Discord server was erased, Synthient's website was hit with a DDoS attack, and the Kimwolf botmasters used their botnet to dox Synthient founder Benjamin Brundage.
Show sources
- Who Benefited from the Aisuru and Kimwolf Botnets? — krebsonsecurity.com — 09.01.2026 01:23
-
17.12.2025 02:00 2 articles · 6mo ago
XLab publishes Kimwolf deep dive on DDoS and proxy abuse
Initial DisclosureXLab published a deep dive on Kimwolf, describing infected devices being forced into DDoS attacks and abusive Internet traffic relaying for residential proxy services while also noting overlap with Aisuru.
Show sources
- Who Benefited from the Aisuru and Kimwolf Botnets? — krebsonsecurity.com — 09.01.2026 01:23
- Who Benefited from the Aisuru and Kimwolf Botnets? — krebsonsecurity.com — 09.01.2026 01:23