


Perceptive Security
SOC/SIEM Consultancy

Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks
Published: 17 December 2025 at 18:09:00
Alert date: 17 December 2025 at 20:02:12
Source: thehackernews.com
Mobile & IoT, Ransomware & Malware, Network Infrastructure
A new botnet called Kimwolf has infected 1.8 million Android-based devices including TVs, set-top boxes, and tablets to launch large-scale distributed denial-of-service (DDoS) attacks. The botnet is compiled using the Android Native Development Kit (NDK) and may be associated with another botnet known as AISURU. QiAnXin XLab researchers discovered this massive infection campaign targeting Android devices for DDoS operations. The scale of the botnet with nearly 2 million compromised devices represents a significant threat to internet infrastructure.
Technical details
Kimwolf is a DDoS botnet compiled using the Android NDK that has infected 1.8 million Android-based TVs, set-top boxes, and tablets. The botnet issued 1.7 billion DDoS attack commands within three days (November 19-22, 2025). It integrates DDoS capabilities, proxy forwarding, reverse shell, and file management functions. Recent versions use the EtherHiding technique with the ENS domain 'pawsatyou[.]eth' to fetch the C2 IP from a smart contract. The malware supports 13 DDoS attack methods over UDP, TCP, and ICMP, uses TLS encryption for network communications, and deploys a Rust-based Command Client module for proxy services. Over 96% of commands relate to proxy services for bandwidth exploitation.
Mitigation steps:
Monitor for connections to the identified C2 domains and IP addresses. Watch for unusual network traffic patterns from Android TV devices and set-top boxes. Implement network segmentation to isolate IoT devices. Monitor for DNS-over-TLS queries to suspicious domains. Check for the presence of malicious APK packages with the identified code signing certificate 'John Dinglebert Dinglenut VIII VanSack Smith'. Monitor Ethereum transactions to the identified smart contract address.
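One way to apply the C2 and DNS-over-TLS monitoring steps to network logs, as an added example that is not part of the original alert or the XLab report: it refangs the network IOCs listed on this page and scans flow/DNS records for them. The key=value log format, the IoT subnet 10.20.0.0/24 and the approved resolver 10.20.0.1 are assumptions, and the sample records are constructed.

```python
import ipaddress

# Indicators from this alert's IOC list, stored defanged and refanged at load.
DEFANGED_IOCS = ["14emeliaterracewestroxburyma02132[.]su", "93.95.112[.]59",
                 "pawsatyou[.]eth"]
# Assumptions for this sketch: the IoT VLAN and the resolver it may use.
IOT_NET = ipaddress.ip_network("10.20.0.0/24")
APPROVED_RESOLVERS = {"10.20.0.1"}

def split_iocs(defanged):
    # Refang each indicator, then separate IP addresses from domain names.
    ips, domains = set(), set()
    for item in (d.replace("[.]", ".").lower() for d in defanged):
        try:
            ips.add(str(ipaddress.ip_address(item)))
        except ValueError:
            domains.add(item)
    return ips, domains

def domain_hit(qname, domains):
    # Match the indicator or any subdomain of it, not a bare string suffix.
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)

def scan(lines, defanged=DEFANGED_IOCS):
    # Returns (line_number, reason) for every record that needs triage.
    ips, domains = split_iocs(defanged)
    findings = []
    for no, line in enumerate(lines, 1):
        f = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        src, dst = f.get("src", ""), f.get("dst", "")
        if dst in ips:
            findings.append((no, "c2-ip"))
        if domain_hit(f.get("qname", ""), domains):
            findings.append((no, "c2-domain"))
        try:
            from_iot = ipaddress.ip_address(src) in IOT_NET
        except ValueError:
            from_iot = False  # malformed or missing source address
        # DoT hides the query name, so flag the channel itself (port 853).
        if from_iot and f.get("dport") == "853" and dst not in APPROVED_RESOLVERS:
            findings.append((no, "iot-dot-unapproved-resolver"))
    return findings

# Constructed sample records; the key=value log format is an assumption.
SAMPLE = [
    "src=10.20.0.15 dst=10.20.0.1 dport=53 qname=pool.ntp.org",
    "src=10.20.0.15 dst=93.95.112.59 dport=443",
    "src=10.20.0.22 dst=10.20.0.1 dport=53 qname=API.14emeliaterracewestroxburyma02132.su.",
    "src=10.20.0.22 dst=192.0.2.53 dport=853",
    "src=10.30.0.9 dst=192.0.2.53 dport=853",
]
```

Calling `scan(SAMPLE)` returns the line number and reason for each hit; the last record is not flagged because its source is outside the assumed IoT subnet.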
Affected products:
Android-based TVs
Android set-top boxes
Android tablets
TV BOX
SuperBOX
HiDPTAndroid
P200
X96Q
XBOX
SmartTV
MX10
Related links:
https://thehackernews.com/2025/12/record-297-tbps-ddos-attack-linked-to.html
https://developer.android.com/ndk
https://blog.xlab.qianxin.com/kimwolf-botnet-en/
https://thehackernews.com/2025/11/weekly-recap-fortinet-exploit-chrome-0.html#:~:text=environments.-,Microsoft%20Mitigates%20Record%2015.72%20Tbps%20DDoS%20Attack
https://www.virustotal.com/gui/file/84cf4aac1e063394be3be68fea3cb9526e567c0aeaaf39b4834411970c00921e
https://www.virustotal.com/gui/file/750a3e2ab2941705672cbeb6ec4d265e7ed79f21a18371de0c960a873b8cbbfd
https://www.virustotal.com/gui/file/77366b3b2dc016fea0f8461a1cb06e089b9186059a73d67e6ba28d088c06431d
https://thehackernews.com/2025/10/hackers-abuse-blockchain-smart.html
https://etherscan.io/address/0xde569B825877c47fE637913eCE5216C644dE081F
https://etherscan.io/tx/0xac165115069ea91503c29af14322cf84cbd39133bb59a447c2aa704999cd334f
Related CVE's:
Related threat actors:
IOC's:
14emeliaterracewestroxburyma02132[.]su, 93.95.112[.]59, pawsatyou[.]eth, 0xde569B825877c47fE637913eCE5216C644dE081F, 0x93141715
This article was created with the assistance of AI technology by Perceptive.
