

Researchers Null-Route Over 550 Kimwolf and Aisuru Botnet Command Servers
Published:
14 January 2026 at 19:03:00
Alert date:
14 January 2026 at 20:01:57
Source:
thehackernews.com
Mobile & IoT, Ransomware & Malware, Network Infrastructure
Black Lotus Labs, the threat research team at Lumen Technologies, has null-routed traffic to more than 550 command-and-control (C2) nodes associated with the AISURU/Kimwolf botnet since October 2025, dropping traffic destined for those addresses on Lumen's backbone. AISURU and its Android counterpart Kimwolf have become some of the largest botnets observed in recent years, capable of directing infected devices to take part in distributed denial-of-service (DDoS) attacks; Kimwolf alone is reported to have infected more than 2 million devices. The operation is a significant disruption of infrastructure that was actively compromising millions of devices worldwide. Null-routing cuts the traffic path to the C2 nodes but does not clean infected devices, so defenders still need to find and remediate bots on their own networks.
Technical details
Black Lotus Labs has null-routed traffic to more than 550 C2 nodes associated with the AISURU/Kimwolf botnets since October 2025. Kimwolf infects devices through the ByteConnect SDK and targets Android TV streaming devices that expose the Android Debug Bridge (ADB) service to the network. Compromised devices are used both as residential proxy exit nodes and as sources of DDoS traffic. Kimwolf grew to more than 2 million infected Android devices by tunneling through residential proxy networks: it abuses weaknesses in proxy services to reach devices on the internal networks behind the proxy exit nodes, and then propagates to ADB-enabled devices on those local networks.
Mitigation steps:
Monitor for connections to the identified command-and-control domains and IP addresses (see the IOCs below).
Disable Android Debug Bridge (ADB), and in particular ADB over TCP/IP, on Android devices when it is not needed.
Monitor for suspicious SSH connections and for traffic patterns characteristic of residential proxy services.
Block traffic to the identified malicious domains and IP addresses.
Segment the network so that a compromised device such as an Android TV box cannot reach other devices on the LAN, limiting lateral movement.
Affected products:
Android TV streaming devices
Android devices with exposed ADB service
KeeneticOS routers
PYPROXY services
Related links:
https://www.linkedin.com/pulse/keeping-kimwolf-bay-putting-leash-massive-ddos-botnet-t1pyc/
https://spur.us/what-is-a-residential-proxy/
https://thehackernews.com/2025/12/kimwolf-botnet-hijacks-18-million.html
https://thehackernews.com/2026/01/kimwolf-android-botnet-infects-over-2.html
https://krebsonsecurity.com/2025/11/cloudflare-scrubs-aisuru-botnet-from-top-domains-list/
https://krebsonsecurity.com/2026/01/who-benefited-from-the-aisuru-and-kimwolf-botnets/
https://chawkr.com/threat-intel/keenetic-proxy-botnet-analysis
Related CVEs:
Related threat actors:
IOCs:
65.108.5[.]46, 194.46.59[.]169, proxy-sdk.14emeliaterracewestroxburyma02132[.]su, greatfirewallisacensorshiptool.14emeliaterracewestroxburyma02132[.]su, 104.171.170[.]21, 104.171.170[.]201, 176.65.149[.]19:25565
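The mitigation steps above ask for monitoring of connections to the listed C2 indicators and for the ADB-based spread on local networks. The following script is an added example, not code from Black Lotus Labs, Lumen or Perceptive: it refangs the defanged IOCs from this page, splits them into bare IPs, IP:port pairs and domains, and runs them over a handful of constructed DNS and flow log lines. The log format, the hostnames and the private addresses in the sample lines are made up for illustration; the treatment of TCP/5555 as the default ADB-over-TCP port is an assumption about stock Android, not something stated on the page.

```python
"""Match the Kimwolf/AISURU IOCs listed in this alert against sample logs.

Added example, not the researchers' or Perceptive's code. The log format and
the sample lines are constructed; the IOC list is copied from the alert.
"""
import ipaddress
import re

# IOCs exactly as published above (defanged with "[.]").
DEFANGED_IOCS = [
    "65.108.5[.]46",
    "194.46.59[.]169",
    "proxy-sdk.14emeliaterracewestroxburyma02132[.]su",
    "greatfirewallisacensorshiptool.14emeliaterracewestroxburyma02132[.]su",
    "104.171.170[.]21",
    "104.171.170[.]201",
    "176.65.149[.]19:25565",
]

# Assumption: ADB over TCP/IP listens on 5555 by default on stock Android.
ADB_TCP_PORT = 5555

IPV4_PORT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
HOSTNAME = re.compile(
    r"\b([a-z0-9](?:[a-z0-9-]{0,62}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,62}[a-z0-9])?)+)\b"
)
DST_FIELD = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def refang(ioc):
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(defanged):
    """Split indicators into bare IPs, (ip, port) pairs and domain names."""
    ips, ip_ports, domains = set(), set(), set()
    for raw in defanged:
        value = refang(raw).lower()
        host, port = value, None
        if ":" in value:
            host, port = value.rsplit(":", 1)
        try:
            ipaddress.ip_address(host)
        except ValueError:
            domains.add(host)  # not an address, so treat it as a domain
            continue
        if port is None:
            ips.add(host)
        else:
            ip_ports.add((host, int(port)))  # only that port is indicative
    return ips, ip_ports, domains


def match_line(line, ips, ip_ports, domains):
    """Return every IOC that appears in one log line (case-insensitive)."""
    hits = []
    text = line.lower()
    for m in IPV4_PORT.finditer(text):
        ip, port = m.group(1), m.group(2)
        if ip in ips:
            hits.append(ip)
        if port and (ip, int(port)) in ip_ports:
            hits.append(f"{ip}:{port}")
    for m in HOSTNAME.finditer(text):
        host = m.group(1)
        if IPV4_PORT.fullmatch(host):
            continue  # dotted quad already handled above
        # Exact match or a subdomain of a listed domain.
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append(host)
    return hits


def scan(lines, defanged=DEFANGED_IOCS):
    """Return (line_no, kind, value) findings: IOC hits and LAN ADB probes."""
    ips, ip_ports, domains = parse_iocs(defanged)
    findings = []
    for n, line in enumerate(lines, 1):
        for hit in match_line(line, ips, ip_ports, domains):
            findings.append((n, "ioc", hit))
        m = DST_FIELD.search(line)
        if m and int(m.group(2)) == ADB_TCP_PORT:
            findings.append((n, "adb-port", m.group(1)))
    return findings


# Constructed sample logs: a TV box at 192.168.1.23 resolves a C2 domain,
# talks to two C2 addresses, then probes a neighbour on the ADB port.
SAMPLE_LOGS = [
    "2026-01-14T18:55:01Z dns client=192.168.1.23 qname=proxy-sdk.14emeliaterracewestroxburyma02132.su",
    "2026-01-14T18:55:02Z flow src=192.168.1.23:49210 dst=65.108.5.46:443 proto=tcp",
    "2026-01-14T18:55:03Z flow src=192.168.1.23:49211 dst=176.65.149.19:25565 proto=tcp",
    "2026-01-14T18:55:04Z flow src=192.168.1.23:49212 dst=176.65.149.19:443 proto=tcp",
    "2026-01-14T18:55:05Z flow src=192.168.1.23:41000 dst=192.168.1.40:5555 proto=tcp",
    "2026-01-14T18:55:06Z dns client=192.168.1.40 qname=www.example.com",
]

if __name__ == "__main__":
    for line_no, kind, value in scan(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} {value}")
```

Note that the port-qualified indicator 176.65.149[.]19:25565 only fires on that port, so the fourth sample line (same address, port 443) is deliberately not reported; an analyst who wants to alert on the bare address as well can add it to the list without the port. The ADB check is a secondary signal, since LAN-to-LAN connections to TCP/5555 also occur during legitimate development, but on a home or office network of streaming devices they are worth a look given how Kimwolf spreads.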
This article was created with the assistance of AI technology by Perceptive.

