The Kimwolf botnet is one of the largest recently found Android-based threats, contaminating over 1.8 million devices mostly Android TV boxes and IoT devices globally. Named after its reliance on the wolfSSL library, this malware appeared in late October 2025 when XLab researchers noticed a suspicious C2 domain rising to the top, surpassing Google on Cloudflare charts. Operators evolved the botnet from the Aisuru family, enhancing evasion tactics to build a massive proxy and DDoS army.
Kimwolf propagates through residential proxy services, taking advantage of misconfigured services like PYPROXY to access on home networks and attack devices with open Android Debug Bridge (ADB) ports. Once executed, it drops payloads such as the ByteConnect SDK via pre-packaged malicious apps or direct downloads, which converts victims into proxy nodes that can be rented on underground markets. The malware has 13 DDoS techniques under UDP, TCP, and ICMP while 96.5% of commands are related to traffic proxying for ad fraud, scraping, and account takeovers.
Capabilities extend to reverse shells for remote control, file management, and lateral movement within networks by altering DNS settings. To dodge takedowns, it employs DNS over TLS (DoT), elliptic curve signatures for C2 authentication, and EtherHiding via Ethereum Name Service (ENS) blockchain domains. Between November 19-22, 2025, it issued 1.7 billion DDoS commands; researchers estimate its peak capacity at 30 Tbps, fueling attacks on U.S., Chinese, and European targets.
Infections span 222 countries, led by Brazil (14.63%), India (12.71%), and the U.S. (9.58%), hitting uncertified TV boxes that lack updates and Google protections. Black Lotus Labs null-routed over 550 C2 nodes since October 2025, slashing active bots from peaks of 1.83 million to 200,000, while linking it to proxy sales on Discord by Resi Rack affiliates. Operators retaliated with taunting DDoS floods referencing journalist Brian Krebs.
Security teams urge focusing on smart TV vulnerabilities like firmware flaws and weak passwords, pushing for intelligence sharing to dismantle such botnets.Users should disable ADB, update firmware, avoid sideloading, and monitor networks for anomalies. As consumer IoT grows, Kimwolf underscores the risks of turning homes into cyber weapons, demanding vendor accountability and robust defenses.