Kimwolf Botnet Infects 1.8 Million Android TV Boxes

A previously unknown malware campaign has silently compromised an estimated 1.8 million Android TV boxes across the globe, creating a colossal botnet that only revealed its immense scale when one of its control domains briefly became the most queried domain online, even surpassing industry giants like Google. This sudden surge in traffic alerted security researchers to a sophisticated operation that had been growing in the shadows. The botnet, now identified as Kimwolf, targets the often-overlooked security vulnerabilities in smart TV devices and set-top boxes, transforming them into a powerful network for conducting distributed denial-of-service (DDoS) attacks and selling illicit proxy services. The campaign’s global reach, spanning over 220 countries, underscores the significant risk posed by insecure Internet of Things (IoT) devices in homes worldwide. This incident serves as a stark reminder of how everyday consumer electronics can be weaponized on a massive scale without their owners’ knowledge, contributing to a vast and resilient criminal infrastructure.

1. Emergence and Scale of the Threat

The initial discovery of the Kimwolf botnet occurred in late October 2025, when security analysts investigated a novel Android malware sample. This sample was observed communicating with a command-and-control (C2) domain that, to the astonishment of the security community, rapidly climbed the global DNS rankings. This unusual activity was the first clear indicator of the campaign’s extraordinary size. The malware was named Kimwolf due to its internal use of the wolfSSL cryptographic library and specific references found within its code. Further investigation revealed that it was compiled using the Android Native Development Kit (NDK), a method that often complicates reverse engineering efforts. Its core functionalities were quickly identified, including the ability to launch powerful DDoS attacks, forward network traffic through compromised devices (acting as a proxy), establish a reverse shell for direct remote access, and manipulate the device’s file system, giving attackers near-total control over the infected hardware.

To gain deeper insight into the botnet’s operations, researchers executed a sinkholing operation in early December, successfully redirecting traffic from one of Kimwolf’s C2 domains associated with version five of the malware. This maneuver provided unprecedented visibility into the network’s scale. Over a brief three-day period from December 3 to 5, an astounding 2.7 million unique IP addresses attempted to connect to the sinkhole, with the number of active bots peaking at 1.83 million on December 4. Analysts conservatively estimate the true number of infected devices is well over 1.8 million, accounting for factors like IP address churn in residential networks and the limited visibility from sinkholing only a single C2 domain. The infections are not evenly distributed, with a disproportionate concentration of compromised devices located in Brazil, India, the United States, Argentina, South Africa, and the Philippines, indicating a global campaign that preys on a widespread and vulnerable class of consumer electronics.
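The sinkhole figures above (2.7 million unique IPs over three days versus a peak of 1.83 million active bots on a single day) illustrate why analysts size a botnet by its peak daily active count rather than the raw unique-IP total. The script below, added here as an illustration and not the researchers' own tooling or anything from the Kimwolf sample, reproduces that measurement on constructed sinkhole connection records: it counts distinct IPs per day, reports the peak day, and computes the ratio of the multi-day unique total to the peak, which is the residential IP churn the analysts refer to. The log format (`<ISO timestamp> <client IP>`) and all addresses are assumptions made for the example.

```python
"""Sizing a botnet from sinkhole connection logs.

Added illustration of the sinkhole measurement discussed in the article.
This is not Kimwolf's code or the researchers' tooling; the log format and
the sample records are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sinkhole records: "<ISO-8601 UTC timestamp> <client IP>".
# A few lines are enough to show why the three-day unique-IP total
# exceeds the largest single-day active count when addresses churn.
SAMPLE_LOG = """\
2025-12-03T00:12:01Z 203.0.113.10
2025-12-03T01:30:45Z 203.0.113.11
2025-12-03T06:00:00Z 198.51.100.5
2025-12-03T09:14:22Z 203.0.113.10
2025-12-04T00:05:17Z 203.0.113.10
2025-12-04T02:41:09Z 203.0.113.12
2025-12-04T03:00:00Z 198.51.100.5
2025-12-04T11:22:33Z 198.51.100.6
2025-12-05T00:01:00Z 203.0.113.13
2025-12-05T07:45:00Z 198.51.100.6
2025-12-05T08:00:00Z 203.0.113.10
"""


def parse_sinkhole_log(text):
    """Yield (ISO date, ip) pairs; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield ts.date().isoformat(), parts[1]


def daily_active_ips(records):
    """Map each day to the set of distinct client IPs seen on that day."""
    per_day = defaultdict(set)
    for day, ip in records:
        per_day[day].add(ip)
    return per_day


def sinkhole_summary(text):
    """Summarise a sinkhole log: unique IPs overall, peak day, churn ratio."""
    per_day = daily_active_ips(parse_sinkhole_log(text))
    if not per_day:
        return {"total_unique_ips": 0, "peak_day": None,
                "peak_active": 0, "churn_ratio": 0.0, "per_day": {}}
    total_unique = set().union(*per_day.values())
    peak_day, peak_set = max(per_day.items(), key=lambda kv: len(kv[1]))
    return {
        # Every address that ever connected during the whole window.
        "total_unique_ips": len(total_unique),
        # The single day with the most distinct connecting addresses.
        "peak_day": peak_day,
        "peak_active": len(peak_set),
        # >1.0 means addresses turned over between days (DHCP/CGNAT churn),
        # so the multi-day total overstates the number of infected devices.
        "churn_ratio": round(len(total_unique) / len(peak_set), 2),
        "per_day": {d: len(s) for d, s in sorted(per_day.items())},
    }


if __name__ == "__main__":
    for key, value in sinkhole_summary(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the three-day unique total is 6 while the peak day (2025-12-04) has 4 active addresses, a churn ratio of 1.5; the article's real figures give roughly the same ratio (2.7 million / 1.83 million), which is why the analysts treat the daily peak, not the cumulative total, as the floor for the infected-device count.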

2. Advanced Evasion and Monetization Tactics

Unlike many conventional Android malware threats, Kimwolf employs a suite of advanced and highly evasive techniques designed to ensure its longevity and resist takedown efforts by law enforcement and security teams. To conceal its C2 communications, the malware utilizes DNS-over-TLS (DoT), which encrypts DNS queries and prevents passive network monitoring from revealing the location of its control servers. Furthermore, it implements Elliptic Curve Digital Signature Algorithm (ECDSA) authentication, a strong cryptographic handshake that ensures bots only accept commands from legitimate C2 servers, preventing hijacking by third parties. In a particularly sophisticated move, the botnet operators have adopted Ethereum Name Service (ENS) domains via a technique called EtherHiding. By storing C2 IP addresses in decentralized blockchain records, they create an infrastructure that is extremely difficult to seize or block through traditional means. To complete its defensive posture, the malware uses stack-based XOR encryption to obfuscate critical strings, such as C2 domains and DNS resolver addresses, within its code.

While Kimwolf possesses formidable DDoS capabilities, analysis of its command traffic revealed a different primary objective. Over a three-day window in late November, the botnet was observed issuing an incredible 1.7 billion DDoS attack commands targeting a wide range of global IP addresses, seemingly at random. Although many of these individual attacks may not have had a significant impact, researchers believe this massive volume of commands was likely intended as a demonstration of power or an intimidation tactic. However, a closer look at the data showed that over 96% of all commands issued by the C2 servers were related to proxying network traffic. This strongly suggests that the operators’ primary monetization strategy involves reselling access to the vast global network of compromised Android TV boxes. This turns the 1.8 million infected devices into a massive residential proxy service, which can be sold to other cybercriminals for activities like ad fraud, credential stuffing, or anonymizing their own malicious traffic.

3. Uncovering the Botnet’s Origins

A thorough forensic analysis has traced Kimwolf’s lineage directly back to a previously known threat, the Aisuru botnet. The initial samples of Kimwolf appeared to be built upon reused Aisuru code, with several transitional APKs discovered that contained components from both malware families, indicating a clear evolutionary path. Researchers were able to connect the two by meticulously examining metadata and artifacts, including file upload timestamps, shared resource identifiers within the application packages, and matching digital certificate fingerprints. The consistency of these technical markers led to the high-confidence conclusion that Kimwolf was not an entirely new creation but rather a significant upgrade or rebranding effort conducted by the same threat actors responsible for the Aisuru botnet. This connection provides crucial context, suggesting the operators are experienced and have been refining their tools and techniques over a considerable period.

The hypothesis linking Kimwolf to Aisuru was further solidified on December 8, when analysts discovered a downloader script actively distributing both malware binaries from the same server infrastructure. This script served as a “smoking gun,” confirming the operational connection between the two botnets. The infrastructure hosted both Kimwolf and Aisuru payloads, which shared identical hardcoded digital certificates and communicated with some of the same C2 servers. This shared infrastructure and cryptographic material provided irrefutable evidence that the same group was managing both campaigns. The evolution from Aisuru to Kimwolf likely represents the threat actor’s efforts to incorporate more resilient features, such as the use of ENS domains and stronger encryption, in response to previous takedown efforts targeting their older infrastructure, demonstrating a clear pattern of adaptation and persistence.

4. Protecting Against Pervasive Vulnerabilities

The widespread compromise of Android TV boxes highlighted a critical weak point in the consumer electronics ecosystem. These devices, particularly those from lesser-known vendors or those running outdated firmware, proved to be a soft underbelly for the entire Android platform. A combination of factors, including a general lack of timely security updates, the common use of weak or unchanged default passwords, and poor code auditing practices by manufacturers, created a perfect environment for a long-term, large-scale compromise. This incident underscored the urgent need for greater security diligence from both manufacturers and consumers. In response, users were strongly recommended to purchase TV boxes only from reputable makers known for providing ongoing support. Furthermore, they were advised to avoid sideloading applications from untrusted sources, to immediately change any default administrative passwords upon setup, and to diligently perform any firmware updates as soon as they became available, as these often contained patches for critical vulnerabilities that botnets like Kimwolf exploited.
