- Kimwolf, an Android botnet with 1.8 million infected devices, is rapidly evolving using ENS for resilience
- Its code and infrastructure overlap with AISURU, indicating both belong to the same threat group
- AISURU remains one of the most destructive botnets, recently peaking at 29.7 Tbps in DDoS attacks
Cybersecurity researchers have spotted a mjor malicious botnet comprising almost two million devices which is reportedly capable of more than “just” Distributed Denial of Service (DDoS) attacks.
QiAnXin XLab published a new report on Kimwolf, an Android-based botnet that primarily targets TVs, set-top boxes, and tablets. At the moment, it infected roughly 1.8 million devices, mostly in Brazil, India, the U.S., Argentina, South Africa, and the Philippines.
How the devices get infected is still unknown, but XLab found the majority of the victims are in residential network environments, and belong to these brands: TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV, and MX10.
Owned by AISURU?
The researchers have been tracking Kimwolf for a little while now and found that the botnet was taken down multiple times already but has always returned stronger.
“We observed that Kimwolf’s C2 domains have been successfully taken down by unknown parties at least three times [in December], forcing it to upgrade its tactics and turn to using ENS (Ethereum Name Service) to harden its infrastructure, demonstrating its powerful evolutionary capability,” XLab researchers said.
They also said that the botnet’s source code and C2 infrastructure overlaps significantly with that of AISURU, currently one of the most destructive botnets in existence.
“These two major botnets propagated through the same infection scripts between September and November, coexisting in the same batch of devices,” the researchers explained. “They actually belong to the same hacker group.”
AISURU is a botnet that’s made multiple headlines recently for breaking all sorts of DDoS records.
Earlier this month, Cloudflare released its 2025 Q3 DDoS threat report, detailing an attack by “the apex of botnets”. In the report, the CDN giant said AISURU counts anywhere between one and four million infected devices, and that it mounted a DDoS attack that peaked at 29.7 terabits per second (Tbps) and 14.1 billion packets per second (Bpps).
Cloudflare described it as a “UDP carpet-bombing attack bombarding an average of 15K destination ports per second”.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
Add Comment