- Kimwolf, an Android botnet with 1.8 million infected devices, is rapidly evolving, using ENS for resiliency.
- Its code and infrastructure overlap with AISURU, indicating that they both belong to the same threat group.
- AISURU remains one of the most destructive botnets, recently peaking at 29.7 Tbps in DDoS attacks.
Cybersecurity researchers have detected a major malicious botnet comprising nearly two million devices that is reportedly capable of conducting more than “simple” distributed denial of service (DDoS) attacks.
QiAnXin XLab published a new report on Kimwolf, an Android-based botnet that primarily targets TVs, set-top boxes, and tablets. So far, it has infected approximately 1.8 million devices, mainly in Brazil, India, the United States, Argentina, South Africa and the Philippines.
It is still unknown how the devices are infected, but XLab found that the majority of victims are in residential network environments and belong to these brands: TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV and MX10.
Property of AISURU?
Researchers have been tracking Kimwolf for a while and found that the botnet has already been taken down several times, but has always come back stronger.
“We note that Kimwolf's C2 domains have been successfully deleted by unknown parties at least three times [in December], forcing it to update its tactics and resort to using ENS (Ethereum Name Service) to reinforce its infrastructure, demonstrating its powerful evolutionary capacity,” said XLab researchers.
They also said that the botnet's source code and C2 infrastructure overlap significantly with that of AISURU, currently one of the most destructive botnets in existence.
“These two main botnets spread through the same infection scripts between September and November, coexisting on the same batch of devices,” the researchers explained. “They actually belong to the same hacker group.”
AISURU is a botnet that has made multiple headlines recently for breaking all kinds of DDoS records.
Earlier this month, Cloudflare released its Q3 2025 DDoS threat report, detailing an attack from “the pinnacle of botnets.” In the report, the CDN giant said that AISURU counted between one and four million infected devices, and that it mounted a DDoS attack that peaked at 29.7 terabits per second (Tbps) and 14.1 billion packets per second (Bpps).
Cloudflare described it as a “UDP bombing attack that bombards an average of 15,000 target ports per second.”