Kimwolf Botnet Mobilizes 1.8 Million Devices for Extensive DDoS Campaign

By Tina Reynolds

A different kind of threat has been unfolding just outside the cybersecurity world’s focus. The Kimwolf botnet has compromised an astounding 1.8 million devices, mainly Android-based TVs and set-top boxes. This DDoS botnet marks the start of a new generation of massive attacks. Cybersecurity specialists and agencies across the globe were alarmed, particularly after detecting a dramatic spike in ransomware activity from November 19 through 22, 2025.

The Kimwolf botnet continues to find novel ways to extend its operational capabilities. It now uses a giant network of hacked devices to carry out DDoS instructions more efficiently. A more recent attack vector focuses on specific models of smart TVs, tablets, and set-top boxes, devices that are the backbone of residential networks. Investigations, whether through legal action or journalistic inquiry, are uncovering new links. The links between Kimwolf and the AISURU botnet indicate a concerted effort to exploit vulnerabilities across a wider array of devices.

Scope of the Infections

The infected devices include popular models such as TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV and MX10. Infections are 95% concentrated in just five countries. Measured by significant hotspots, that list would extend to Brazil, India, the US, Argentina, South Africa and the Philippines. This worldwide impact reveals just how fragile consumer electronics are. Attackers can more easily exploit these devices, which include many that are inherently less secure than desktop or laptop computers.

Cybersecurity firm XLab began investigating Kimwolf after receiving a “version 4” artifact from a trusted partner on October 24, 2025. Those findings brought a shocking truth to light. Within a span of just three days, the botnet sent out almost 1.7 billion DDoS attack commands, emphasizing its vast and destructive might.

Technical Features and Capabilities

The technical underpinnings of Kimwolf are what will really knock your socks off. The botnet uses TLS encryption for all of its network communications, making it very difficult to track the botnet’s operation. It defends against 13 distinct DDoS attack vectors over UDP, TCP, and ICMP protocols. Previous iterations of this malware have exposed an interesting new method known as EtherHiding. This technique leverages an ENS domain, “pawsatyou[.]eth,” to obscure the actual command and control (C2) IP address by fetching it from an associated smart contract.

The threat posed by large-scale botnets is changing quickly. Today, they’re especially focused on smart TVs and other connected devices.

“We observed that Kimwolf’s C2 domains have been successfully taken down by unknown parties at least three times [in December], forcing it to upgrade its tactics and turn to using ENS (Ethereum Name Service) to harden its infrastructure, demonstrating its powerful evolutionary capability.” – XLab researchers

Historical Context and Comparisons

The emergence of Kimwolf comes on the heels of a well-chronicled historical arc featuring the era of mega botnets. XLab noted:

“Giant botnets originated with Mirai in 2016, with infection targets mainly concentrated on IoT devices like home broadband routers and cameras.”

However, the landscape has shifted in recent years.

“Information on multiple million-level giant botnets like Badbox, Bigpanzi, Vo1d, and Kimwolf has been disclosed, indicating that some attackers have started to turn their attention to various smart TVs and TV boxes.” – XLab

These observations suggest that as technology evolves, so too do the strategies employed by cybercriminals. The focus on Android-based devices signifies a broader trend where everyday consumer electronics fall prey to sophisticated attacks.