Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks
A new distributed denial-of-service (DDoS) botnet known as Kimwolf has enlisted a massive army of no less than 1.8 million infected devices comprising Android-based TVs, set-top boxes, and tablets, and may be associated with another botnet known as AISURU, according to findings from QiAnXin XLab. "Kimwolf is a botnet compiled using the NDK [Native Development Kit]," the company said in a report
AI Analysis
Technical Summary
Kimwolf is a sophisticated distributed denial-of-service (DDoS) botnet identified by QiAnXin XLab that has infected at least 1.8 million Android-based smart TVs, set-top boxes, and tablets worldwide. The botnet is compiled using the Android Native Development Kit (NDK), allowing it to run efficiently on ARM-based devices. It integrates multiple functionalities beyond DDoS attacks, including proxy forwarding, reverse shell access, and file management, enabling attackers to control infected devices comprehensively. Kimwolf’s command-and-control (C2) infrastructure employs advanced evasion techniques such as DNS-over-TLS for encrypted DNS queries and the use of Ethereum Name Service (ENS) domains to fetch C2 IP addresses via smart contracts, complicating takedown efforts. The botnet supports 13 different DDoS attack methods over UDP, TCP, and ICMP protocols, enabling versatile attack vectors. It has issued approximately 1.7 billion DDoS commands over a three-day period in late 2025, indicating high operational tempo and scale. Kimwolf is linked to the AISURU botnet, sharing infection scripts and even code signing certificates, suggesting a shared threat actor or collaboration. The primary infection targets are residential TV boxes, including models like TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV, and MX10. While the exact infection vector remains unknown, the botnet’s global distribution includes significant concentrations in Brazil, India, the US, Argentina, South Africa, and the Philippines. European countries such as France and Germany have been targeted by DDoS attacks launched by Kimwolf. The botnet also monetizes infected devices by deploying a Rust-based Command Client module and ByteConnect SDK to provide proxy services, exploiting device bandwidth for profit. The botnet’s infrastructure has shown resilience, surviving multiple C2 domain takedowns by switching to blockchain-based ENS domains. 
This evolution highlights the increasing sophistication of IoT-targeting botnets and their ability to evade traditional mitigation strategies. The threat poses risks not only through direct DDoS attacks but also by enabling proxy abuse and potential further exploitation of compromised devices.
Potential Impact
European organizations face significant risks from Kimwolf’s large-scale DDoS capabilities, which can disrupt critical online services, degrade network performance, and cause financial and reputational damage. The botnet’s ability to launch attacks against targets in France and Germany indicates direct threats to European infrastructure and enterprises. Additionally, the exploitation of residential smart TVs and set-top boxes as proxy nodes can facilitate anonymized malicious activities, complicating attribution and increasing the risk of secondary attacks such as fraud or data exfiltration. The widespread infection of consumer IoT devices in European households can indirectly impact enterprise networks through shared ISPs and interconnected services. The botnet’s resilience and use of blockchain-based C2 infrastructure hinder takedown efforts, prolonging the threat’s operational lifespan. Given the growing adoption of smart TVs and IoT devices in Europe, the potential scale of infection and subsequent attacks could escalate, affecting sectors reliant on stable internet connectivity, including finance, healthcare, and government services. The threat also underscores the vulnerability of IoT ecosystems in Europe, where device security is often insufficient, increasing exposure to botnet recruitment and exploitation.
Mitigation Recommendations
1. Collaborate with ISPs and device manufacturers to identify and patch vulnerabilities in Android-based smart TVs and set-top boxes, prioritizing firmware updates that close infection vectors.
2. Implement network-level monitoring to detect unusual outbound traffic patterns consistent with DDoS command-and-control communications or proxy service abuse, using behavioral analytics and anomaly detection.
3. Deploy DNS filtering and inspection to block access to known malicious C2 domains and ENS-based blockchain lookups associated with Kimwolf.
4. Encourage end-users to secure their home networks by changing default device credentials, disabling unnecessary services, and segmenting IoT devices from critical business networks.
5. Utilize threat intelligence sharing platforms to stay updated on emerging indicators of compromise (IOCs) and attack patterns related to Kimwolf and AISURU botnets.
6. Employ rate limiting and DDoS mitigation services at network edges to absorb or block volumetric attacks originating from botnet nodes.
7. Support law enforcement and cybersecurity researchers in takedown efforts targeting botnet infrastructure, including blockchain-based C2 components.
8. Promote awareness campaigns for consumers on the risks of insecure IoT devices and the importance of timely updates and secure configurations.
9. Investigate and deploy endpoint detection and response (EDR) solutions capable of identifying native code malware on Android-based devices where feasible.
10. Encourage manufacturers to adopt secure development lifecycle practices and integrate hardware-based security features in IoT devices to prevent future botnet recruitment.
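Recommendations 2 and 3 above amount to looking, on the IoT segment, for the two C2 behaviours the technical summary attributes to Kimwolf: DNS-over-TLS resolution and ENS lookups, which are ordinary Ethereum JSON-RPC reads (`eth_call` against a resolver contract). The following detector is an added example, not code from XLab's report or from any product; it runs over constructed flow records (the IP ranges, ports and payload snippets are assumptions and sample data, not indicators from the page) and reports which IoT hosts tripped which signal.

```python
import ipaddress
import json

# Assumed IoT VLAN; adjust to the segment where TVs and set-top boxes live.
IOT_SEGMENT = ipaddress.ip_network("192.168.50.0/24")
DOT_PORT = 853            # DNS-over-TLS (RFC 7858)
ETH_RPC_PORT = 8545       # default Ethereum JSON-RPC HTTP port
# JSON-RPC methods an ENS resolution needs (contract reads via eth_call);
# a TV box has no legitimate reason to issue them.
ENS_RPC_METHODS = {"eth_call", "eth_getLogs"}

# Constructed flow records: (src_ip, dst_ip, dst_port, first payload bytes).
# Addresses are documentation ranges, contract/calldata fields are placeholders.
SAMPLE_FLOWS = [
    ("192.168.50.21", "198.51.100.7", 853, b""),
    ("192.168.50.21", "203.0.113.10", 443,
     b'{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0x00","data":"0x00"}],"id":1}'),
    ("192.168.50.33", "203.0.113.44", 443, b"GET /index.html HTTP/1.1"),
    ("192.168.10.5", "198.51.100.7", 853, b""),   # workstation using DoT: not IoT
    ("192.168.50.40", "203.0.113.10", 8545,
     b'{"jsonrpc":"2.0","method":"eth_getBalance","params":[],"id":2}'),
]


def rpc_method(payload: bytes):
    """Return the JSON-RPC method name if payload is a JSON-RPC 2.0 request, else None."""
    if not payload.startswith(b"{"):
        return None
    try:
        obj = json.loads(payload)
    except ValueError:
        return None
    if isinstance(obj, dict) and obj.get("jsonrpc") == "2.0":
        return obj.get("method")
    return None


def classify(src, dst, dport, payload):
    """Reasons a single flow from an IoT host is suspicious (empty list if none)."""
    reasons = []
    if ipaddress.ip_address(src) not in IOT_SEGMENT:
        return reasons                      # only IoT hosts are in scope
    if dport == DOT_PORT:
        reasons.append("dns-over-tls")      # encrypted resolver traffic from a TV box
    if dport == ETH_RPC_PORT:
        reasons.append("ethereum-rpc-port")  # talking to a node's RPC port directly
    if rpc_method(payload) in ENS_RPC_METHODS:
        reasons.append("ens-json-rpc")      # contract read consistent with an ENS lookup
    return reasons


def find_suspects(flows):
    """Map each IoT host to the sorted, de-duplicated reasons it tripped."""
    suspects = {}
    for src, dst, dport, payload in flows:
        for reason in classify(src, dst, dport, payload):
            suspects.setdefault(src, set()).add(reason)
    return {host: sorted(reasons) for host, reasons in suspects.items()}


if __name__ == "__main__":
    for host, reasons in find_suspects(SAMPLE_FLOWS).items():
        print(host, ", ".join(reasons))
```

Two caveats for anyone turning this into a production rule: Android's own Private DNS feature also speaks DNS-over-TLS on port 853, so the `dns-over-tls` signal needs an allowlist of the public resolvers your devices are configured to use, while an `eth_call` from a set-top box is a much stronger signal on its own. The ENS check only sees cleartext JSON-RPC; if the device reaches the RPC endpoint over HTTPS, the destination (a known Ethereum RPC provider) is the observable, not the method name.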
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland
Technical Details
- Article Source: https://thehackernews.com/2025/12/kimwolf-botnet-hijacks-18-million.html (fetched 2025-12-17T23:21:20Z, 1408 words)
Threat ID: 69433af3058703ef3fd57b08
Added to database: 12/17/2025, 11:21:23 PM
Last enriched: 12/17/2025, 11:21:51 PM
Last updated: 12/18/2025, 6:58:16 AM