A new “super botnet” Kimwolf reported by researchers
Security researchers at XLab recently disclosed Kimwolf, a newly identified Android-based botnet that has allegedly infected more than 1.8 million devices worldwide. According to XLab’s findings, the botnet has issued over 1.7 billion DDoS attack commands in just three days, making it one of the largest active botnets observed. Kimwolf primarily targets Android-powered TV boxes and smart devices and has demonstrated the ability to generate hypervolumetric DDoS traffic at multi-Tbps scale.
This article summarises key findings from XLab’s research for informational purposes. The data and analysis presented are those of XLab and were not confirmed by FastNetMon at the time of writing.
Links to Aisuru and likely shared operators
XLab’s investigation uncovered strong technical and operational links between Kimwolf and the previously known Aisuru botnet. Shared infection scripts, overlapping infrastructure, reused certificates, and common tooling strongly suggest that both botnets are operated by the same threat actor group. Researchers believe Kimwolf represents a redesigned and more stealthy evolution of Aisuru, likely developed to evade detection after Aisuru samples became widely flagged by security products.
Technical overview of the Kimwolf botnet
The following technical details are based on XLab’s public analysis report.
Kimwolf is compiled using the Android NDK and primarily targets Android TV boxes, smart TVs, and similar consumer devices. While its architecture is relatively straightforward, it incorporates several advanced techniques that complicate detection and takedown efforts:
- Massive scale: Researchers observed up to 1.83 million active nodes in a single day, with cumulative infected IPs exceeding 3.6 million during C2 sinkholing.
- DDoS capability: Kimwolf supports multiple Mirai-style DDoS attack vectors and is assessed to be capable of attacks approaching 30 Tbps, based on observed real-world incidents.
- Stealthy communications: The botnet uses DNS over TLS (DoT) to hide C2 resolution and encrypts traffic using TLS, significantly reducing visibility for traditional network monitoring.
- Resilient C2 infrastructure: Kimwolf rapidly rotates C2 domains and has adopted Ethereum Name Service (ENS)–based EtherHiding to resist takedowns.
- Authentication mechanisms: C2 commands are protected using elliptic curve digital signatures, preventing easy takeover by defenders.
- Multi-purpose malware: Beyond DDoS, Kimwolf supports traffic proxying, reverse shell access, and file operations, with proxying accounting for the majority of observed commands.
Infected devices have been observed in 222 countries and regions, with the highest concentrations in Brazil, India, the United States, and Argentina. XLab notes that the true number of infected devices is likely higher due to dynamic IP addressing and partial visibility into Kimwolf’s infrastructure.
Hypervolumetric DDoS threats will keep growing in 2026
Kimwolf is another clear signal that hyper-scale DDoS botnets are no longer exceptional events. As attackers increasingly abuse poorly secured consumer devices—especially smart TVs and TV boxes—the internet continues to inherit systemic risk from mass-market hardware with weak security controls.
Looking ahead to 2026, we expect:
- Continued growth in the number of multi-Tbps attacks
- Further growth in the infection rates of large botnets
- Greater use of stealth techniques and decentralised infrastructure to evade takedowns
In this environment, DDoS detection, both inbound and outbound, is no longer an optional function. It is a foundational requirement for service providers, networks, and critical internet infrastructure. Visibility, early detection, and automated mitigation will play an increasingly important role in keeping the internet stable as botnets like Kimwolf continue to evolve.
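Two of the observations above translate directly into network-side detection logic: the use of DNS over TLS (TCP/853) for C2 resolution described in the technical overview, and the outbound flood traffic an infected TV box emits when it takes part in an attack. The following is an added example, not code from XLab or FastNetMon, that runs both checks over constructed NetFlow-style records. The subnet, addresses, packet counts and the 50,000 pps threshold are assumptions chosen for illustration; a real deployment would size the threshold from baseline traffic.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical access subnet holding consumer CPE / TV boxes (RFC 5737 range).
LAN_PREFIX = "192.0.2."
# Length of the collection window the sample flows were summarised over (assumed).
OBSERVATION_WINDOW_S = 10.0


@dataclass(frozen=True)
class Flow:
    """One flow summary as a collector would export it (constructed schema)."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dst_port: int
    packets: int


# Constructed sample records, not real telemetry:
#  - 192.0.2.10 talks DoT to an external resolver and then floods UDP/443 outbound
#  - 192.0.2.20 is an ordinary HTTPS client
#  - 192.0.2.30 uses DoT only (e.g. Android Private DNS), with no flood
#  - an external host using port 853 inbound is out of scope for this check
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.1", "tcp", 853, 40),
    Flow("192.0.2.10", "203.0.113.5", "udp", 443, 600_000),
    Flow("192.0.2.20", "198.51.100.9", "tcp", 443, 2_000),
    Flow("192.0.2.30", "198.51.100.1", "tcp", 853, 20),
    Flow("203.0.113.7", "192.0.2.20", "tcp", 853, 15),
]


def is_internal(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


def find_dot_clients(flows):
    """Internal hosts that initiate DNS-over-TLS sessions to external resolvers."""
    return sorted({
        f.src for f in flows
        if is_internal(f.src) and not is_internal(f.dst)
        and f.proto == "tcp" and f.dst_port == 853
    })


def find_outbound_floods(flows, pps_threshold=50_000):
    """Internal hosts whose outbound packet rate over the window exceeds the threshold.

    Returns a dict of source IP -> packets per second.
    """
    pkts = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            pkts[f.src] += f.packets
    return {
        src: total / OBSERVATION_WINDOW_S
        for src, total in pkts.items()
        if total / OBSERVATION_WINDOW_S > pps_threshold
    }


def triage(flows, pps_threshold=50_000):
    """Combine both signals per host; a host with DoT *and* an outbound flood
    is the strongest candidate for isolation and investigation."""
    dot = set(find_dot_clients(flows))
    floods = find_outbound_floods(flows, pps_threshold)
    report = {}
    for ip in dot | set(floods):
        report[ip] = {
            "dot_to_external": ip in dot,
            "outbound_pps": floods.get(ip, 0.0),
            "priority": "high" if ip in dot and ip in floods else "review",
        }
    return report


if __name__ == "__main__":
    for ip, info in sorted(triage(SAMPLE_FLOWS).items()):
        print(ip, info)
```

On its own, DoT to an external resolver is a weak signal, since Android devices use it legitimately for Private DNS; the example therefore ranks a host as high priority only when DoT coincides with an outbound packet rate far above what a TV box should produce. Because Kimwolf encrypts its C2 traffic with TLS, flow metadata of this kind, rather than payload inspection, is what an operator can realistically act on.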
About FastNetMon
FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats. For more information, visit https://fastnetmon.com.

