
Kimwolf Botnet: Massive Android TV Box and IoT Malware Threat Exploiting Global Networks

  • Rescana
  • 4 days ago
  • 5 min read

Executive Summary

The Kimwolf botnet represents a critical and rapidly evolving threat to enterprise and consumer networks worldwide. This Android-based malware ecosystem has infected over 1.8 million devices, with a focus on Android TV boxes, digital photo frames, and other IoT devices that are often shipped with weak security controls or pre-installed malicious software. Kimwolf leverages residential proxy networks to bypass traditional perimeter defenses, enabling attackers to launch high-volume DDoS attacks, monetize proxy bandwidth, and conduct lateral movement within local networks. The botnet’s resilience is enhanced by its use of DNS-over-TLS, blockchain-based command and control (C2) via Ethereum Name Service (ENS), and rapid re-infection capabilities. Organizations and individuals must act swiftly to identify, isolate, and remediate infected devices to prevent exploitation, data exfiltration, and participation in criminal infrastructure.

Threat Actor Profile

The operators behind Kimwolf are a technically advanced cybercriminal group with a history of botnet development, previously linked to the Aisuru botnet. Their operations are characterized by rapid adaptation to takedowns, sophisticated monetization strategies, and a focus on stealth and persistence. The group exploits the global supply chain of low-cost Android devices, particularly those distributed via third-party sellers on platforms such as Amazon, BestBuy, Newegg, and Walmart. Their infrastructure is distributed and resilient, utilizing TLS-encrypted C2 channels, elliptic curve digital signatures for authentication, and blockchain-based domain resolution to evade traditional domain takedown efforts. The group’s primary revenue streams include residential proxy bandwidth resale, ad fraud, and DDoS-for-hire services.

Technical Analysis of Malware/TTPs

Kimwolf is a modular malware platform targeting Android-based devices, primarily distributed as APKs and ELF binaries. Infection vectors include pre-installed malware on new devices, malicious applications from unofficial app stores, and exploitation of devices with Android Debug Bridge (ADB) enabled by default on TCP port 5555. Once installed, Kimwolf establishes persistence, disables security controls, and connects to C2 infrastructure using DNS-over-TLS to evade detection.

The malware’s core capabilities include launching up to 13 different DDoS attack types, establishing reverse shells for remote control, managing files, and, most critically, proxying network traffic through infected devices. This proxy functionality is monetized via integration with the ByteConnect SDK and custom Rust-based proxy clients, allowing attackers to resell bandwidth to third-party proxy services such as IPIDEA. The botnet’s C2 infrastructure is highly dynamic, with domains such as 14emeliaterracewestroxburyma02132[.]su, rtrdedge1.samsungcdn[.]cloud, and ENS domains like pawsatyou[.]eth used to maintain operational continuity.

Kimwolf also demonstrates advanced lateral movement capabilities, scanning local networks for additional vulnerable devices, including routers and IoT endpoints. It can manipulate DNS settings on local routers, redirecting traffic to attacker-controlled servers for further exploitation or surveillance. The malware’s resilience is underscored by its ability to rapidly rebuild its botnet population following takedowns, leveraging residential proxy pools to re-infect millions of devices within days.

Key technical indicators include suspicious processes such as netd_services and tv_helper; Unix domain sockets named @niggaboxv[number] (the leading @ marks the Linux abstract socket namespace, so these sockets appear in /proc/net/unix but never on the filesystem); and outbound connections to known C2 domains and to downloader IPs in the 93.95.112.50 to 93.95.112.59 range (AS397923, Resi Rack L.L.C.). The malware is frequently found on device models including TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX (Android-based), SmartTV, and MX10.

Exploitation in the Wild

Kimwolf has been observed participating in some of the largest DDoS attacks recorded to date, with volumes reaching up to 30 Tbps and 2.9 Gpps, as reported by Cloudflare in late 2025. The botnet’s proxy capabilities are exploited for ad fraud, account takeovers, and large-scale web scraping, with 96.5% of bot commands related to proxying traffic. Attackers have demonstrated the ability to move laterally within local networks, compromising additional devices and altering router DNS settings to facilitate further attacks or data interception.

The botnet’s monetization strategy is highly effective, with estimated monthly revenues exceeding $88,000 from proxy bandwidth resale alone. The use of blockchain-based ENS domains for C2 communication has enabled the group to maintain operational continuity despite repeated takedown efforts. Infections have been confirmed in over 222 countries and regions, with the highest concentrations in Brazil, India, the United States, Argentina, South Africa, the Philippines, Mexico, China, Thailand, Saudi Arabia, Indonesia, Morocco, Turkey, Iraq, and Pakistan.

Victimology and Targeting

Kimwolf primarily targets home users and small office/home office (SOHO) environments, exploiting the widespread use of inexpensive Android-based devices with poor security hygiene. The most affected sectors include residential networks, small businesses, and any organization utilizing Android TV boxes, digital photo frames, or similar devices sourced from unvetted third-party vendors. The botnet’s global reach is facilitated by the international distribution of these devices, often with malware pre-installed at the factory or during supply chain transit.

While the majority of infections are concentrated in emerging markets with high adoption rates of low-cost Android devices, significant numbers have also been detected in North America and Europe. The indiscriminate nature of the botnet’s propagation means that any organization or individual with vulnerable devices is at risk, regardless of geographic location or sector.

Mitigation and Countermeasures

Immediate action is required to mitigate the threat posed by Kimwolf. Organizations should conduct a comprehensive inventory of all Android-based devices within their networks, with particular attention to TV boxes, digital photo frames, and other IoT endpoints. Devices with ADB enabled by default should be isolated and, where possible, have ADB disabled. Only devices from reputable vendors with a proven track record of security updates should be deployed.

Network monitoring solutions should be configured to detect and alert on outbound connections to known Kimwolf C2 domains and downloader IPs. Security teams should monitor for the presence of suspicious processes such as netd_services and tv_helper, as well as Unix domain sockets named @niggaboxv[number]. Tools such as Synthient’s Kimwolf checker can be used to determine if a public IP address is participating in the botnet.
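The process, socket, IP-range and domain indicators listed in the technical analysis and repeated here can be swept mechanically across host and network telemetry. The script below is an added example, not code from the report or from Synthient: it matches those indicators against constructed samples of `ps -A` output, `/proc/net/unix`, `netstat -tn` output and a DNS query log. The log layouts, timestamps and client addresses are constructed for illustration; in practice the inputs would be the real command output from an `adb shell` session or from your collectors. ENS names such as pawsatyou[.]eth are resolved over Ethereum rather than DNS, so they are deliberately not in the DNS watch list.

```python
import ipaddress
import re

# Indicators reported for Kimwolf (domains refanged from the [.] form used in the report).
SUSPICIOUS_PROCESSES = {"netd_services", "tv_helper"}
SOCKET_PATTERN = re.compile(r"^@niggaboxv\d+$")   # abstract-namespace Unix sockets
DOWNLOADER_RANGE = (ipaddress.ip_address("93.95.112.50"),
                    ipaddress.ip_address("93.95.112.59"))
C2_DOMAINS = {
    "14emeliaterracewestroxburyma02132.su",
    "rtrdedge1.samsungcdn.cloud",
}

# Constructed samples (not captured data) in the formats the parsers expect.
SAMPLE_PS = """USER PID PPID VSZ RSS WCHAN ADDR S NAME
root 1 0 10 5 0 0 S init
root 2311 1 40 20 0 0 S netd_services
u0_a12 2402 1 60 30 0 0 S com.android.tv
shell 2515 2311 30 10 0 0 S tv_helper
"""
SAMPLE_UNIX = """Num RefCount Protocol Flags Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 11864 /dev/socket/logd
0000000000000000: 00000002 00000000 00000000 0001 03 11870
0000000000000000: 00000002 00000000 00010000 0001 01 20913 @niggaboxv3
0000000000000000: 00000002 00000000 00010000 0001 01 20917 @niggaboxv12
"""
SAMPLE_NETSTAT = """Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.1.23:41022 93.95.112.53:80 ESTABLISHED
tcp 0 0 192.168.1.23:41030 142.250.74.78:443 ESTABLISHED
tcp6 0 0 ::ffff:192.168.1.23:41040 ::ffff:93.95.112.59:80 ESTABLISHED
tcp 0 0 192.168.1.23:41050 93.95.112.60:80 ESTABLISHED
"""
SAMPLE_DNS = """2025-12-01T10:00:01Z client=192.168.1.23 qname=rtrdedge1.samsungcdn.cloud. qtype=A
2025-12-01T10:00:02Z client=192.168.1.23 qname=www.example.com qtype=A
2025-12-01T10:00:03Z client=192.168.1.40 qname=cdn.14emeliaterracewestroxburyma02132.su qtype=A
"""


def suspicious_processes(ps_output):
    """Match the NAME column of `ps -A` output; returns (pid, name) pairs."""
    hits = []
    for line in ps_output.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) >= 2 and fields[-1] in SUSPICIOUS_PROCESSES:
            hits.append((int(fields[1]), fields[-1]))
    return hits


def suspicious_sockets(proc_net_unix):
    """Match the Path column of /proc/net/unix; returns (inode, path) pairs."""
    hits = []
    for line in proc_net_unix.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:                      # unnamed sockets have no Path column
            continue
        if SOCKET_PATTERN.match(fields[7]):
            hits.append((int(fields[6]), fields[7]))
    return hits


def normalize_ip(text):
    """Parse an address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    addr = ipaddress.ip_address(text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def in_downloader_range(addr):
    """True if addr is an IPv4 address inside 93.95.112.50-59."""
    low, high = DOWNLOADER_RANGE
    return addr.version == 4 and low <= addr <= high


def suspicious_connections(netstat_output):
    """Parse `netstat -tn` rows; returns (remote_ip, port) for downloader-range peers."""
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("tcp"):
            continue
        remote_ip, _, remote_port = fields[4].rpartition(":")
        try:
            addr, port = normalize_ip(remote_ip), int(remote_port)
        except ValueError:                       # '*' ports or malformed rows
            continue
        if in_downloader_range(addr):
            hits.append((str(addr), port))
    return hits


def suspicious_dns(dns_log):
    """Return query names that are, or sit under, a known C2 domain."""
    hits = []
    for line in dns_log.splitlines():
        match = re.search(r"qname=(\S+)", line)
        if not match:
            continue
        qname = match.group(1).rstrip(".").lower()
        if any(qname == c2 or qname.endswith("." + c2) for c2 in C2_DOMAINS):
            hits.append(qname)
    return hits


def sweep(ps_output, proc_net_unix, netstat_output, dns_log):
    """Run every check and return one dict of findings for the device or network."""
    return {"processes": suspicious_processes(ps_output),
            "sockets": suspicious_sockets(proc_net_unix),
            "connections": suspicious_connections(netstat_output),
            "dns": suspicious_dns(dns_log)}


if __name__ == "__main__":
    for kind, findings in sweep(SAMPLE_PS, SAMPLE_UNIX, SAMPLE_NETSTAT, SAMPLE_DNS).items():
        print("%-12s %s" % (kind, findings or "none"))
```

Any non-empty result is grounds to pull the device off the network; note that the IPv4-mapped case matters because Android's netstat frequently reports IPv4 peers as ::ffff: addresses, which a naive IPv4-only comparison would miss.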

Firmware updates should be applied to all affected devices, and any device found to be infected should be immediately removed from the network and subjected to a full factory reset or secure re-imaging. Network segmentation, such as the use of VLANs or guest networks, can help contain the spread of infection and limit lateral movement. Organizations should also educate users about the risks of purchasing devices from untrusted sources and the dangers of sideloading applications from unofficial app stores.

For advanced detection, security teams should implement behavioral analytics to identify anomalous proxy traffic and DDoS activity originating from internal devices. Collaboration with ISPs and upstream providers may be necessary to block malicious traffic at the network edge.

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with advanced tools to identify, assess, and mitigate cyber risks across their extended supply chains. Our platform leverages real-time threat intelligence, automated risk scoring, and continuous monitoring to empower security teams with actionable insights and proactive defense strategies. For questions about this report or to learn more about how Rescana can help secure your organization, contact us at ops@rescana.com.
