Full Report
A new distributed denial-of-service (DDoS) botnet known as Kimwolf has enlisted a massive army of no less than 1.8 million infected devices comprising Android-based TVs, set-top boxes, and tablets, and may be associated with another botnet known as AISURU, according to findings from QiAnXin XLab. "Kimwolf is a botnet compiled using the NDK [Native Development Kit]," the company said in a report
Analysis Summary
# Tool/Technique: Kimwolf Botnet
## Overview
Kimwolf is a large-scale Distributed Denial-of-Service (DDoS) botnet that primarily targets and infects Internet of Things (IoT) devices running Android, specifically Android-based TVs, set-top boxes, and tablets. It is suspected to be associated with, or a successor to, the AISURU botnet, possibly sharing infrastructure or code due to similarities in methods and co-infection observed on the same devices. Its main purpose is to launch massive DDoS attacks.
## Technical Details
- Type: Malware family (Botnet)
- Platform: Android IoT devices (TVs, set-top boxes, tablets). Specific affected models mentioned include TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV, and MX10.
- Capabilities: DDoS attacks, proxy forwarding, reverse shell, and file management functions.
- First Seen: Investigation commenced upon receiving a "version 4" artifact on October 24, 2025.
## MITRE ATT&CK Mapping
*Note: Mappings are derived from the observed capabilities (DDoS, C2 communication, file management).*
- **TA0011 - Command and Control**
- **T1071 - Application Layer Protocol**
- T1071.001 - Web Protocols (inferred for C2 communication over common ports/protocols; the report does not name the application-layer protocol)
- **TA0002 - Execution**
- **T1204 - User Execution** (Implied initialization mechanism/infection vector)
- **TA0008 - Lateral Movement**
- **T1090 - Proxy**
- T1090.002 - External Proxy (Explicitly listed capability: proxy forwarding)
- **TA0003 - Persistence**
- (No specific technique identified; inferred from the bot ensuring only one instance of itself runs)
## Functionality
### Core Capabilities
- **DDoS Attacks:** Primary function, capable of issuing a high volume of attack commands (estimated 1.7 billion commands over three days in November 2025).
- **Single Instance Enforcement:** Ensures only one instance of the bot process runs on the infected device.
- **C2 Communication:** Decrypts the embedded C2 domain, uses DNS-over-TLS to resolve the IP address, and connects to receive commands.
### Advanced Features
- **Evolutionary Capability:** Forced to upgrade tactics multiple times due to C2 domain takedowns by unknown parties in December 2025.
- **ENS Integration (EtherHiding):** Recent versions use Ethereum Name Service (ENS) domains (e.g., `pawsatyou[.]eth`) to fetch the actual C2 IP via associated smart contracts, hardening infrastructure against domain blacklisting.
- **Resource Management:** Includes file management functions.
- **Remote Access:** Includes a reverse shell capability.
- **Network Pivoting:** Includes proxy forwarding capabilities.
## Indicators of Compromise
- File Hashes: (Not provided in the text)
- File Names: (Not provided in the text)
- Registry Keys: (Not provided in the text)
- Network Indicators:
- C2 Domain (Observed): `14emeliaterracewestroxburyma02132[.]su`
- Downloader Server IP (Observed): `93.95.112[.]59`
- ENS Domain (Observed): `pawsatyou[.]eth`
- Behavioral Indicators:
- Use of DNS-over-TLS for C2 resolution.
- Co-infection of the same devices with AISURU (the two botnets shared infection scripts between September and November).
- Use of code signing certificate: "John Dinglebert Dinglenut VIII VanSack Smith".
## Associated Threat Actors
- The hacker group responsible for the AISURU botnet is suspected to be the same group operating Kimwolf.
## Detection Methods
- Signature-based detection: Based on APK packages uploaded to VirusTotal sharing attributes or code structure with AISURU.
- Behavioral detection: Monitoring for the specific C2 communication sequence (decrypt C2 domain -> DNS-over-TLS -> connect).
- YARA rules (Not provided in the text, but applicable for detecting compilation via NDK or specific code segments).
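The behavioral detection above, worked through as an added example that is not part of the original report: it flags an IoT device that makes a DNS-over-TLS connection to a resolver outside the approved set and then opens a new outbound connection shortly afterwards, and also matches the downloader IP listed in the indicators. The flow-log format, the IoT address prefix, the approved resolvers and the 60-second window are assumptions.

```python
"""Added example (not from the QiAnXin XLab report): flag the Kimwolf-style
C2 resolution sequence (DNS-over-TLS, then a fresh outbound connection) in
constructed flow logs, plus matches on the indicator listed in the summary."""
from collections import defaultdict

KNOWN_C2_IPS = {"93.95.112.59"}   # downloader server IP from the summary
DOT_PORT = 853                    # DNS-over-TLS
WINDOW_SECONDS = 60               # assumption: DoT-to-connect gap to correlate
APPROVED_DOT_RESOLVERS = {"1.1.1.1", "9.9.9.9"}  # assumption: allowed resolvers

def parse_flow(line):
    # Constructed format: "<epoch> <src_ip> <dst_ip> <dst_port>"
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)

def detect(lines, iot_prefix="10.20."):
    """Return {src_ip: [reasons]} for IoT devices showing suspicious behaviour."""
    findings = defaultdict(list)
    last_dot = {}  # src -> (ts, resolver) of the most recent unapproved DoT
    for ts, src, dst, port in sorted(map(parse_flow, lines)):
        if not src.startswith(iot_prefix):
            continue  # assumption: only the IoT segment is in scope
        if dst in KNOWN_C2_IPS:
            findings[src].append(f"contacted known downloader IP {dst}")
        if port == DOT_PORT and dst not in APPROVED_DOT_RESOLVERS:
            last_dot[src] = (ts, dst)  # remember the suspicious resolution
            continue
        if src in last_dot and 0 <= ts - last_dot[src][0] <= WINDOW_SECONDS:
            gap = ts - last_dot[src][0]
            findings[src].append(
                f"DoT to {last_dot[src][1]} then connect to {dst}:{port} after {gap}s")
            del last_dot[src]  # report the sequence once
    return dict(findings)

SAMPLE_FLOWS = [  # constructed flow records, not captured traffic
    "1700000000 10.20.0.7 203.0.113.5 853",     # DoT to unapproved resolver
    "1700000012 10.20.0.7 198.51.100.20 443",   # connect 12s later -> sequence
    "1700000100 10.20.0.9 1.1.1.1 853",         # approved resolver
    "1700000105 10.20.0.9 93.95.112.59 80",     # known downloader IP -> IoC hit
    "1700000200 10.20.0.11 1.1.1.1 853",        # benign: approved DoT ...
    "1700000210 10.20.0.11 198.51.100.30 443",  # ... then ordinary HTTPS
    "1700000300 192.168.1.50 203.0.113.5 853",  # outside the IoT segment
]

if __name__ == "__main__":
    for host, reasons in detect(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(reasons))
```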
## Mitigation Strategies
- **Patching/Segmentation:** The propagation method is unclear, but targeting Android IoT devices suggests vulnerability exploitation or weak credential usage on network-facing devices. Network segmentation of IoT devices is recommended.
- **C2 Resolution Monitoring:** Monitoring for devices that perform ENS lookups to fetch external IP addresses.
- **C2 Takedown:** Enforcement of takedown procedures against C2 infrastructure (implied by the observed C2 domain takedowns).
## Related Tools/Techniques
- **AISURU:** Directly associated botnet; suspected to share origins, code, and potentially infrastructure or operator group.
- **Android NDK:** Compilation method used for the botnet binary.