A massive new DDoS botnet has already snared 1.8 million devices - here's what we know about Kimwolf

2025-12-18 18:35

Researchers discovered a new botnet called Kimwolf, allegedly built by the same brain behind AISURU.

By Sead Fadilpašić, published 18 December 2025

  • Kimwolf, an Android botnet with 1.8 million infected devices, is rapidly evolving using ENS for resilience
  • Its code and infrastructure overlap with AISURU, indicating both belong to the same threat group
  • AISURU remains one of the most destructive botnets, recently peaking at 29.7 Tbps in DDoS attacks

Cybersecurity researchers have spotted a major malicious botnet comprising almost two million devices which is reportedly capable of more than “just” Distributed Denial of Service (DDoS) attacks.

QiAnXin XLab published a new report on Kimwolf, an Android-based botnet that primarily targets TVs, set-top boxes, and tablets. At the moment, it has infected roughly 1.8 million devices, mostly in Brazil, India, the U.S., Argentina, South Africa, and the Philippines.

How the devices get infected is still unknown, but XLab found the majority of the victims are in residential network environments, and belong to these brands: TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV, and MX10.

Owned by AISURU?

The researchers have been tracking Kimwolf for a little while now and found that the botnet was taken down multiple times already but has always returned stronger.

"We observed that Kimwolf's C2 domains have been successfully taken down by unknown parties at least three times [in December], forcing it to upgrade its tactics and turn to using ENS (Ethereum Name Service) to harden its infrastructure, demonstrating its powerful evolutionary capability," XLab researchers said.

They also said that the botnet’s source code and C2 infrastructure overlap significantly with those of AISURU, currently one of the most destructive botnets in existence.

"These two major botnets propagated through the same infection scripts between September and November, coexisting in the same batch of devices," the researchers explained. "They actually belong to the same hacker group."

AISURU is a botnet that’s made multiple headlines recently for breaking all sorts of DDoS records.

Earlier this month, Cloudflare released its 2025 Q3 DDoS threat report, detailing an attack by “the apex of botnets”. In the report, the CDN giant said AISURU counts anywhere between one and four million infected devices, and that it mounted a DDoS attack that peaked at 29.7 terabits per second (Tbps) and 14.1 billion packets per second (Bpps).

Cloudflare described it as a “UDP carpet-bombing attack bombarding an average of 15K destination ports per second”.
