Kimwolf Android Botnet Infects Over 1.8 Million Devices, Powering Near Record DDoS Activity
A newly identified Android botnet known as Kimwolf has compromised more than 1.8 million devices worldwide, according to research published by Chinese cybersecurity firm XLab. The botnet has been linked to some of the largest distributed denial of service attacks observed in recent months, underscoring the growing role of consumer Android devices in large scale internet disruptions.
Botnet Identified at Unusual Scale
XLab researchers estimate that Kimwolf has infected over 1.8 million Android devices, making it one of the largest mobile botnets documented to date. The malware has been observed issuing more than 1.7 billion DDoS attack commands in a short window between November 19 and November 22, pointing to sustained and highly automated attack operations.
The scale of activity briefly pushed one of Kimwolf’s command and control domains to the top of Cloudflare’s global domain popularity rankings, surpassing even widely used platforms such as Google during peak attack periods.
Primary Focus on Traffic Proxying
Unlike many Android malware families that prioritize data theft or ad fraud, Kimwolf is primarily designed for traffic proxying. Infected devices are used as forwarding nodes, allowing operators to route large volumes of malicious or anonymized traffic through residential networks.
In addition to proxy functionality, the malware supports reverse shell access and file management capabilities, giving operators broad control over compromised devices.
Connection to Aisuru and Recent Mega DDoS Attacks
XLab researchers believe Kimwolf is closely linked to Aisuru, a TurboMirai-class IoT botnet recently associated with a record-breaking 29.7 terabits per second DDoS attack. While multiple recent attacks were initially attributed to Aisuru, XLab assesses that Kimwolf may have played a leading role in at least two of these large-scale incidents.
Based on observed attack behavior and comparisons with Aisuru, XLab estimates Kimwolf’s attack capacity to be close to 30 Tbps, although the exact bandwidth cannot be directly measured.
Targets and Global Distribution
Kimwolf predominantly infects Android TV set-top boxes deployed on residential networks. These devices are often continuously online and lightly monitored, making them well suited for sustained botnet operations.
The infected devices are distributed across more than 220 countries and regions. Due to dynamic IP address allocation and frequent device churn, researchers caution that the true size of the botnet may fluctuate and is difficult to determine precisely.
Stealth and Evasion Techniques
The malware sends its DNS requests over DNS over TLS, so monitoring tools that inspect plaintext DNS traffic do not see the domains it resolves. Kimwolf also verifies a signature on each command received from its control infrastructure, so that commands not signed by the operators are rejected, reducing the risk of interference or hijacking by third parties.
These techniques allow the botnet to operate with a relatively low profile on individual devices while remaining highly effective at scale.
Resilient Command Infrastructure
XLab reports that Kimwolf’s command and control domains have been taken down by third parties on at least three occasions. In response, the botnet’s operators hardened their infrastructure by adopting domains registered through the Ethereum Name Service, increasing resilience against traditional takedown efforts.
This evolution reflects a broader trend among botnet operators toward more decentralized and censorship-resistant infrastructure.
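The two infrastructure traits described above, encrypted DNS resolution and ENS-registered command domains, both leave traces that a network defender can look for even when the domains themselves are hidden. The following Python script is an added example and is not code from XLab or from the article: it runs two simple heuristics over constructed flow and DNS log lines (the log format, the 192.168.50.0/24 "set-top box" segment, the assumption that nothing on that segment is sanctioned to use DNS over TLS, and the recognition of ENS names purely by their ".eth" suffix are all assumptions). It flags hosts on that segment that repeatedly open DNS-over-TLS sessions (TCP/853), which the flow layer still reveals even though the queried names are encrypted, and DNS queries for ".eth" names, which ordinary consumer devices have no reason to issue.

```python
"""Detection heuristics for Kimwolf-style DNS-over-TLS use and ENS lookups.

Added example, not code from XLab or the article. Runs offline over
constructed log lines; the log format, subnet and ENS heuristic are assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample telemetry (not real captures). Flow lines are
# "timestamp src_ip dst_ip proto dst_port"; DNS lines are "timestamp src_ip qname".
FLOW_LOG = """\
2025-11-20T10:00:01Z 192.168.50.14 203.0.113.7 tcp 443
2025-11-20T10:00:02Z 192.168.50.14 198.51.100.9 tcp 853
2025-11-20T10:00:03Z 192.168.10.5 198.51.100.9 tcp 853
2025-11-20T10:00:04Z 192.168.50.22 203.0.113.8 udp 53
2025-11-20T10:00:05Z 192.168.50.14 198.51.100.9 tcp 853
"""

DNS_LOG = """\
2025-11-20T10:00:06Z 192.168.50.22 updates.example.com
2025-11-20T10:00:07Z 192.168.50.31 c2-placeholder.eth
2025-11-20T10:00:08Z 192.168.10.5 mail.example.org
"""

# Assumptions: the set-top boxes live on this VLAN, nothing there is expected to
# use DNS over TLS, and ENS names are recognised purely by the ".eth" suffix.
IOT_SEGMENT = ipaddress.ip_network("192.168.50.0/24")
DOT_PORT = 853
ENS_SUFFIX = re.compile(r"\.eth\.?$", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    src_ip: str
    kind: str
    detail: str


def _in_segment(ip: str, segment: ipaddress.IPv4Network) -> bool:
    try:
        return ipaddress.ip_address(ip) in segment
    except ValueError:
        return False  # malformed address: skip rather than crash the pipeline


def detect_dot(flow_log: str, segment=IOT_SEGMENT, min_sessions: int = 2) -> list[Alert]:
    """Flag hosts on the IoT segment that open TCP/853 sessions repeatedly.

    DNS over TLS hides the queried names from plaintext DNS logs, but the
    flow layer still shows the encrypted resolver connections themselves.
    """
    sessions: Counter[str] = Counter()
    for line in flow_log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # tolerate blank or truncated lines
        _ts, src, _dst, proto, port = parts
        if proto == "tcp" and port == str(DOT_PORT) and _in_segment(src, segment):
            sessions[src] += 1
    return [
        Alert(src, "dot-from-iot", f"{n} DNS-over-TLS sessions to port {DOT_PORT}")
        for src, n in sorted(sessions.items())
        if n >= min_sessions
    ]


def detect_ens(dns_log: str) -> list[Alert]:
    """Flag DNS queries for Ethereum Name Service names (".eth" suffix)."""
    alerts: list[Alert] = []
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, src, qname = parts
        if ENS_SUFFIX.search(qname):
            alerts.append(Alert(src, "ens-lookup", f"query for {qname}"))
    return alerts


def run_detections(flow_log: str = FLOW_LOG, dns_log: str = DNS_LOG) -> list[Alert]:
    """Run both heuristics and return the combined alert list."""
    return detect_dot(flow_log) + detect_ens(dns_log)


if __name__ == "__main__":
    for alert in run_detections():
        print(f"{alert.src_ip:15} {alert.kind:12} {alert.detail}")
```

On the constructed input the script raises two alerts: 192.168.50.14 for repeated DNS-over-TLS sessions and 192.168.50.31 for the ".eth" query, while the host on 192.168.10.0/24 is ignored because it sits outside the monitored segment. The session threshold is deliberately above one so that a single legitimate DoT probe from a device does not page anyone; in a real deployment the segment, threshold and sanctioned resolver list would come from the network inventory rather than constants.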
Code Clues and Monetization Links
Analysis of Kimwolf samples collected since October revealed links to the ByteConnect SDK, a monetization solution commonly used in proxy and traffic resale schemes. Researchers also discovered multiple references in the malware code to cybersecurity journalist Brian Krebs, left behind by the developer.
These artefacts provide rare insight into the botnet’s development lineage and its overlap with other large scale malicious ecosystems.
Implications for Internet Security
The emergence of Kimwolf highlights the increasing use of consumer Android devices as core components of high impact cyber attacks. As botnets shift toward mobile and embedded platforms, traditional assumptions about attack sources and mitigation strategies are being challenged.
Security researchers warn that defending against attacks of this nature will require closer coordination between device manufacturers, network operators, and infrastructure providers, alongside greater scrutiny of the rapidly expanding Android TV and IoT ecosystem.