Chinese cybersecurity firm QiAnXin has released a report detailing a newly identified distributed denial-of-service botnet dubbed Kimwolf, which has already compromised at least 1.8 million devices worldwide. The infections primarily affect Android-based smart TVs, set-top boxes, and tablets.
Kimwolf is compiled with the Android Native Development Kit (NDK) and goes beyond conventional DDoS capabilities. In addition to launching large-scale denial-of-service attacks, it incorporates proxy forwarding, reverse shell access, and file management features. As a result, attackers can not only conscript devices as bots but also leverage them for broader offensive operations.
QiAnXin estimates that between November 19 and 22, 2025, this massive botnet issued as many as 1.7 billion DDoS commands. The sheer volume of activity propelled its command-and-control domain—14emeliaterracewestroxburyma02132[.]su—to the top of Cloudflare’s DNS rankings, surpassing even Google Search during that period. The botnet primarily targets Android TVs and set-top boxes in home environments, with affected models including TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTB, MX10, and others.
Infections have been observed across the globe, with particularly high concentrations in Brazil, India, the United States, Argentina, South Africa, and the Philippines. QiAnXin has not yet determined how the initial malware was distributed to these devices.
Notably, Kimwolf’s command-and-control domains were successfully taken offline at least three times in December by unidentified parties—possibly rival actors or independent security researchers. This disruption forced the botnet’s operators to shift tactics and adopt the Ethereum Name Service (ENS) to harden their infrastructure against further takedowns.
The Kimwolf botnet is also linked to the notorious AISURU botnet. Investigators found that attackers reused AISURU code during the early stages of development before creating Kimwolf as a more evasive successor. QiAnXin suspects that some DDoS campaigns previously attributed to AISURU may have involved Kimwolf, or were even orchestrated primarily by it.
Users of Android smart TVs and set-top boxes are advised to check whether their devices still use default passwords and to change them immediately if so. If unusual behavior is detected, a full device reset may be warranted.
Firmware or system updates should be applied promptly whenever available. However, many such devices receive little to no update support after release, making long-term remediation difficult even when vulnerabilities are identified.
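An added example, not taken from QiAnXin's report or the original article: a check of a home router's DNS query log for the one command-and-control domain named above, to find which LAN clients looked it up. It assumes dnsmasq-style log-queries lines; the sample log, client addresses and the "api." subdomain are constructed.

```python
import re
from collections import Counter

# C2 domain as printed in the article (defanged); refanged only in memory.
DEFANGED_IOCS = ["14emeliaterracewestroxburyma02132[.]su"]

# Assumption: dnsmasq "log-queries" lines: "... query[A] <name> from <client>"
QUERY_RE = re.compile(r"query\[[A-Za-z0-9]+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def refang(ioc):
    """Turn 'example[.]su' into a comparable lower-case FQDN without trailing dot."""
    return ioc.replace("[.]", ".").strip().rstrip(".").lower()


def is_c2_name(name, iocs):
    """Match the IoC itself or any subdomain, on label boundaries only."""
    n = name.strip().rstrip(".").lower()
    return any(n == d or n.endswith("." + d) for d in iocs)


def scan(log_text, defanged_iocs=DEFANGED_IOCS):
    """Return {client_ip: number of lookups of a listed C2 name}."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_c2_name(m.group("name"), iocs):
            hits[m.group("client")] += 1
    return dict(hits)


# Constructed sample log: clients, timestamps and the "api." label are made up.
_C2 = refang(DEFANGED_IOCS[0])
SAMPLE_LOG = "\n".join([
    "Dec 20 10:15:01 dnsmasq[812]: query[A] www.example.com from 192.168.1.20",
    f"Dec 20 10:15:02 dnsmasq[812]: query[A] {_C2} from 192.168.1.57",
    f"Dec 20 10:15:04 dnsmasq[812]: query[AAAA] API.{_C2.upper()}. from 192.168.1.57",
    f"Dec 20 10:15:05 dnsmasq[812]: query[A] x{_C2} from 192.168.1.33",  # lookalike
    f"Dec 20 10:15:06 dnsmasq[812]: query[A] {_C2}.example.net from 192.168.1.33",  # suffix trick
    f"Dec 20 10:15:07 dnsmasq[812]: forwarded {_C2} to 1.1.1.1",  # not a query line
])

if __name__ == "__main__":
    for client, count in scan(SAMPLE_LOG).items():
        print(f"{client}: {count} lookup(s) of a reported Kimwolf C2 name")
```

Because the operators later moved to ENS, as described above, an empty result for this one name does not clear a device.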