
"The hyper-scale botnet is estimated to have issued 1.7 billion DDoS attack commands within a three-day period between November 19 and 22, 2025, around the same time one of its command-and-control (C2) domains - 14emeliaterracewestroxburyma02132[.]su - came first in Cloudflare's list of top 100 domains, briefly even surpassing Google."
"Kimwolf is a botnet compiled using the NDK [Native Development Kit],"
"In addition to typical DDoS attack capabilities, it integrates proxy forwarding, reverse shell, and file management functions."
"We observed that Kimwolf's C2 domains have been successfully taken down by unknown parties at least three times [in December], forcing it to upgrade its tactics and turn to using ENS (Ethereum Name Service) to harden its infrastructure, demonstrating its powerful evolutionary capability,"
Kimwolf has enlisted at least 1.8 million infected Android-based TVs, set-top boxes, and tablets across multiple countries, including Brazil, India, the U.S., Argentina, South Africa, and the Philippines. The botnet is compiled with the NDK and combines DDoS capabilities with proxy forwarding, reverse shell, and file management functions. It issued an estimated 1.7 billion DDoS attack commands over a three-day span between November 19 and 22, 2025. Around the same time, one of its C2 domains briefly ranked first in Cloudflare's list of top 100 domains. Its C2 domains were taken down at least three times in December by unknown parties, prompting a migration to ENS (Ethereum Name Service) to harden its infrastructure. How the malware propagates to devices remains unclear.
Read at The Hacker News