Mallory

Kimwolf

Malware · Used by 3 actors

KimWolf is a large Android- and IoT-focused DDoS botnet and DDoS-for-hire platform, widely described as a variant (specifically an Android variant) of Aisuru/AISURU and in some reporting as Mirai-derived. It emerged in late 2025 and primarily targets Android TV boxes, streaming devices, set-top boxes, webcams, digital photo frames, and other internet-connected devices, especially systems with an exposed Android Debug Bridge (ADB) service and devices reachable through abused residential proxy networks. Multiple sources state that KimWolf infected more than 1 million devices worldwide; several researchers estimate roughly 1.8 million to over 2 million compromised Android devices and about 12 million unique IP addresses observed weekly.

Its documented capabilities include volumetric DDoS attack execution, proxy forwarding/SOCKS proxy functionality, reverse shell access, and file management. Reporting also states that samples were compiled with the Android NDK, used DNS over TLS to conceal communications, authenticated C2 instructions with elliptic-curve digital signatures, encrypted sensitive data with a simple stack XOR method, and in newer versions incorporated EtherHiding via blockchain domains for resilience. KimWolf has been linked to residential proxy abuse and internal-network probing; Infoblox specifically cited it as an example of poorly designed proxy-enabled malware that could probe internal networks. Synthient linked the botnet to the IPIDEA proxy network, and other reporting tied its monetization or infrastructure to residential proxy ecosystems.

Operationally, KimWolf was run as a cybercrime-as-a-service or subscription DDoS-for-hire platform that rented access to compromised devices to other criminals. Authorities stated it was used in more than 25,000 attacks worldwide, including attacks against Department of Defense Information Network (DoDIN) IP space, with some attacks reported at nearly 30 Tbps and up to 31.4 Tbps. Some victim organizations reportedly suffered losses exceeding $1 million. The botnet has been noted for rapidly rebuilding its control plane under disruption pressure and, in some reporting, for broad global spread across 200+ countries.

The malware has been associated with Jacob Butler, aka "Dort," who was arrested by Canadian authorities at the request of the United States in 2026 for allegedly developing or operating KimWolf. Law-enforcement actions in March 2026 disrupted infrastructure associated with KimWolf alongside Aisuru, JackSkid, and Mossad, and additional seizures targeted DDoS-for-hire services linked to the broader ecosystem.

High-confidence infrastructure and indicators mentioned in the content include the ENS domain pawsatyou[.]eth, the previously used domain 14emeliaterracewestroxburyma02132[.]su, downloader IPs 93[.]95[.]112[.]50-59 associated with Resi Rack LLC, and references to the account resi[.]to. The malware has also been observed on off-brand Android TV hardware marketed under names such as TV BOX, SuperBox, XBOX, and SmartTV.


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers.
Aisuru-Kimwolf

Another variant, KimWolf, targets Android systems, including mobile phones and Smart TVs.

via Hackread (hackread.com)

Snow

"The cybercriminals in control of Kimwolf — a disruptive botnet that has infected more than 2 million devices — recently shared a screenshot indicating they’d compromised the control panel for Badbox 2.0"

via Krebs on Security (krebsonsecurity.com)

Dort

"The cybercriminals in control of Kimwolf — a disruptive botnet that has infected more than 2 million devices — recently shared a screenshot indicating they’d compromised the control panel for Badbox 2.0"

via Krebs on Security (krebsonsecurity.com)
MITRE ATT&CK

Techniques & procedures

22 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

2 techniques
T1584.005 Botnet (evidence: 9)

Android set-top boxes, streaming devices, webcams, digital photo frames and other IoT equipment fell under the operators' control... The botnet's owners sold access to the infected devices to other criminals under a cybercrime-as-a-service model.

T1584.008 Network Devices (evidence: 1)

The KimWolf botnet was made up of devices that were typically behind firewalls, including digital photo frames and web cameras... infiltrating home networks through compromised devices — including streaming TV boxes and other IoT devices.

Initial Access

3 techniques
T1133 External Remote Services (evidence: 2)

Prime targets included Android TVs and streaming devices with exposed Android Debug Bridge (ADB) services.

T1190 Exploit Public-Facing Application (evidence: 2)

Synthient, a cybersecurity firm that tracked the malware network, identified rapid growth in KimWolf’s operations earlier this year after attackers exploited vulnerabilities in residential proxy networks to compromise Android devices.

T1195 Supply Chain Compromise (evidence: 2)

Bigpanzi (est. 2015, Chinese origin) deploys Pandoraspear backdoor + Pcdn P2P CDN via backdoored firmware and pirated media APKs.

Execution

1 technique
T1059 Command and Scripting Interpreter (evidence: 1)

Kimwolf/Aisuru. Tactic: Execution. Technique: Command-Line Interface. ID: T1059. Application: ADB shell commands.

Persistence

1 technique
T1133 External Remote Services (evidence: 2)

Prime targets included Android TVs and streaming devices with exposed Android Debug Bridge (ADB) services.

Discovery

2 techniques
T1046 Network Service Discovery (evidence: 1)

If this is misused, it could enable scanning, lateral movement, and other malicious activity.

T1083 File and Directory Discovery (evidence: 1)

The Kimwolf Android botnet primarily targets TV boxes, compiled using the NDK and equipped with DDoS, proxy forwarding, reverse shell, and file management functions.

Lateral Movement

2 techniques
T1021 Remote Services (evidence: 1)

Kimwolf spreads mainly to devices that have inadequate security settings or open remote-management functions.

T1210 Exploitation of Remote Services (evidence: 1)

Kimwolf was a variant of the Aisuru botnet and mainly infected Android devices with an exposed Android Debug Bridge (ADB).

Command and Control

9 techniques
T1001 Data Obfuscation (evidence: 1)

It encrypts sensitive data with a simple Stack XOR... Recent versions even incorporate EtherHiding to resist takedowns via blockchain domains.

T1071 Application Layer Protocol (evidence: 7)

In March 2026, authorities in the United States, Germany, and Canada seized command-and-control systems linked to KimWolf and three related botnets identified as Aisuru, JackSkid, and Mossad.

T1071.004 DNS (evidence: 1)

It encrypts sensitive data with a simple Stack XOR, uses DNS over TLS to hide communication, and authenticates C2 commands with elliptic curve digital signatures.

T1090 Proxy (evidence: 2)

In the first quarter, Synthient analysts found a link between the much-discussed Kimwolf botnet and the IPIDEA proxy network. That network was subsequently taken down with the involvement of GTIG.

T1090.001 Internal Proxy (evidence: 1)

A proxy inside a private network allows both inbound internet traffic and access to internal systems.

T1090.003 Multi-hop Proxy (evidence: 1)

Kimwolf botnet has compromised more than 2 million Android devices, spreading primarily via residential proxy networks... Its primary function is traffic proxying, though it can execute massive DDoS attacks.

T1102.002 Bidirectional Communication (evidence: 1)

Kimwolf/Aisuru. Tactic: C2. Technique: Web Service. ID: T1102.002. Application: Ethereum ENS (pawsatyou[.]eth).

T1219 Remote Access Tools (evidence: 1)

The Kimwolf Android botnet primarily targets TV boxes, compiled using the NDK and equipped with DDoS, proxy forwarding, reverse shell, and file management functions.

T1573 Encrypted Channel (evidence: 1)

Kimwolf/Aisuru. Tactic: Defense Evasion. Technique: Encrypted Channel. ID: T1573. Application: DNS-over-TLS, ECDSA auth.

Impact

2 techniques
T1498 Network Denial of Service (evidence: 11)

Kimwolf, a DDoS platform rented out "by subscription" to other hackers... the botnet was used to carry out more than 25,000 attacks worldwide... the peak power of individual attacks reached 31.4 Tbit/s.

T1499 Endpoint Denial of Service (evidence: 1)

The infected systems were then rented to other cybercriminals, or forced to participate in record-smashing DDoS attacks, as well as assaults that affected Internet address ranges for the Department of Defense.

Other

1 technique
T1562 Impair Defenses (evidence: 1)

Within weeks, the botnet scaled to hundreds of thousands of bots, sustaining massive DDoS capacity while actively evading suppression.

INDICATORS OF COMPROMISE

IOCs tracked for this family

25 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
6 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
19 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type        Value              Latest sighting
domain      (value not shown)  14 days ago
domain      (value not shown)  2 months ago
domain      (value not shown)  2 months ago
ip.v4       (value not shown)  2 months ago
hash.sha1   (value not shown)  2 months ago
domain      (value not shown)  2 months ago
ACTIVITY FEED

Recent activity

133 sources tracked across advisories, community write-ups, and news.

Infoblox Threat Intel Blog (News)
Jun 9, 2026
Examining residential proxies in Infoblox customer networks

Kimwolf is described as a botnet tied to residential proxy activity and internal network probing. The report highlights its presence in enterprise environments and notes that it could route or facilitate attacks against internal IP space through compromised or enrolled devices.
Xakep (News)
May 27, 2026
Kimwolf botnet operator arrested in Canada - Хакер

A DDoS botnet and cybercrime-as-a-service platform that infected almost 2 million Android and IoT devices. It was used to carry out more than 25,000 DDoS attacks worldwide, with the peak power of individual attacks reaching 31.4 Tbit/s.
Cyber Security News (News)
May 22, 2026
Canadian Man Arrested for Running KimWolf DDoS Botnet Service that Hacked 2 Million Devices

An IoT DDoS-for-hire botnet allegedly used to compromise consumer and small-office devices such as digital photo frames and webcams, enroll them into a distributed attack infrastructure, and launch high-volume distributed denial-of-service attacks worldwide.
Security Affairs (News)
May 22, 2026
Authorities arrest 23-year-old accused of running the Kimwolf botnet

A newly discovered Android/IoT botnet used as a DDoS-for-hire service. It primarily targets Android TV boxes and supports DDoS attacks, traffic proxying, reverse shell access, and file management. The malware uses Stack XOR to encrypt sensitive data, DNS over TLS to conceal communications, elliptic curve digital signatures to authenticate C2 commands, and newer versions incorporate EtherHiding via blockchain domains to resist takedowns.