Massive new botnet hijacks almost 2 million Android devices and briefly surpasses Google


A massive new botnet, Kimwolf, briefly outranked Google in Cloudflare's list of the most popular domains. With 1.8 million Android devices and counting, researchers warn that a botnet of this size can launch attacks on a scale not seen before.

On October 30th, an oddly named domain, 14emeliaterracewestroxburyma02132[.]su, overtook google.com as the most popular domain in Cloudflare's ranking. Cloudflare Radar ranks domains by the query volume its DNS resolver sees, so millions of bots repeatedly resolving a single name are enough to push it to the top.

It turned out to be a command-and-control (C2) domain: the bots of a botnet spanning millions of IP addresses were resolving it to find their controller.

[Image: Cloudflare top-websites ranking chart]

Subsequent investigation by Xlab has unveiled “the most insane in history” botnet. Researchers dubbed it Kimwolf.

The botnet already matches or even surpasses Aisuru, until now the largest known botnet, which had been breaking DDoS (distributed denial-of-service) records one after another, and the two share part of the same codebase.

The researchers pre-emptively registered one of the botnet's not-yet-registered C2 domains, turning it into a sinkhole that the bots checked in to, and used the resulting telemetry to study the botnet from the inside. Over a period of three days, Xlab observed 2.7 million distinct source IP addresses; on December 4th alone, 1.83 million IP addresses were active.

Xlab conservatively estimates the botnet at around 1.8 million Android devices, taking the single-day figure rather than the three-day total: residential IP addresses change over time, so one device can show up under several IPs across a window, and a count of distinct IPs cannot be mapped one-to-one onto devices.


“A botnet of such scale possesses the capability to launch massive cyberattacks, and its potential destructive power cannot be ignored,” the researchers warn.

What do we know about the new botnet?


The botnet consists mostly of infected TV boxes sitting in residential networks. It targets Android devices such as set-top boxes and tablets that are typically not Play Protect certified by Google and therefore run without Google Play Protect scanning. (On a device that ships with the Play Store, the certification status is shown in the Play Store settings, under About.)

A sample obtained by Xlab researchers showed that Kimwolf has several capabilities. Alongside the usual DDoS attack functions, it implements proxy forwarding: the attackers route their traffic through the infected device, so it exits from the victim's residential IP address. That hides the operator's real location and defeats IP-reputation blacklists and geo-restrictions that trust residential addresses.


The malware also includes a reverse shell, which gives the operators command-line access to infected devices and lets them run arbitrary commands or deploy additional malware on the compromised bots.

File management functions round this out, allowing the operators to upload, download and modify files on the device.


Spin-off of Aisuru?

“We surprisingly found that Kimwolf is actually associated with the Aisuru botnet. Kimwolf relies on an APK file to load and start it during runtime,” the report reads.

“We speculate that in the early stages of this campaign, the attackers directly reused Aisuru's code.”


However, Aisuru is widely detected by security products, which likely prompted the threat actor to redesign the stealth and evasion side. Kimwolf uses encryption and has recently adopted “EtherHiding,” a technique in which C2 or payload information is stored in a smart contract on a public blockchain and fetched by the bots with a read-only call to a public node. Such reads cost nothing and leave no on-chain record, the operator can update the stored address with a single transaction, and no registrar or hosting provider can take the contract down, so the usual domain and IP takedown levers do not apply.
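To make the EtherHiding mechanism concrete, the following is an added example, not Kimwolf's code and not Xlab's tooling. It shows the JSON-RPC `eth_call` a bot would send to a public node to run a contract's read-only getter, how the ABI-encoded `string` that comes back is decoded into a C2 address, and a small detection hook that flags `eth_call` traffic from a device that has no business talking to a blockchain node. The RPC endpoint, contract address and 4-byte function selector are hypothetical placeholders; in a real investigation the selector and contract come from the sample. The node's reply is constructed locally so the script runs offline.

```python
"""EtherHiding-style C2 lookup and decoding. Added example, not Kimwolf's or Xlab's code.
Endpoint, contract address and selector are hypothetical; the RPC reply is constructed."""
import json

RPC_ENDPOINT = "https://rpc.example.invalid/"   # hypothetical public JSON-RPC node
CONTRACT = "0x" + "d3ad" * 10                  # hypothetical 20-byte contract address
GET_C2_SELECTOR = "0x8bd5b1ea"                 # hypothetical keccak256("getC2()")[:4]


def build_eth_call(contract: str, selector: str, req_id: int = 1) -> str:
    """Serialise the JSON-RPC request a bot sends. eth_call runs a view function
    off-chain: no transaction, no gas, nothing written to the ledger."""
    return json.dumps({"jsonrpc": "2.0", "id": req_id, "method": "eth_call",
                       "params": [{"to": contract, "data": selector}, "latest"]})


def abi_encode_string(value: str) -> str:
    """Encode a single `string` return value the way a Solidity getter does:
    32-byte offset, 32-byte length, then the bytes right-padded to a 32-byte word."""
    raw = value.encode("utf-8")
    head = (32).to_bytes(32, "big")
    length = len(raw).to_bytes(32, "big")
    body = raw + b"\x00" * (-len(raw) % 32)
    return "0x" + (head + length + body).hex()


def abi_decode_string(result: str) -> str:
    """Decode a single `string` return value. Every field is bounds-checked so a
    truncated or hostile response cannot make the decoder read past the payload."""
    data = bytes.fromhex(result[2:] if result.startswith("0x") else result)
    if len(data) < 64:
        raise ValueError("ABI payload too short")
    offset = int.from_bytes(data[:32], "big")
    if offset + 32 > len(data):
        raise ValueError("dynamic offset outside payload")
    length = int.from_bytes(data[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(data):
        raise ValueError("string length exceeds payload")
    return data[start:start + length].decode("utf-8")


def extract_c2(response_json: str) -> str:
    """What the bot does with the node's answer, and what an analyst does with a captured one."""
    resp = json.loads(response_json)
    if "error" in resp:
        raise RuntimeError(f"node refused the call: {resp['error']}")
    return abi_decode_string(resp["result"])


def is_eth_call(request_json: str, watched_contract: str = "") -> bool:
    """Detection hook: flag JSON-RPC eth_call requests seen on the wire from a device
    that should never query a blockchain node; optionally narrow to one contract."""
    try:
        req = json.loads(request_json)
    except ValueError:
        return False
    if not isinstance(req, dict) or req.get("method") != "eth_call":
        return False
    params = req.get("params") or [{}]
    first = params[0] if isinstance(params[0], dict) else {}
    to = str(first.get("to", ""))
    return not watched_contract or to.lower() == watched_contract.lower()


# Constructed node reply: exactly what a contract whose getter returns this string sends back.
FAKE_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 1,
                            "result": abi_encode_string("c2.example.invalid:4433")})

if __name__ == "__main__":
    request = build_eth_call(CONTRACT, GET_C2_SELECTOR)
    print("bot sends to", RPC_ENDPOINT, "->", request)
    print("flagged by detector:", is_eth_call(request, CONTRACT))
    print("decoded C2:", extract_c2(FAKE_RESPONSE))
```

The takedown consequence follows directly from the code: nothing in the exchange is a domain the defender can sinkhole or an IP a provider can null-route. What can be done is to read the same contract with the same call and watch the returned string for changes, which yields the next C2 as soon as the operator publishes it, and to treat `eth_call` traffic from a TV box as a strong anomaly on the network.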

“Kimwolf uses multiple C2 infrastructures. We took over only a portion of the C2s, so we could only observe the activity of some bots, unable to cover the full picture of the botnet,” the researchers acknowledged.

This botnet never sleeps: infected devices are spread across multiple time zones in 222 countries and territories. Around 14% of IPs were in Brazil, while India contributed 12.71%, the US 9.58%, Argentina 7.19%, South Africa 3.85%, the Philippines 3.58%, Mexico 3.07%, and China 3.04%.

[Image: geographic distribution of Kimwolf bots. Image by Xlab (qianxin.com).]
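The two numbers behind the size estimate above (distinct IPs over three days versus active IPs on one day) and the per-country breakdown are both products of sinkhole telemetry. The following is an added example, not Xlab's tooling, of how that analysis is done over beacon logs: it counts unique source IPs per day and over the whole window, derives a churn ratio that explains why the window total overstates the device count, and attributes IPs to countries with a longest-prefix match. The log format, the log lines and the prefix-to-country table are constructed for the example; a real analysis would use the sinkhole's own log format and a GeoIP database.

```python
"""Sinkhole beacon telemetry: daily-active versus window-unique IP counts, plus geo share.
Added example, not Xlab's code. Log lines and the prefix table are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed beacon log, hypothetical format: "<UTC timestamp> <source ip> <event>".
# The same home IPs drift between days, which is the churn the estimate has to allow for.
SAMPLE_LOG = """\
2025-12-02T00:14:03Z 203.0.113.10 hello
2025-12-02T01:22:41Z 203.0.113.11 hello
2025-12-02T03:05:09Z 198.51.100.7 hello
2025-12-02T09:47:55Z 192.0.2.33 hello
2025-12-02T21:30:12Z 203.0.113.10 hello
2025-12-03T00:02:18Z 203.0.113.10 hello
2025-12-03T02:11:40Z 203.0.113.12 hello
2025-12-03T06:58:03Z 198.51.100.8 hello
2025-12-03T17:20:27Z 192.0.2.33 hello
2025-12-04T00:40:51Z 203.0.113.13 hello
2025-12-04T04:12:09Z 203.0.113.14 hello
2025-12-04T08:33:44Z 198.51.100.7 hello
2025-12-04T12:01:16Z 198.51.100.9 hello
2025-12-04T19:45:30Z 192.0.2.34 hello
garbage line that should be skipped
"""

# Constructed prefix -> country table (hypothetical). The /27 inside the /24 exercises
# longest-prefix matching, which is how real GeoIP data is organised.
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "BR"),
    (ip_network("198.51.100.0/24"), "IN"),
    (ip_network("192.0.2.0/24"), "US"),
    (ip_network("192.0.2.32/27"), "MX"),
]


def parse_beacons(text: str) -> list:
    """Return (day, ip) pairs; malformed lines are dropped rather than aborting the run."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ip_address(parts[1])
        except ValueError:
            continue
        out.append((parts[0][:10], ip))
    return out


def daily_active(beacons: list) -> dict:
    """Unique source IPs per calendar day: the 'active on a single day' figure."""
    days = defaultdict(set)
    for day, ip in beacons:
        days[day].add(ip)
    return {day: len(ips) for day, ips in sorted(days.items())}


def window_unique(beacons: list) -> int:
    """Unique source IPs over the whole window: the 'distinct IPs over three days' figure."""
    return len({ip for _, ip in beacons})


def churn_ratio(beacons: list) -> float:
    """window_unique / peak daily. Anything above 1.0 means IPs rotated during the window,
    so the window total counts some devices more than once; the peak single day is the
    conservative lower bound to report (the article's 2.7M vs 1.83M gives about 1.48)."""
    return window_unique(beacons) / max(daily_active(beacons).values())


def country_of(ip) -> str:
    """Longest-prefix match against the table; unknown prefixes are reported as '??'."""
    best = None
    for net, cc in GEO_TABLE:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else "??"


def country_share(beacons: list) -> dict:
    """Percentage of unique IPs per country, most common first, rounded to two decimals."""
    ips = {ip for _, ip in beacons}
    counts = defaultdict(int)
    for ip in ips:
        counts[country_of(ip)] += 1
    ordered = sorted(counts.items(), key=lambda kv: -kv[1])
    return {cc: round(100 * n / len(ips), 2) for cc, n in ordered}


if __name__ == "__main__":
    beacons = parse_beacons(SAMPLE_LOG)
    print("daily active:", daily_active(beacons))
    print("window unique:", window_unique(beacons))
    print("churn ratio:", churn_ratio(beacons))
    print("country share:", country_share(beacons))
```

Two caveats carry over from the report: only bots that happened to use the sinkholed domain are visible at all, so every figure is a lower bound on the botnet, and a window total should never be quoted as a device count without the churn ratio next to it.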

“Although we cannot directly measure it, through observations of two large-scale DDoS events and a horizontal comparison with Aisuru, we believe Kimwolf's attack capability is close to 30Tbps.”

The current DDoS record holder, Aisuru, is credited with the largest throughput to date, 29.7 Tbps in a single attack, according to Cloudflare. Xlab researchers, having reviewed the data, believe Kimwolf took part in it.

“We believe that behind many attacks observed by Cloudflare attributed to Aisuru, it may not just be the Aisuru botnet acting alone. Kimwolf may also be participating, or they may even be led by Kimwolf,” said Xlab researchers, who were investigating both botnets.

“These two major botnets propagated through the same infection scripts between September and November, coexisting in the same batch of devices. They actually belong to the same hacker group.”

Despite taking part in DDoS attacks, Kimwolf is run mainly as a residential proxy network: 96.5% of the commands issued to the botnet concerned proxy services.

[Image: breakdown of commands issued to the botnet. Image by Xlab (qianxin.com).]

Obsessive fixation on Brian Krebs

The Kimwolf operator appears vengeful. It retaliated against Xlab with a DDoS attack whose payloads carried offensive messages aimed at Chinese users and researchers, reflecting hostility and an intent to intimidate. Other samples contain hardcoded racial slurs, political statements calling Kim Jong-un the supreme leader, jokes, and mockery of security journalist Brian Krebs.

“Kimwolf often includes various ridicule, provocation, and even extortion information in DDoS payloads,” Xlab notes.

“Investigations found that the author of Kimwolf shows an almost ‘obsessive’ fixation on the well-known cybersecurity investigative journalist Brian Krebs, leaving easter eggs related to him in multiple samples.”

[Image by Xlab (qianxin.com).]

Even the domain the researchers took over included Krebs's name. The cybercriminals had previously attempted to hit the journalist's blog with a massive DDoS attack, without success.

Takedown action underway

Xlab's takeover of the C2 domain seemingly triggered “a chain reaction” of ISP-level interventions: other parties took down related infrastructure and stopped resolving the botnet's domains.

The operator was forced to upgrade the C2 infrastructure in a hurry, and the number of daily active bots dropped sharply to around 200,000.


However, on December 12th, Kimwolf upgraded the infrastructure again and arrogantly declared, “We have 100s of servers keep trying LOL!”

Xlab researchers urge manufacturers to improve the security of Android TV devices across the entire supply chain. Users should avoid uncertified, low-cost, off-brand Android devices, set strong passwords, apply firmware updates promptly, and refrain from installing applications from unknown sources.
