Alex Turing

Alex Turing is a senior researcher at QI-ANXIN XLab, with deep expertise in kernel security and threat intelligence. He specializes in Linux platform threats, particularly the tracking of large-scale DDoS botnets. Over the years, he has led or contributed significantly to the discovery and in-depth analysis of several million-node botnets, including Mozi, Bigpanzi, Vo1d, and Kimwolf. His current research focuses on APTs, with a strong emphasis on uncovering campaigns and attack chains targeting Asia—especially China.


Session

04-17
10:30
30min
The Howl of Kimwolf Resonates Across 1.8 Million Android Devices Worldwide
Alex Turing, Acey9, Wang Hao

Kimwolf is a massive botnet first disclosed by QI-ANXIN XLab in December 2025, primarily targeting Android devices—especially TV boxes—with an estimated 1.8+ million active infected devices across 222 countries and regions worldwide. The botnet is highly versatile, featuring DDoS attacks, traffic proxying, reverse shells, and file management capabilities. In one recorded instance, it issued a staggering 1.7 billion DDoS commands over just a few days, with a potential peak attack capacity approaching 30 Tbps. The moment Kimwolf shot to fame came in October 2025, when one of its C2 domains briefly outranked tech behemoths like Google and Apple, claiming the number one spot on Cloudflare's global popularity chart.

Kimwolf conceals its C2 domain resolution using DNS over TLS (DoT) and employs elliptic curve digital signatures (ECDSA) for robust C2 server authentication, ensuring bots only accept commands from legitimate sources. After repeated infrastructure takedowns by security researchers and third parties, its operators adopted the EtherHiding technique, leveraging blockchain-based domains such as Ethereum Name Service (ENS) to significantly boost C2 resilience against disruption. Additionally, technical analysis reveals extensive code and infrastructure overlap between Kimwolf and the notorious Aisuru botnet — holder of the world record for largest DDoS attack — strongly indicating that both are controlled by the same threat actor group.

This presentation details the full story of the analysis and ongoing battle against the Kimwolf botnet. We will dive into the technical specifics, share behind-the-scenes insights and provide the first detailed public breakdown of its infection and propagation chain.

Main conference
Amphitheater