Confirmed Hyper-Scale Botnet
Intelligence confirms the existence of a massive Android-based botnet named Kimwolf, which has infected over 1.8 million devices, primarily residential Android TV boxes, globally. The botnet is notable for its high-volume DDoS capabilities, having issued approximately 1.7 billion attack commands over a single three-day period in November 2025. Its infrastructure is highly resilient, utilizing advanced evasion techniques such as DNS-over-TLS (DoT) and blockchain-based domains via the Ethereum Name Service.
Technical Analysis and Capabilities
Kimwolf is compiled using the Android NDK and integrates diverse malicious functions including DDoS, proxy forwarding, reverse shells, and file management.
Targeting and Scale
The botnet targets Android TV boxes, set-top boxes, and tablets (e.g., SuperBOX, X96Q, SmartTV, MX10). Activity peaks observed in early December 2025 showed over 1.83 million active bots in a single day.
Infrastructure Resilience
Evasion: DNS requests are encapsulated using the DoT protocol on port 853 of public DNS providers like 8.8.8.8 or 1.1.1.1.
Blockchain Integration
Following multiple C2 takedowns, operators implemented "EtherHiding" technology, utilizing ENS domains to ensure C2 persistence.
Authentication
C2 communication is protected by elliptic curve digital signatures: bots only accept commands that carry a valid signature from the operators' signing key, so a seized or spoofed C2 host cannot issue instructions to the botnet.
Attribution
High-confidence evidence links Kimwolf to the Aisuru botnet group. Both families have been observed propagating via identical infection scripts and using the same unique signing certificates (SHA1: 182256bca46a5c02def26550a154561ec5b2b983).
Impact
Estimates suggest the botnet’s aggregate attack capability could reach up to 30 Tbps, with observed participation in major DDoS events in late 2025.
Indicators of Compromise (IOCs)
The botnet utilizes a wide array of rotating C2 domains and unique fingerprints.
Primary C2 Domain
14emeliaterracewestroxburyma02132.su
(Ranked #1 in Cloudflare Domain Rankings during peak activity).
V5 C2 Infrastructure
rtrdedge1.samsungcdn.cloud.
Malicious APK Packages
com.n2.systemservice0644, com.n2.systemservice063, com.n2.systemservice062.
Unique Binary Names
ji.so, libniggakernel, niggabox_v4, niggabox_v5.
Guidance for Network Defenders
Monitor DNS over TLS (DoT)
Alert on anomalous traffic to port 853 originating from IoT and Android devices on the network.
Block High-Risk TLDs
Monitor and potentially block requests to the .su top-level domain and unusual CDN-mimicking domains like samsungcdn.cloud.
Audit Android TV Devices
Inspect devices for unauthorized APK installations, specifically those requesting root via su or establishing persistent file sockets for single-instance execution.
Credential Hygiene
Ensure all residential IoT devices have default credentials changed and are not exposed directly to the internet via Universal Plug and Play (UPnP).
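The three network-side checks above (DoT on port 853 from the IoT segment, .su lookups, and CDN-mimicking domains) as detection logic run over constructed log lines. This is an added example, not tooling from the advisory; the log format, the 10.20.0.0/16 IoT range and the sample lines are assumptions for illustration, while the domains come from the IOC list on this page.

```python
import ipaddress
import re

# Indicators taken from this advisory's IOC section
IOC_DOMAINS = {
    "14emeliaterracewestroxburyma02132.su",
    "rtrdedge1.samsungcdn.cloud",
    "pawsatyou.eth",
}
# Assumption: the TV-box / IoT VLAN lives in this range (site-specific)
IOT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
DOT_PORT = 853

# Constructed log format: "<ts> <src_ip> <dst_ip> <dst_port> <proto> [qname=<domain>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+) (?P<proto>\w+)"
    r"(?: qname=(?P<qname>\S+))?$"
)

def _in_iot_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IOT_NETS)

def classify(line):
    """Return the list of rule names one log line trips (empty if nothing matched)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    hits = []
    if int(m.group("dport")) == DOT_PORT and _in_iot_net(m.group("src")):
        hits.append("dot_from_iot")        # DNS-over-TLS from the TV-box segment
    q = (m.group("qname") or "").rstrip(".").lower()   # tolerate a trailing FQDN dot
    if q:
        if q in IOC_DOMAINS:
            hits.append("known_c2_domain")
        if q.endswith(".su"):
            hits.append("su_tld")
        # CDN-mimicking lookalike: "samsungcdn" outside the vendor's real domain
        if "samsungcdn" in q and not q.endswith(".samsung.com"):
            hits.append("cdn_lookalike")
    return hits

def scan(lines):
    """Return (line, hits) for every line that trips at least one rule."""
    return [(ln, h) for ln in lines if (h := classify(ln))]

# Constructed sample log (not real traffic); two TV boxes and one ordinary workstation
SAMPLE_LOG = """\
2025-12-03T10:00:01Z 10.20.4.17 8.8.8.8 853 tcp
2025-12-03T10:00:02Z 10.20.4.17 10.20.0.1 53 udp qname=14emeliaterracewestroxburyma02132.su
2025-12-03T10:00:03Z 10.20.4.18 10.20.0.1 53 udp qname=rtrdedge1.samsungcdn.cloud.
2025-12-03T10:00:04Z 192.168.1.50 1.1.1.1 853 tcp
2025-12-03T10:00:05Z 10.20.4.19 10.20.0.1 53 udp qname=www.example.com
""".splitlines()

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(hits, line)
```

Port 853 from the workstation is deliberately not alerted here; widen IOT_NETS or drop the source check if the policy is to block DoT everywhere, as the advisory's remediation section suggests.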
The operators have demonstrated extreme arrogance, mocking researchers with messages like "we have 100s of servers keep trying LOL" and targeting specific industry figures. Continued monitoring of ENS-based C2 infrastructure is recommended.
Removal and Remediation Steps
1. Identify and Uninstall Malicious APKs
The primary infection vector is a malicious Android application. Search for and immediately uninstall the following package names.
`com.n2.systemservice0644`
`com.n2.systemservice063`
`com.n2.systemservice062`
2. Delete Persistent Malicious Binaries
The malware extracts secondary binaries to the device's internal storage to maintain control. If you have ADB (Android Debug Bridge) or terminal access, locate and delete these files from the application data directory.
File Path
`/data/data/com.n2.systemservice0644/niggakernel`
Malicious Files
`libniggakernel`, `ji.so`, `libdevice.so`, `c0.so`, or `q8.so`
3. Audit and Revoke Root Access
The malware attempts to use the `su` command to obtain root privileges.
Open your SuperUser management app (e.g., Magisk).
Check for any unauthorized grants to "System Service" or the package names listed above.
Revoke all permissions and delete the associated logs.
4. Network-Level Blocking (C2 Infrastructure)
Block the following identified Command and Control (C2) infrastructure at your router or DNS level to prevent the bot from receiving instructions.
Protocol
Block outbound traffic on port `853` (DNS-over-TLS) unless specifically required.
Domains
`14emeliaterracewestroxburyma02132.su`
`rtrdedge1.samsungcdn.cloud`
`pawsatyou.eth` (Ethereum Name Service/ENS domain)
5. Perform a Factory Reset
Because this botnet utilizes root access to gain deep system control, a full factory reset is the most reliable way to ensure all persistent scripts and modified system files are removed.
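Steps 1 and 2 above, scripted against a device over ADB: list installed packages, match them against the advisory's package names, enumerate the dropped binaries under the app's data directory, and optionally uninstall. This is an added example, not a tool from the advisory; it assumes adb is on PATH with one authorized device attached, and the sample `pm`/`ls` output at the bottom is constructed for an offline check.

```python
import subprocess

# Package and file names listed in this advisory
IOC_PACKAGES = {
    "com.n2.systemservice0644",
    "com.n2.systemservice063",
    "com.n2.systemservice062",
}
IOC_FILES = {"niggakernel", "libniggakernel", "ji.so", "libdevice.so", "c0.so", "q8.so"}

def adb(*args):
    """Run one adb command and return its stdout (needs adb on PATH and a connected device)."""
    return subprocess.run(["adb", *args], capture_output=True, text=True, check=False).stdout

def parse_packages(pm_output):
    """Parse 'pm list packages' output ('package:<name>' per line) into a set of names."""
    return {ln.split(":", 1)[1].strip() for ln in pm_output.splitlines() if ln.startswith("package:")}

def find_ioc_packages(pm_output):
    return sorted(parse_packages(pm_output) & IOC_PACKAGES)

def find_ioc_files(ls_output):
    """Match a directory listing (one name per line) against the advisory's binary names."""
    return sorted({ln.strip() for ln in ls_output.splitlines()} & IOC_FILES)

def audit_device(uninstall=False):
    """Report, and optionally remove, IOC packages and their dropped binaries on the attached device."""
    report = {}
    for pkg in find_ioc_packages(adb("shell", "pm", "list", "packages")):
        # The secondary binaries live in the app's private data dir; listing it needs root
        # (the device is rooted if the malware succeeded), otherwise ls prints nothing on stdout.
        files = find_ioc_files(adb("shell", "ls", f"/data/data/{pkg}/"))
        report[pkg] = files                      # record before uninstall deletes the directory
        if uninstall:
            adb("shell", "pm", "uninstall", "--user", "0", pkg)
    return report

# Constructed sample output for an offline check (not captured from a real device)
SAMPLE_PM = "package:com.android.settings\npackage:com.n2.systemservice0644\npackage:com.google.android.tv\n"
SAMPLE_LS = "cache\nji.so\nlibniggakernel\nlib\n"

if __name__ == "__main__":
    print(audit_device(uninstall=False))       # pass uninstall=True to remove matches
```

Uninstalling removes the package's data directory along with it, which is why the file listing is taken first; a factory reset (step 5) is still the reliable way to clear anything written outside that directory with root.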
Preventive Measures
Disable ADB over Network
Ensure "ADB Debugging" is disabled in Developer Options when not in use.
Avoid Generic TV Boxes
Be cautious of unbranded or "fully loaded" Android TV boxes, as many are pre-infected with Aisuru/Kimwolf variants at the factory level.
Restrict Sideloading
Do not sideload third-party APKs from untrusted sources; the early samples of this malware were first detected in Indian and Algerian distribution channels.