Indicators of Compromise (IOCs)
C2 Domain
14emeliaterracewestroxburyma02132[.]su. Observed generating floods of lookups that swamp public DNS resolvers. Match on the name in resolver or DNS-filter logs rather than on the address behind it, since the IP can change.
Network Artifacts
Sustained, high-volume connection attempts to TCP/5555 (the default Android Debug Bridge port) spread across many internal hosts, all originating from a single mobile device or PC on the network.
Affected Hardware
Unofficial Android TV boxes (Superbox and similar) and digital photo frames running the Uhale app.
Remediation & Mitigation
Hardware Audit & Removal
The most effective remediation is the physical removal of vulnerable devices.
Action
Identify "fully loaded" or "jailbroken" Android TV boxes (often sold for piracy) and digital photo frames connected to your network.
If a device matches the profile of a "Superbox" or generic Android streaming box with "Overseas use only" labels, disconnect it immediately. These devices often expose ADB on the network with no way to disable it and no trustworthy firmware update channel, so they cannot be patched into a safe state.
Network Segmentation (Critical)
Because the attack pivots from one device (phone/PC) to another (IoT), isolation is key.
Action:
Move all IoT devices (TVs, Fridges, Frames) to a Guest Network or a dedicated VLAN.
Why
Many consumer routers enable "Client Isolation" on guest networks, which prevents devices on that network from talking to each other, so the proxy device cannot reach the TV box's ADB port. Confirm the setting is actually on: a separate SSID or VLAN by itself does not block traffic between clients, or between VLANs, unless the router also filters it. Isolation limits lateral movement only; an already-infected box can still reach its C2 outbound, so pair it with the firewall rules below.
Proxy Hygiene
Action
Audit mobile phones and PCs for "free" VPNs, proxy apps, or dubious games. These are often the entry point: the app enrolls the device as a residential proxy node, which the botnet then uses to reach ADB on the TV boxes from inside the LAN.
Action
Use the tool provided by the security firm Synthient at synthient[.]com/check to see if your public IP is flagged as a Kimwolf node. Run it from the network in question, since it checks the public IP you connect from.
Advanced
Firewall Rules
If you manage a firewall capable of outbound filtering:
Block resolution of the .su TLD if your environment has no need for it. Most packet filters cannot match on the queried name, so enforce this on your internal resolver (for example, unbound's local-zone: "su." always_nxdomain, or an equivalent blocklist rule) and only allow outbound DNS (TCP/UDP 53, TCP 853) from that resolver, so a compromised device cannot bypass it by querying a public resolver directly.
Block TCP/5555 between internal network segments and to the internet, and log matches: a hit identifies the scanning proxy node. A router firewall only sees traffic that crosses segments, so within one segment rely on client isolation.
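The hardware audit, the port-5555 fan-out detection and the firewall rules above, as one added shell example that is not from the advisory or from Synthient. The nmap grepable output, the connection log (a space-separated src/dst/dport export) and the interface names br-lan and br-iot are all constructed for the example, and the script prints the iptables commands rather than applying them so it runs offline.

```shell
#!/bin/sh
# Added example, not from the advisory or Synthient. Three steps a defender
# would run against this threat:
#   1. list LAN hosts that expose ADB (TCP/5555) from an nmap grepable scan,
#   2. flag a single host fanning out to many 5555 destinations (the proxy node),
#   3. print iptables rules that quarantine flagged hosts and block 5555 across segments.
# All inputs below are constructed; interface names br-lan / br-iot are assumptions.

# Constructed output in the shape of: nmap -p 5555 --open -oG - 192.168.1.0/24
NMAP_GREPABLE='# Nmap scan initiated (constructed sample)
Host: 192.168.1.50 ()  Ports: 5555/open/tcp//freeciv///
Host: 192.168.1.77 ()  Ports: 5555/open/tcp//freeciv///
Host: 192.168.1.10 ()  Ports: 5555/closed/tcp//freeciv///'

# Constructed connection log, one flow per line: src dst dport
CONN_LOG='192.168.1.23 192.168.1.50 5555
192.168.1.23 192.168.1.51 5555
192.168.1.23 192.168.1.52 5555
192.168.1.23 192.168.1.53 5555
192.168.1.23 192.168.1.53 5555
192.168.1.23 93.184.216.34 443
192.168.1.40 192.168.1.50 5555
192.168.1.40 192.168.1.1 53'

# Step 1: hosts whose 5555/tcp is open; these are the TV boxes / frames to pull.
adb_exposed_hosts() {
    awk '/^Host:/ && /5555\/open\/tcp/ { print $2 }' | sort -u
}

# Step 2: count DISTINCT 5555 destinations per source. A phone or PC talking ADB
# to many internal hosts is the scanning proxy node. Prints "src count".
flag_adb_scanners() {
    thr="${1:-3}"
    awk -v thr="$thr" '
        $3 == 5555 && !seen[$1, $2]++ { fanout[$1]++ }
        END { for (s in fanout) if (fanout[s] >= thr) print s, fanout[s] }' | sort
}

# Step 3a: per-host quarantine rules for each flagged source (log first, then drop).
# Reads "src count" lines from flag_adb_scanners and prints three lines per host.
emit_quarantine_rules() {
    while read -r src count; do
        printf '# %s: %s distinct ADB targets\n' "$src" "$count"
        printf 'iptables -A FORWARD -s %s -p tcp --dport 5555 -j LOG --log-prefix "adb-scan "\n' "$src"
        printf 'iptables -A FORWARD -s %s -p tcp --dport 5555 -j DROP\n' "$src"
    done
}

# Step 3b: block 5555 in both directions between the user LAN and the IoT segment.
# This only covers routed traffic; two devices on the same segment still need
# client isolation on the access point or switch.
segment_block_rules() {
    lan_if="$1"; iot_if="$2"
    printf 'iptables -A FORWARD -i %s -o %s -p tcp --dport 5555 -j DROP\n' "$lan_if" "$iot_if"
    printf 'iptables -A FORWARD -i %s -o %s -p tcp --dport 5555 -j DROP\n' "$iot_if" "$lan_if"
}

echo "# devices exposing ADB:"
printf '%s\n' "$NMAP_GREPABLE" | adb_exposed_hosts
echo "# quarantine rules for hosts fanning out on 5555:"
printf '%s\n' "$CONN_LOG" | flag_adb_scanners 3 | emit_quarantine_rules
echo "# cross-segment rules:"
segment_block_rules br-lan br-iot
```

The fan-out threshold is the knob that matters: a legitimate developer workstation may talk ADB to one or two boxes, so count distinct destinations rather than raw packets, and tune the threshold to the number of Android devices you actually own. With a real scan, feed `nmap -p 5555 --open -oG -` into adb_exposed_hosts; with real router logs, adapt the awk field numbers to your export format.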