Massive Android botnet Kimwolf infects millions, strikes with DDoS
Sunday, December 21, 2025
What
The Kimwolf Android botnet, identified by its distinctive C2 domain, has grown rapidly, infecting millions of devices and carrying out large DDoS attacks. Built on the wolfSSL library, it offers capabilities such as traffic proxying and encryption of sensitive data. Its use of blockchain domains and covert communication techniques makes it resilient and complicates detection and mitigation.
Where
The botnet has a global reach, with infected devices reported in 222 countries, including significant concentrations in Brazil, India, and the USA.
When
The botnet was first identified in October 2025, with notable DDoS activity observed between November 19 and December 9, 2025.
Key Factors
- Utilizes the wolfSSL library for secure communications
- Employs DNS over TLS and elliptic curve digital signatures for command authentication
- Incorporates EtherHiding for resilience against takedowns
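One practical consequence of the second point for defenders: a botnet that reaches its infrastructure over DNS over TLS (TCP port 853) hides its lookups from plain-DNS logging, so network monitoring has to look at the transport instead. The following is an added example, not code from the article or from any Kimwolf analysis. It assumes a hypothetical flow-log format ("src dst dport proto"), a constructed IoT/TV segment of 10.20.0.0/24, and a constructed allow-list of approved DoT resolvers; it flags DoT connections from that segment to any resolver not on the list and summarizes them per device. DoT is legitimate on Android (Private DNS), so the check is meant to surface TV boxes and similar devices talking DoT to resolvers the organization never configured, not to treat port 853 itself as hostile.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumptions for this example: the network segment that holds smart TVs and
# TV boxes, and the DoT resolvers those devices are expected to use.
IOT_SEGMENT = ip_network("10.20.0.0/24")
APPROVED_DOT_RESOLVERS = {"10.20.0.1"}
DOT_PORT = 853  # DNS over TLS is TCP/853 (RFC 7858)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one line of the hypothetical flow log: 'src dst dport proto'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())


def is_unapproved_dot(flow: Flow) -> bool:
    """True when an IoT-segment device opens DoT to a resolver not on the allow-list."""
    return (
        flow.proto == "tcp"
        and flow.dport == DOT_PORT
        and ip_address(flow.src) in IOT_SEGMENT
        and flow.dst not in APPROVED_DOT_RESOLVERS
    )


def find_unapproved_dot(lines):
    """Return the flows that match the heuristic, in log order."""
    return [f for f in map(parse_flow, lines) if is_unapproved_dot(f)]


def summarize_by_device(lines):
    """Map each offending source device to the set of resolvers it contacted."""
    hits = defaultdict(set)
    for flow in find_unapproved_dot(lines):
        hits[flow.src].add(flow.dst)
    return dict(hits)


# Constructed sample flow records (documentation address ranges, not real IoCs).
SAMPLE_LOG = [
    "10.20.0.15 203.0.113.7 853 tcp",    # TV box -> external DoT resolver: flag
    "10.20.0.15 10.20.0.1 853 tcp",      # same box -> approved local resolver: fine
    "10.20.0.15 198.51.100.9 853 tcp",   # same box -> a second external resolver: flag
    "10.20.0.22 198.51.100.9 853 udp",   # UDP/853 is not DoT; not matched here
    "192.168.1.5 203.0.113.7 853 tcp",   # workstation segment: out of scope
    "10.20.0.30 203.0.113.7 443 tcp",    # ordinary HTTPS: fine
]

if __name__ == "__main__":
    for device, resolvers in summarize_by_device(SAMPLE_LOG).items():
        print(f"{device}: DoT to unapproved resolvers {sorted(resolvers)}")
```

Extending the heuristic is straightforward: a device that talks DoT to several distinct external resolvers, as 10.20.0.15 does in the sample, is a stronger signal than a single connection, and the per-device summary is the place to apply such a threshold.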
Takeaways
- Organizations must prioritize the security of IoT devices, particularly smart TVs and TV boxes, which are often vulnerable.
- The rapid evolution of malware like Kimwolf underscores the need for continuous threat intelligence sharing.
- Proactive measures are essential to mitigate the risks posed by large-scale botnets.
Original article: Security Affairs