1.8 million Android-based TVs, set-top boxes, and tablets are compromised by the Kimwolf botnet.

An estimated 1.7 billion DDoS attack commands were issued by the hyper-scale botnet. Brazil, India, the United States, Argentina, South Africa, and the Philippines have higher concentrations of infections than other countries. The attackers are believed to have initially reused code from AISURU before choosing to create the Kimwolf botnet in order to avoid detection.

Versions of the botnet malware detected as recently as December 12, 2025, have introduced a technique known as EtherHiding, which makes use of an ENS domain ("pawsatyou[.[. ]59") that contained a script referencing APKs for both Kimwolf and AISURU.

The malware itself is fairly straightforward. Once launched, it ensures that only one instance of the process runs on the compromised device. Kimwolf supports thirteen DDoS attack techniques over TCP, ICMP, and UDP.

According to XLab, the attack targets are in the United States, China, France, Germany, and Canada. More than 96% of the commands relate to using the bot nodes to provide proxy services. This shows that the attackers are trying to maximize their profits by taking advantage of the bandwidth from compromised devices.

A ByteConnect software development kit (SDK), a monetization solution that enables app developers and owners of IoT devices to profit from their traffic, is also sent to the nodes via the downloader script. According to XLab, "Giant botnets originated with Mirai in 2016, with infection targets mainly concentrated on IoT devices like home broadband routers and cameras." However, the disclosure in recent years of several million-level giant botnets such as Badbox, Bigpanzi, Vo1d, and Kimwolf suggests that some attackers have begun focusing on different TV boxes and smart TVs.