Kimwolf & Aisuru Botnets: Shared Infrastructure and Beneficiaries of 2M+ Compromised Android TV Boxes
A destructive botnet named Kimwolf has infected over two million devices by mass-compromising a vast number of unofficial Android TV streaming boxes. The botnet forces infected devices to participate in distributed denial-of-service (DDoS) attacks and to relay abusive and malicious Internet traffic for 'residential proxy' services.

This proxy software is often quietly bundled with mobile apps and games, and Kimwolf specifically targeted versions factory-installed on more than a thousand different models of unsanctioned Android TV devices. The compromised proxies quickly begin funneling traffic linked to ad fraud, account takeover attempts, and mass content scraping.

In December 2025, Chinese security firm XLab published a deep dive on Kimwolf, finding 'definitive evidence' that the same cybercriminal actors and infrastructure were used to deploy both Kimwolf and the earlier Aisuru botnet. XLab had suspected since October that the two botnets shared authors and operators, based in part on shared code changes over time. The investigation digs through digital clues left behind to identify the hackers, network operators, and services that appear to have benefited from the botnets' spread.
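The account-takeover traffic described above has a distinctive shape when it is relayed through a residential proxy pool: each compromised TV box sends only a handful of login attempts, so per-IP rate limits never trigger, while the targeted account sees failures arriving from many unrelated home IP addresses within seconds. The following detector, written as an added example for this summary and not taken from the article or from XLab's report, flags that account-side pattern in an authentication audit log. The log format, field names, and all addresses are constructed for illustration; the window and threshold are assumed starting points that a defender would tune against their own baseline.

```python
"""
Added example (not from the article or from XLab): detect distributed
credential stuffing, the account-takeover pattern residential-proxy botnets
produce, from an authentication audit log.

Per-IP rate limiting misses this traffic because each proxied device makes
only a few attempts. The signal is on the account side: one account fails
from many distinct IPs inside a short window, often followed by a success
from yet another new IP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log in an assumed format:
#   <ISO-8601 timestamp> <OK|FAIL> user=<account> ip=<source address>
# Addresses are documentation ranges (RFC 5737), not real infrastructure.
SAMPLE_LOG = """\
2025-12-10T08:00:01Z FAIL user=alice ip=203.0.113.10
2025-12-10T08:00:03Z FAIL user=alice ip=198.51.100.22
2025-12-10T08:00:05Z FAIL user=alice ip=192.0.2.77
2025-12-10T08:00:06Z FAIL user=alice ip=203.0.113.45
2025-12-10T08:00:09Z FAIL user=alice ip=198.51.100.9
2025-12-10T08:00:12Z OK   user=alice ip=192.0.2.200
2025-12-10T08:00:14Z FAIL user=bob ip=203.0.113.10
2025-12-10T08:00:15Z FAIL user=bob ip=203.0.113.10
2025-12-10T08:00:20Z OK   user=bob ip=203.0.113.10
2025-12-10T09:30:00Z FAIL user=carol ip=198.51.100.50
"""


def parse_line(line):
    """Split one audit line into a dict with a parsed timestamp."""
    ts, result, user_kv, ip_kv = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ok": result == "OK",
        "user": user_kv.split("=", 1)[1],
        "ip": ip_kv.split("=", 1)[1],
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def flag_distributed_stuffing(events, window_seconds=60, min_distinct_ips=4):
    """Return {user: max distinct failing IPs seen in any window} for accounts
    whose failed logins came from >= min_distinct_ips distinct source IPs
    within window_seconds. A single IP hammering one account (bob) is left to
    ordinary per-IP rate limiting and is not flagged here."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["user"]].append(e)

    flagged = {}
    for user, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        best = 0
        # Sliding window anchored at each failure; n is small per account.
        for i, start in enumerate(evs):
            ips = {e["ip"] for e in evs[i:] if e["time"] - start["time"] <= window}
            best = max(best, len(ips))
        if best >= min_distinct_ips:
            flagged[user] = best
    return flagged


def suspicious_successes(events, flagged, window_seconds=60):
    """List (user, ip) for successful logins on flagged accounts that occur
    within window_seconds after a failure: the likely moment of takeover,
    where a session review or forced re-authentication is warranted."""
    window = timedelta(seconds=window_seconds)
    last_fail = {}
    hits = []
    for e in sorted(events, key=lambda e: e["time"]):
        if not e["ok"]:
            last_fail[e["user"]] = e["time"]
        elif e["user"] in flagged and e["user"] in last_fail \
                and e["time"] - last_fail[e["user"]] <= window:
            hits.append((e["user"], e["ip"]))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    flagged = flag_distributed_stuffing(evs)
    print("accounts under distributed stuffing:", flagged)
    print("successes to review:", suspicious_successes(evs, flagged))
```

On the constructed log this flags only alice (five distinct source IPs failing within nine seconds) and points at the subsequent success from a sixth address; bob's repeated failures from one IP are deliberately not reported, since that case is what per-IP throttling already catches. Keying the detection on the account rather than the source address is the design choice that matters against a botnet of this size: with two million relays available, the attacker never needs to reuse an IP.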