Kimwolf Exposed: The Android Botnet with 1.8M Infected Devices
4 months ago
- #Botnet
- #Cybersecurity
- #Android
- Kimwolf is a massive Android botnet with over 1.8 million infected devices, primarily targeting Android TV boxes.
- The botnet uses DNS over TLS (DoT) and elliptic curve digital signatures for C2 communication to evade detection.
- Kimwolf's infrastructure includes multiple C2 domains, some of which have been taken down multiple times, leading to the adoption of Ethereum Name Service (ENS) for resilience.
- The botnet is capable of launching DDoS attacks, with observed attack capabilities nearing 30 Tbps.
- Kimwolf is linked to the Aisuru botnet, sharing code and infrastructure, indicating they are operated by the same group.
- Infected devices are globally distributed, with the highest concentrations in Brazil, India, and the USA.
- Kimwolf's operators use Rust-based Command Clients and ByteConnect SDK for monetization, earning significant revenue from compromised devices.
- The botnet's author has a notable fixation on cybersecurity journalist Brian Krebs, embedding references and taunts in the malware.
- Kimwolf's evolution includes adopting EtherHiding to harden its infrastructure against takedowns.