
Kimwolf botnet’s swift rise to 2M infected devices agitates security researchers

The botnet took an unusual path by abusing residential proxy networks, allowing it to control an untapped collection of unofficial Android TV devices.
Digital generated image of multicolored particles forming eye shape against black background. (Getty Images)

The Kimwolf botnet, which splintered off from the record-setting Aisuru DDoS botnet in August, gained the widespread attention of security researchers when it temporarily claimed the top spot in Cloudflare’s global domain rankings in late October 2025.

Within weeks it spread like wildfire, eventually taking over more than 2 million unofficial Android TV devices, according to Synthient, after its operators figured out how to abuse residential proxy networks for local control.

“That is an untapped population of bots that they were able to access that nobody else was able to access from a botnet perspective,” Chris Formosa, senior lead information security engineer at Lumen Technologies’ Black Lotus Labs, told CyberScoop.

Formosa, who has been monitoring the rise of Aisuru for more than a year, said the seizure of Rapper Bot paired with the arrest of its alleged leader in August paved the way for Aisuru and Kimwolf, which are run by some of the same cybercriminals, to gain full strength.


Behind the scenes, Lumen, along with industry partners, had gathered enough evidence on Kimwolf’s backend to spring into action by null-routing, or dropping, packets originating from the botnet’s command-and-control (C2) infrastructure.

Since early October, Lumen has blocked more than 550 C2s or IP addresses linked to Aisuru and Kimwolf’s servers, said Ryan English, information security engineer at Black Lotus Labs.

Lumen’s efforts caught the ire of Kimwolf’s operators, who responded by loading a profane greeting to the global network operator in a DDoS payload. This type of provocation, which Kimwolf’s operators have often leaned into, is a clear sign the group is financially motivated and not supported by a nation-state, according to Formosa.

Kimwolf’s DDoS attacks are generally deployed in short bursts of one to two minutes, but some attacks have extended for hours, Formosa said.

“Primarily, it seems like Minecraft is one of their favorites. Almost every day you can see Minecraft servers constantly getting blown up,” he added.


Technical research published by XLab, Synthient and Lumen demonstrates how the botnet’s operators have quickly spun up and abandoned infrastructure or shifted tactics to evade detection and remain operational. Researchers are hopeful Kimwolf has already reached its maximum potential, yet the botnet’s operators could still exploit another proxy service and take over a new assortment of devices.

Kimwolf hasn’t targeted critical infrastructure thus far, but it has the potential to cause severe damage if it were used for that purpose. Meanwhile, the malicious traffic the botnet controls isn’t harmless — DDoS attacks can spread beyond intended targets by causing downtime, congesting data and affecting unrelated services and operations.

In September, just as Kimwolf was forming, the Aisuru botnet achieved a record-breaking 29.7 terabits-per-second DDoS attack that lasted 69 seconds, according to Cloudflare.

“This is one of those really dangerous things that you see lying around that you just can’t leave lying around, and hope that nobody with really bad intentions decides to pick it up and use it,” English said.

DDoS attacks aren’t the most captivating form of cybercrime, but they still work and they are growing exponentially in size, he added. “That’s the thing about defense in cybersecurity. You’ve got to let them know that somebody is going to try to stop them.”

Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.
