The Silent Army in Living Rooms: Inside the AISURU / Kimwolf Android Botnet

Overview – What this incident is really about

AISURU (also known historically as Aisuru or Aisuru.DDoS) and Kimwolf represent a large, long-running criminal botnet operation that has quietly grown by infecting insecure consumer devices, most notably unofficial Android TV streaming boxes. These are low-cost devices often sold online, frequently used for IPTV or sideloaded streaming apps, and almost never properly secured or updated.

By early 2026, this operation had reached massive scale, with control over well above two million devices globally. The infected devices were primarily used for:

  • large-scale DDoS attacks
  • residential proxy services (selling real home IP addresses to criminals)
  • infrastructure abuse and traffic laundering

On January 14, 2026, coordinated defensive action by network operators and security researchers resulted in over 550 command-and-control servers being null-routed, severely disrupting the botnet’s ability to issue commands. While this did not disinfect devices, it temporarily cut off centralized control and monetization.


What happened

  1. Long-term silent growth
    The operators spent months, possibly years, quietly infecting Android TV boxes and other IoT-style devices. Because these devices are always on and rarely monitored, infections often went unnoticed.
  2. Monetization phase
    Once enough devices were infected, the operators shifted focus to:
    • selling proxy access to other criminals
    • offering DDoS-for-hire services
    • reselling bandwidth through underground markets
  3. Operational peak
    Telemetry showed billions of bot commands issued in short timeframes, suggesting heavy automation and industrial-scale usage.
  4. Disruption on Jan 14, 2026
    Security teams identified and blackholed hundreds of C2 servers. This prevented bots from receiving new instructions and caused widespread command failures across the botnet.

How the infection actually happens

There was no single zero-day vulnerability. Instead, the attackers relied on systemic weaknesses common in cheap Android devices:

Primary infection vectors

  • Exposed Android Debug Bridge (ADB)
    Many Android TV boxes ship with ADB enabled over TCP (commonly port 5555). Attackers scanned the internet and residential proxy networks for open ADB ports and pushed malicious payloads directly.
  • Poorly secured firmware
    Devices often run outdated Android builds with:
    • no SELinux enforcement
    • weak permissions
    • unsigned or easily sideloaded APKs
  • Sideloaded apps and unofficial app stores
    Users frequently install third-party IPTV or streaming apps, which increases the risk of trojanized installers or bundled loaders.
  • Abuse of residential proxy networks
    The attackers used existing proxy services to reach devices that would otherwise be inaccessible, creating a feedback loop where infected devices help infect more devices.

Malware architecture and payload behavior

Core components

The Kimwolf Android malware is lightweight but highly capable. It typically consists of:

  • a loader component (APK or native binary)
  • a persistent background service
  • a command execution engine
  • a proxy and DDoS module

Capabilities

Once installed, the malware can:

  • execute arbitrary shell commands
  • download and run additional binaries
  • act as a SOCKS or TCP proxy
  • generate multiple types of DDoS traffic
  • read and write files on the device
  • open reverse shells back to the operator

Persistence

Persistence is achieved through:

  • auto-start services
  • abuse of accessibility or background execution privileges
  • watchdog processes that restart the malware if killed

Command-and-Control (C2) design

The C2 design shows clear planning and maturity.

Communication

  • Encrypted using TLS
  • DNS queries often routed over DNS-over-TLS (DoT)
  • Custom binary protocol layered on top of TLS

Authentication

  • Commands are signed using elliptic curve cryptography
  • Bots verify signatures before executing commands
  • Prevents hijacking by third parties

Resilience

  • Multiple hardcoded domains
  • Encrypted fallback domains stored in the binary
  • Use of blockchain-based name resolution (ENS) in some versions
  • Rapid C2 rotation

DDoS capabilities

The botnet supports multiple attack methods, including but not limited to:

  • UDP floods
  • TCP SYN floods
  • TCP ACK floods
  • HTTP/TCP connection exhaustion
  • Amplification-style floods when possible

Because the devices are on residential networks, traffic appears highly distributed and difficult to filter using traditional IP-based methods.


Impacted industries and organizations

Internet Service Providers (ISPs)

  • Massive outbound traffic from consumer IP ranges
  • Abuse complaints and peering pressure
  • Increased operational cost for mitigation

Cloud providers and web services

  • Intermittent outages
  • Forced emergency DDoS mitigation
  • Increased reliance on scrubbing centers

End users

  • Slower internet connections
  • Devices overheating or crashing
  • Increased data usage
  • Silent participation in criminal activity

Underground criminal ecosystem

  • Proxy services enabled fraud, credential stuffing, and evasion
  • DDoS services used for extortion and disruption

Indicators of Compromise (IOCs)

Known domains (examples observed)

14emeliaterracewestroxburyma02132[.]su
proxy-sdk.14emeliaterracewestroxburyma02132[.]su
sdk-bright.14emeliaterracewestroxburyma02132[.]su
node-gateway[.]su
api-node-gw[.]su

Network indicators

  • Persistent outbound TLS connections to unknown domains over port 443
  • Repeating heartbeat traffic every 30–120 seconds
  • Devices acting as proxies without user configuration
  • High-volume outbound UDP traffic from Android-based devices

File and process indicators

Common binary and string patterns observed:

niggabox v4
niggabox v5
kw_service
kw_loader
libkw.so
/tmp/.kw
/data/local/tmp/kwd

Example file hashes

2078af54891b32ea0b1d1bf08b552fe8
b91c4f8d7b1a0cfe63baf91d87a44c02
f2b9a4a8c12c61e3e0c5b02b3d2b8f71

Detection guidance

Network-level detection

  • Alert on Android devices initiating long-lived TLS sessions to unknown domains
  • Detect SOCKS-like traffic patterns from residential IPs
  • Flag abnormal outbound UDP floods from consumer devices
  • Monitor for DNS-over-TLS usage from devices that normally do not use it

Endpoint-level detection (Android)

  • Presence of unknown background services
  • Unexpected binaries in /data/local/tmp/ or /system/bin/
  • ADB enabled over network without user awareness
  • Excessive CPU or network usage while device is idle
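The endpoint checks above (ADB listening on TCP, unexpected binaries under /data/local/tmp/ or /system/bin/, unknown background services), scripted as an added example that is not the post's own code: it uses standard adb commands (getprop, settings, ps, ls) and the kw* names from the indicator list earlier on the page; the sample listing is constructed, and `adb` on PATH with an authorised box are assumptions.

```python
"""Endpoint triage of an Android TV box over adb (added example, not the
post's own code). Parsers are kept separate from the adb calls so they run
on constructed output; `adb` on PATH and an authorised box are assumed."""
import subprocess

# Name prefixes taken from the string indicators listed earlier in the post.
SUSPECT_PREFIXES = ("kw_", "kwd", "libkw", ".kw")

# Constructed `ls -la` output for a box showing two of the indicators.
SAMPLE_LS = """total 24
-rw-r--r-- 1 shell shell  118 2026-01-09 09:14 .kw
-rwxr-xr-x 1 shell shell 8836 2026-01-09 09:14 kwd
-rw-r--r-- 1 shell shell   52 2025-12-01 08:00 notes.txt
"""

def adb_shell(cmd):
    """Run one command on the connected device and return its stdout."""
    return subprocess.run(["adb", "shell", cmd], capture_output=True,
                          text=True, timeout=30).stdout

def adb_tcp_exposed(prop_value):
    """True when service.adb.tcp.port names a port, i.e. ADB listens on TCP."""
    value = prop_value.strip()
    return value.isdigit() and int(value) > 0

def suspect_names(listing):
    """Names in the last column of `ls -la` or `ps -A` output that match."""
    hits = []
    for line in listing.splitlines():
        parts = line.split()
        if not parts or parts[0] in ("total", "USER"):  # skip header lines
            continue
        name = parts[-1].rsplit("/", 1)[-1]  # ps may show a full path
        if name.startswith(SUSPECT_PREFIXES):
            hits.append(name)
    return hits

def triage():
    """Collect the endpoint indicators from a live device into one report."""
    files = {d: suspect_names(adb_shell(f"ls -la {d}"))
             for d in ("/data/local/tmp", "/system/bin")}
    return {
        "adb_over_tcp": adb_tcp_exposed(adb_shell("getprop service.adb.tcp.port")),
        "adb_enabled": adb_shell("settings get global adb_enabled").strip() == "1",
        "suspect_processes": suspect_names(adb_shell("ps -A")),
        "suspect_files": {d: h for d, h in files.items() if h},
    }

if __name__ == "__main__":
    print("sample listing hits:", suspect_names(SAMPLE_LS))  # ['.kw', 'kwd']
```

Run `triage()` with a box attached to get the live report; a true `adb_over_tcp` on a box you never configured that way is the exposed-ADB vector described earlier.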

ISP / SOC detections

  • Multiple customers generating similar outbound traffic patterns
  • Repeated connection attempts to blackholed C2 ranges
  • Residential IPs acting as intermediate hops in attack chains
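The network indicators listed earlier (heartbeats every 30–120 seconds, long-lived TLS to unknown hosts, heavy outbound UDP) and the network-level and ISP/SOC detections above, worked through as an added example that is not code from the original post: it scores beacon regularity, UDP volume and destinations shared by several customers over constructed flow records. The host names, IP addresses, allowlist and thresholds are placeholders chosen for the sample.

```python
"""Beaconing and proxy-abuse triage over flow records (added example, not
the post's own code). It scores the network indicators from the text:
heartbeats every 30-120 s to a non-allowlisted host, heavy outbound UDP,
and several customers beaconing to one host. All flows are constructed."""
from collections import defaultdict
from statistics import median

ALLOWLIST = {"cdn.example.net", "mail.example.org"}  # known-good services

def _series(src, dst, proto, port, start, step, n, size, jitter=0):
    """Construct n records (ts, src, dst, proto, port, bytes) every `step` s."""
    return [(start + i * step + (jitter if i % 2 else 0), src, dst, proto, port, size)
            for i in range(n)]

FLOWS = (
    _series("10.0.0.21", "c2-placeholder.invalid", "tcp", 443, 0, 60, 8, 512, jitter=3)
    + _series("10.0.0.22", "c2-placeholder.invalid", "tcp", 443, 17, 90, 6, 512)
    + _series("10.0.0.23", "cdn.example.net", "tcp", 443, 5, 60, 8, 4096)  # legitimate
    + _series("10.0.0.22", "203.0.113.9", "udp", 53, 100, 1, 40, 1400)    # UDP burst
)

def find_beacons(flows, lo=30, hi=120, min_count=5, tolerance=0.25):
    """{(src, dst): median_gap} for TCP contacts to non-allowlisted hosts that
    recur every lo..hi seconds with at least 80% of gaps near the median."""
    times = defaultdict(list)
    for ts, src, dst, proto, _, _ in flows:
        if proto == "tcp" and dst not in ALLOWLIST:
            times[(src, dst)].append(ts)
    found = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_count:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        med = median(gaps)
        regular = sum(abs(g - med) <= tolerance * med for g in gaps) / len(gaps)
        if lo <= med <= hi and regular >= 0.8:
            found[key] = med
    return found

def udp_heavy_sources(flows, threshold_bytes=50_000):
    """Sources whose outbound UDP volume exceeds the threshold (flood candidates)."""
    totals = defaultdict(int)
    for _, src, _, proto, _, size in flows:
        if proto == "udp":
            totals[src] += size
    return {src: b for src, b in totals.items() if b > threshold_bytes}

def shared_destinations(beacons, min_sources=2):
    """ISP/SOC view: beacon targets contacted by several distinct customers."""
    by_dst = defaultdict(set)
    for src, dst in beacons:
        by_dst[dst].add(src)
    return {d: sorted(s) for d, s in by_dst.items() if len(s) >= min_sources}
```

Calling `find_beacons(FLOWS)` flags both sample hosts talking to the placeholder C2 while ignoring the equally regular traffic to the allowlisted CDN, and `shared_destinations` on that result is the cross-customer correlation an ISP would act on.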

Anti-malware and why it often fails here

Traditional mobile antivirus tools are rarely installed on Android TV boxes. Even when present:

  • many boxes run unsupported Android versions
  • signatures lag behind rapidly changing malware
  • users cannot easily inspect or manage system processes

This makes network-based detection and prevention far more effective than endpoint tools for this threat.


Why the takedown did not “solve” the problem

Null-routing C2 servers disrupts command flow, but:

  • infected devices remain infected
  • operators can rebuild infrastructure
  • fallback domains may still work
  • devices will reconnect if new C2s appear

True remediation requires:

  • device replacement or reflashing
  • ISP-level intervention
  • manufacturer accountability
  • consumer awareness

Recommended remediation steps

For individuals

  • Disconnect and replace unofficial Android TV boxes
  • Disable ADB and developer options
  • Avoid sideloading unknown apps
  • Isolate smart devices on separate Wi-Fi networks

For organizations and ISPs

  • Block known C2 domains and IPs
  • Rate-limit abnormal outbound traffic
  • Notify customers of infected devices
  • Monitor residential proxy abuse patterns

Final takeaway

AISURU / Kimwolf is not a flashy one-day breach. It is a slow-burn, industrial-scale botnet operation built on weak consumer hardware, poor security hygiene, and a profitable underground market for proxy access and DDoS services.

The January 2026 disruption was significant, but not final. As long as insecure Android devices remain widely deployed, botnets like this will continue to re-emerge — quietly, cheaply, and at scale.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.