Kimwolf/Aisuru Botnet: By The Numbers

Key metrics from August 2025 - January 2026

Infected Devices: 2.1M+ (222 countries affected)
Peak Attack Volume: 31.4 Tbps (world record, Jan 2026)
Weekly Unique IPs: 12M (dynamic allocation)
DDoS Commands: 1.7B (in just 72 hours)
Peak Packet Rate: 14.1 Bpps (billion packets/sec)
Aisuru Attacks (2025): 2,867 (mitigated by Cloudflare)

Key Findings

67% of infections are Android TV boxes
C2 domain surpassed Google in rankings
Many devices sold pre-infected from factory
Exploits residential proxy services
Uses blockchain (ENS) to resist takedowns
Proxy bandwidth sold for $0.20/GB

Data: XLab, Synthient, Cloudflare, KrebsOnSecurity, Black Lotus Labs

Botnet Growth: 1K to 2.1M Devices in 6 Months

Cumulative infected devices from August 2025 to January 2026

Source: XLab, Synthient, Cloudflare

The DDoS Arms Race: Record-Breaking Attacks

Peak attack throughput in Terabits per second (Tbps)

Source: Cloudflare Q3 2025 DDoS Report

Global Infection Distribution

~2.1 million infected devices across 222 countries

Source: XLab, Synthient Research

Hyper-Volumetric Attacks: 227% QoQ Growth

Cloudflare-mitigated attacks exceeding 1 Tbps by quarter

Total Attacks (2025): 36.2M
QoQ Growth: +227%
Aisuru Attacks: 2,867

*Q4 projected | Source: Cloudflare DDoS Threat Reports

Attack Vectors: UDP Floods Dominate

Network-layer attack distribution (Q3 2025)

Key Insight: UDP floods surged 231% QoQ, driven by Aisuru/Kimwolf carpet-bombing attacks

Source: Cloudflare Q3 2025 DDoS Threat Report

The Botnet Army: 67% Android TV Boxes

Breakdown of 2.1M+ compromised devices by type

Device Models: 1,000+
Unauthenticated ADB: 67%
Pre-infected: Many Sold This Way

Source: Synthient, XLab Research

Weekly Activity: 12M Unique IPs

Weekly unique IP addresses vs. new device infections

Note: Dynamic IP allocation means 12M weekly IPs ≈ 2M actual devices. Dec 27 drop due to IPIDEA patch.

Source: Synthient Research Team

Target Industries: Telecom & Gaming Lead

Attack distribution by industry sector (Q3 2025)

Collateral Damage: Aisuru traffic caused "widespread Internet disruption" in the US even when ISPs weren't targeted.

Source: Cloudflare, KrebsOnSecurity

Top 10 Countries by Infected Devices

Estimated device counts based on ~2.1 million total infections

Top 3 Combined: Brazil, India, and USA account for ~37% of infections (~774K devices)

Source: XLab C2 takeover analysis, Synthient

Timeline: 6 Months of Escalation

From discovery to world-record attacks to disruption efforts

Event categories: Attack, Defense, Discovery, Milestone

Aug 1, 2025 (Discovery): Aisuru variant discovered
Sep 2, 2025 (Attack): 11.5 Tbps attack - First major record
Sep 23, 2025 (Attack): 22.2 Tbps attack - Double previous record
Oct 24, 2025 (Discovery): Kimwolf identified by XLab researchers
Nov 1, 2025 (Milestone): C2 domain surpasses Google in Cloudflare rankings
Nov 19-22, 2025 (Attack): 1.7 billion DDoS commands issued in 72 hours
Dec 1, 2025 (Defense): XLab executes C2 domain takeover
Dec 4, 2025 (Milestone): Peak observed: 1.83M daily active bots
Dec 9, 2025 (Attack): 29.7 Tbps world record attack
Dec 27, 2025 (Defense): IPIDEA patches critical vulnerability
Jan 5, 2026 (Attack): 31.4 Tbps - New all-time record
Jan 15, 2026 (Defense): Black Lotus Labs null-routes 550+ C2 servers

Source: XLab, Synthient, Cloudflare, KrebsOnSecurity, Black Lotus Labs