Kimwolf Timeline

Late 2022: Original BadBox Discovered

The first BadBox botnet is identified after researchers discover approximately 74,000 off-brand Android TV devices infected with backdoor malware. The devices were compromised prior to purchase through supply chain attacks.^[1]

2022: Aisuru Team Forms

According to anonymous sources who later came forward, three individuals codenamed "Snow," "Tom," and "Forky" form the Aisuru team after several successful collaborations, including work on the CatDDoS botnet.^[2]

2023: BadBox Formally Identified

Security researchers formally identify and name the BadBox malware, which primarily consists of Android devices compromised with backdoor malware prior to purchase.^[3]

August 2024: Aisuru Botnet First Disclosed

QiAnXin XLab first discloses the Aisuru botnet, which participates in DDoS attacks against the distribution platform for the video game "Black Myth: Wukong."^[2]

March 2025: BadBox 2.0 Identified

HUMAN Security's Satori Threat Intelligence team publishes analysis identifying BadBox 2.0, confirming over 1 million consumer devices have become infected. The infected devices are Android Open Source Project devices manufactured in China and shipped globally, with infections observed in 222 countries.^[4]

Late April 2025: Aisuru's Enemies Begin Leaking Information

Due to the Aisuru group's poor reputation in the DDoS community, rivals begin leaking details on social media. Under a Cloudflare post about mitigating a record 5.8 Tbps attack, someone replies: "This came from 340k Totolink routers!" Further leaks include a screenshot of the botnet panel showing over 300,000 active bots.^[2]

May 12, 2025: Record DDoS Attack on KrebsOnSecurity

KrebsOnSecurity, protected by Google Shield, is targeted with a massive DDoS attack attributed to the Aisuru botnet. The attack is characterized as a "test run" or demonstration of capability.^[5]

Mid-May 2025: 7.3 Tbps Attack Blocked

Cloudflare blocks a 7.3 Tbps DDoS attack targeting a hosting provider. The attack lasted only 45 seconds but delivered 37.4 terabytes of traffic - the equivalent of over 9,000 HD movies.^[6]

July 11, 2025: Google Files Lawsuit Against BadBox 2.0 Operators

Google files a "John Doe" lawsuit in New York federal court (Google LLC v. Does 1-25) against 25 unidentified defendants in China accused of operating BadBox 2.0. Google describes it as a botnet of over 10 million unsanctioned Android streaming devices engaged in advertising fraud. The court grants a preliminary injunction allowing Google to disrupt the botnet's infrastructure.^[7]

Mid-September 2025: Multi-Terabit Gaming Attacks Begin

Aisuru launches a series of multi-terabit strikes targeting networks serving popular online gaming communities, including Minecraft servers, Steam, and Riot games. These attacks appear to be warm-up runs for larger assaults.^[9]

September 16, 2025: XLab Publishes Deep Aisuru Analysis

QiAnXin XLab publishes "The Most Powerful Ever? Inside the 11.5Tbps-Scale Mega Botnet AISURU," detailing the botnet's structure, the three key figures (Snow, Tom, Forky), and how an anonymous source provided intelligence hoping to dismantle Aisuru similarly to the Fodcha botnet takedown.^[2]

Early October 2025: Black Lotus Labs Begins Null-Routing Aisuru/Kimwolf C2s

Black Lotus Labs at Lumen Technologies begins null-routing traffic to command-and-control nodes associated with the Aisuru/Kimwolf botnet. They will ultimately null-route more than 550 C2 nodes.^[11]

October 27, 2025: NETSCOUT Publishes Aisuru Threat Summary

NETSCOUT publishes a detailed threat summary on Aisuru and related TurboMirai-class botnets, documenting attacks exceeding 20 Tbps and 4 billion packets per second. They note that multiple broadband access network operators experienced significant operational impact due to outbound attacks exceeding 1.5 Tbps launched from infected customer devices.^[14]

Late October 2025: Synthient Discovers resi[.]to Discord Server

Benjamin Brundage, founder of proxy-tracking firm Synthient, discovers that people selling various proxy services benefiting from the Aisuru and Kimwolf botnets are doing so on a Discord server called resi[.]to. When KrebsOnSecurity joins as a silent observer, the server has fewer than 150 members, including "Shox" (Resi Rack's co-founder) and his business partner "Linus."^[15]

November 12, 2025: Synthient Honeypot Detects Increased Targeting

Synthient's honeypot network observes an increase in targeting of the domain xd[.]resi[.]to from IPIDEA's proxy network. This domain resolves to 0.0.0.0, pointing to the device running the proxy SDK.^[16]

November 19-22, 2025: 1.7 Billion DDoS Attack Commands Observed

XLab observes Kimwolf issuing over 1.7 billion DDoS attack commands, pushing its C2 domain to the top position in Cloudflare's global domain popularity rankings, surpassing google.com.^[17]

November 30, 2025: XLab Captures New Kimwolf Sample, Takes Over C2

XLab captures another new Kimwolf sample and successfully takes over one of its C2 domains, gaining the opportunity to directly observe the botnet's operating scale. Over three days (December 3-5), they observe approximately 2.7 million distinct source IP addresses connecting to their registered C2.^[12]

December 1, 2025: Synthient Confirms IPIDEA Exploitation

Synthient confirms that Kimwolf botnet operators are tunneling through IPIDEA's proxy network into the local networks of systems running IPIDEA's proxy software. The attackers drop malware by directing infected systems to visit a specific address and call out the passphrase "krebsfiveheadindustries."^[18]

December 8, 2025: Definitive Link Confirmed Between Kimwolf and Aisuru

XLab confirms "definitive evidence" that the same cybercriminal actors and infrastructure were used to deploy both Kimwolf and Aisuru when they witness both botnet strains being distributed by the same Internet address at 93.95.112[.]59, which is assigned to Lehi, Utah-based Resi Rack LLC.^[15]

December 17, 2025: XLab Publishes Comprehensive Kimwolf Analysis

QiAnXin XLab publishes "Kimwolf Exposed: The Massive Android Botnet with 1.8 Million Infected Devices," providing exhaustive technical analysis of the malware, its connection to Aisuru, and its exploitation of residential proxy networks.^[12]

December 30, 2025: 2 Million IPIDEA Addresses Exploited

Synthient reports tracking roughly 2 million IPIDEA addresses exploited by Kimwolf in the previous week.^[18]

January 2, 2026: Kimwolf Operators Move to Telegram, Claim 3.5 Million Devices

Active members of the defunct resi[.]to Discord server move to a Telegram channel where they post Synthient founder Benjamin Brundage's personal information. A user named "Richard Remington" posts a crude sketch claiming Dort and Snow are now in control of 3.5 million devices infected by Aisuru and/or Kimwolf.^[15]

January 5, 2026: Multiple Outlets Cover Kimwolf

The Hacker News, SecurityWeek, Security Affairs, and other major cybersecurity publications publish coverage of the Kimwolf botnet, confirming over 2 million infected devices and noting the botnet's size may be much larger - with roughly 12 million unique IP addresses associated with it seen every week.^[16]

January 8, 2026: Krebs Publishes "Who Benefited from the Aisuru and Kimwolf Botnets?"

Krebs identifies the current administrators of Kimwolf as individuals using the nicknames "Dort" (a Canadian resident) and "Snow." The investigation traces infrastructure to Resi Rack LLC in Utah and reveals the company was openly advertising proxy services on BlackHatWorld forums.^[15]

January 13, 2026: Infoblox Publishes Enterprise Exposure Report

Infoblox reveals that nearly 25% of their Threat Defense Cloud customers made queries to Kimwolf-related domains since October 1, 2025, suggesting widespread presence of proxy endpoints in enterprise networks across education, healthcare, government, and finance sectors.^[19]