A new botnet named Kimwolf has emerged, boasting an alarming 1.8 million infected devices, mainly Android TVs, set-top boxes, and tablets. Its creators exploited the Native Development Kit (NDK) to build this botnet, which not only conducts distributed denial-of-service (DDoS) attacks but also features proxy forwarding, reverse shell access, and file management capabilities. Between November 19 and 22, 2025, Kimwolf executed around 1.7 billion DDoS commands, peaking with one of its command-and-control domains ranking at the top of Cloudflare's list, even surpassing Google briefly. The primary targets of Kimwolf are residential TV boxes, with significant infection rates reported in Brazil, India, the U.S., and several other countries. The exact method of malware propagation remains unclear, but QiAnXin XLab began investigating after receiving a variant of Kimwolf in late October 2025. The researchers found that the botnet's C2 domains have been taken down multiple times, prompting operators to adapt by utilizing the Ethereum Name Service (ENS) to strengthen their infrastructure. Kimwolf appears to be linked to the AISURU botnet, known for previous record-setting DDoS attacks. Both botnets share similar infection scripts and may have been developed by the same hacker group. Analysis showed that over 96% of commands issued by Kimwolf focus on using infected devices for proxy services, suggesting a profit-driven motive behind the attacks. The malware employs advanced techniques, including EtherHiding, to obscure its command-and-control infrastructure, making it more resilient against shutdown efforts. The rise of Kimwolf signals a troubling trend in the evolution of botnets, shifting focus from traditional IoT devices to smart TVs and other consumer electronics.