You probably bought an Android TV box, one of those that makes a non-smart TV smart. Boxes like it are generating around R88,200 a month for somebody. Just not for you.
Welcome to Kimwolf: the botnet that turned 1.8 million streaming devices into criminal infrastructure, with South Africa sitting in 5th place on the global infection leaderboard.
Your Android TV Box Has A Side Hustle
On October 30, 2025, researchers at QiAnXin XLab noticed something that should not have been possible. A single obscure domain was generating more DNS queries to Cloudflare's 1.1.1.1 resolver than Google, Facebook, and every other website combined.
What's DNS? Think of it as the internet's phonebook. Every time your device wants to visit a website, it asks a DNS server "where is google.com?" Your device does this constantly in the background. When one unknown domain gets more queries than Google, something is very wrong.
It wasn't a viral app or breaking news. It was 1.8 million infected Android TV devices checking in with their criminal operators for instructions. Every few seconds. All day. Every day.
The infected devices? Mostly cheap Android TV boxes. SuperBOX, X96Q, MX10, the generic "TV BOX" that you got at the China Mall or Takealot. Devices that cost less than a tank of petrol and turn your old TV into a smart one.
Here's what the seller never mentions: these boxes almost never get security updates. Once the manufacturer ships them and collects their money, you're on your own. And that makes them perfect targets for exactly this kind of attack.
Here's What Is Happening In The Background
Kimwolf turns your innocent streaming box into a multi-tool for cybercrime. Here's how it splits its time:
96.5% of the time: Running proxy services. Criminals route their traffic through your IP address to hide their real location while committing fraud, launching attacks, or accessing illegal content. From the outside world, it looks like you're doing it. Your address. Your internet connection. Your liability.
3.5% of the time: Launching DDoS attacks. The operators can weaponize all 1.8 million devices simultaneously, generating an estimated 30 Tbps of attack capacity. For context, that's enough firepower to overwhelm most internet service providers on the planet.
What's a DDoS attack? Imagine calling a restaurant and hanging up immediately, then getting millions of your friends to do the same thing simultaneously. The restaurant's phone lines get so overwhelmed they can't take legitimate orders. That's DDoS, but with websites and internet services instead of phones.
Between 19 and 22 November alone, the botnet issued 1.7 billion attack commands. In three days. The activity was so intense that cloud providers initially thought QiAnXin's monitoring systems had a bug, until they confirmed: "Kimwolf is just that crazy. It indeed sprayed the entire internet."
Meanwhile, your box still streams perfectly. Your apps still work. Everything looks normal. But in the background, someone else is making approximately R88,200 per month off infected devices using a bandwidth-selling SDK called ByteConnect.
Your device. Their payday. Your legal risk.
Military-Grade Evasion. Consumer-Grade Victims.
What makes Kimwolf particularly nasty is how cleverly the operators have engineered it to be nearly invisible and nearly impossible to kill.
DNS-over-TLS (encrypted lookups): The malware looks up the addresses of its command servers over DNS-over-TLS to Google (8.8.8.8) and Cloudflare (1.1.1.1). Because the lookup is encrypted, your router cannot see which name was asked for or what answer came back, and a DNS filter that would block a known-bad domain in ordinary DNS never gets the chance. All the router sees is a device talking to two of the most trusted addresses on the internet. The one thing it can see is the connection itself: DNS-over-TLS uses TCP port 853, so a TV box you never configured for encrypted DNS opening port-853 sessions to public resolvers is worth a second look. (Android's own "Private DNS" setting uses the same port, so treat that as a question, not proof.)
XOR obfuscation (mathematical scrambling): Even if researchers intercept the traffic, the command server addresses it carries are not the real ones. Each is XORed with the fixed key 0xce0491, so the address you see in the capture isn't the one the bot actually connects to. Call it obfuscation rather than encryption: XOR with a fixed key is undone by applying the same key again, and a single decoy/real pair hands over the key. It defeats a glance at the traffic, not an analyst with a sample.
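As an added illustration (this is not Kimwolf's code, and the article does not say how the key is laid out against the four address bytes), here is the XOR step in Python. It assumes the IPv4 address is treated as one 32-bit integer XORed with the key, and the sample addresses are constructed from the 203.0.113.0/24 documentation range:

```python
"""XOR "encryption" with a fixed key, and why it is only obfuscation.

Added example; not Kimwolf's code. The exact way the 0xce0491 key is
applied is not stated in the article. Assumption made here: the IPv4
address is treated as one 32-bit big-endian integer and XORed with the
key. Sample addresses are constructed from the 203.0.113.0/24
documentation range.
"""
import ipaddress

KEY = 0xCE0491  # key quoted in the article; how it is applied is assumed


def xor_ip(addr: str, key: int = KEY) -> str:
    """XOR an IPv4 address with key. XOR is its own inverse, so calling
    this twice with the same key gives the original address back."""
    n = int(ipaddress.IPv4Address(addr))
    return str(ipaddress.IPv4Address(n ^ key))


def recover_key(decoy: str, real: str) -> int:
    """Given one observed (decoy) address and the real address it mapped
    to, the key falls out with a single XOR: decoy ^ real == key.
    This is the whole reason a fixed-key XOR is not encryption."""
    return int(ipaddress.IPv4Address(decoy)) ^ int(ipaddress.IPv4Address(real))


if __name__ == "__main__":
    real_c2 = "203.0.113.10"          # constructed stand-in for a C2 host
    on_the_wire = xor_ip(real_c2)     # what a packet capture would show
    print("seen in traffic :", on_the_wire)
    print("actual C2       :", xor_ip(on_the_wire))
    print("key from 1 pair :", hex(recover_key(on_the_wire, real_c2)))
```

The decoy that appears on the wire is a perfectly well-formed address, which is what fools quick triage; anyone who pulls the key out of the binary, or who sees the bot connect to the real address once, reverses every future lookup for free.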
Blockchain C2 infrastructure (unkillable domains): When researchers took down multiple command servers in early December, the operators responded within 24 hours by moving their command-and-control lookup to Ethereum Name Service (ENS) names such as "pawsatyou.eth". An ENS name is a record in a smart contract on the Ethereum blockchain: only whoever holds the owner's private key can change where it points, there is no registrar to serve a court order on, and nobody can seize it. When the operators need to move, they sign one transaction that updates the record, and every bot reading it from the chain picks up the new address. What this does not do is protect the servers themselves: the name still has to point at a real IP address that can still be taken down, and the bots still need to reach an Ethereum node or a public RPC gateway to read it, which is one more outbound connection a router could, in principle, see.
On December 12, 2025, after researchers took down yet another wave of servers, the operators left a taunting message in their configuration file: "we have 100s of servers keep trying LOL!"
They weren't bluffing. Every takedown has been followed by new infrastructure within 24 hours, and the cat-and-mouse game escalated until they moved the lookup onto blockchain infrastructure that can't be seized or sinkholed the way a domain can.
South Africa: Top 5 in the Wrong Competition
Out of 222 countries and territories with infections, South Africa ranks 5th globally at 3.9% of all infected devices. Here's the leaderboard nobody wants to be on:
| Rank | Country | Share of infections |
|---|---|---|
| 1 | Brazil | 14.6% |
| 2 | India | 12.7% |
| 3 | USA | 9.6% |
| 4 | Argentina | 7.2% |
| 5 | South Africa | 3.9% |
| 6 | Philippines | 3.6% |
Why is South Africa so high on this list? Three reasons that all point back to economic realities:
Loadshedding created massive demand for offline-capable devices that could buffer content during power cuts. Cheap Android boxes with local storage became a survival tool instead of a luxury.
Data costs make streaming prohibitively expensive for many households. A R500 box with "unlimited content" (read: pirated streams) sounds like a rational financial decision when a single month of legitimate streaming services costs more than the device itself.
E-commerce platforms made it effortless to buy these devices. Search "Android TV box" on Takealot or any marketplace and you'll find dozens of sellers with thousands of positive reviews. Nobody mentions security updates because nobody gets security updates.
That bargain stays a bargain right up until the device becomes part of a criminal network tied to the same operators responsible for a 29.7 Tbps DDoS attack, the largest ever recorded by Cloudflare.
The AISURU Connection: Kimwolf shares infrastructure with the AISURU botnet, which launched that record-breaking 29.7 Tbps attack in Q3 2025. Security researchers confirmed the connection through shared code-signing certificates with the genuinely absurd name "John Dinglebert Dinglenut VIII VanSack Smith." Yes, that's the actual certificate name. No, nobody knows why cybercriminals thought that was a good idea, but it became a reliable fingerprint for tracking their operations.
How to Know If Your Device Is Infected
Kimwolf is engineered to stay invisible, but physics doesn't lie. Criminal proxy traffic generates heat, consumes bandwidth, and leaves digital fingerprints. Here's what to watch for:
- Device runs hot when you're not using it - Proxy traffic runs 24/7. If your box is warm to the touch hours after you turned off the TV, it's working for someone else.
- Your internet is slower than it should be - Bandwidth doesn't disappear. If your connection feels sluggish but your usage hasn't changed, check what else is consuming it.
- Router shows constant high traffic from your TV box - Even when idle, infected devices maintain persistent connections. Log into your router (usually 192.168.1.1 or 192.168.0.1) and check connected device traffic.
- Strange outbound connections in your logs - Unknown IP addresses, persistent connections to cloud services you don't use, or traffic spikes during off-hours are all red flags.
How to check your router: Most routers have a "Connected Devices" or "Device List" section showing real-time data usage. Look for your TV box. If it's transferring gigabytes of data while supposedly idle, you have a problem. Check your router's manual or Google "[your router model] check device traffic" for specific instructions.
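An added example of those checks turned into a script, not something from the article or from XLab: it reads a constructed connection export (one line per connection, in a format assumed for this example; real routers differ) and scores a device on three indicators, with thresholds that are assumptions to tune against your own household's normal traffic:

```python
"""Triage of a home router's connection export for a TV box that is
working as somebody else's proxy.

Added example; not from the article, QiAnXin XLab, or any router vendor.
The log lines are constructed for this example, one connection per line:
"<ISO time> <source ip> <destination ip> <destination port> <bytes>".
Real routers differ (OpenWrt's conntrack table, a NetFlow/IPFIX export,
a firewall log), so parse_line() is the part to adapt. The thresholds
are assumptions to tune against your own household's normal traffic.
"""
from collections import defaultdict
from datetime import datetime

TV_BOX = "192.168.1.50"                      # suspect device (assumed address)
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}
DOT_PORT = 853                               # DNS-over-TLS (RFC 7858)
IDLE_HOURS = range(1, 6)                     # 01:00-05:59, nobody is watching TV
IDLE_BYTES_LIMIT = 50_000_000                # 50 MB in idle hours (assumed)
FANOUT_LIMIT = 25                            # distinct destinations/hour (assumed)


def parse_line(line: str):
    """Return a record dict, or None for a line that does not fit the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return {
            "ts": datetime.fromisoformat(parts[0]),
            "src": parts[1],
            "dst": parts[2],
            "dport": int(parts[3]),
            "bytes": int(parts[4]),
        }
    except ValueError:
        return None


def analyze(lines, device=TV_BOX) -> dict:
    """Three indicators of a proxy node: data moving while the house sleeps,
    encrypted DNS to public resolvers the user never set up, and connections
    to many unrelated destinations per hour (a proxy exit fans out)."""
    idle_bytes = 0
    dot_to_public = 0
    per_hour = defaultdict(set)              # hour bucket -> distinct destinations
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] != device:
            continue
        if rec["ts"].hour in IDLE_HOURS:
            idle_bytes += rec["bytes"]
        if rec["dport"] == DOT_PORT and rec["dst"] in PUBLIC_RESOLVERS:
            dot_to_public += 1
        bucket = rec["ts"].replace(minute=0, second=0, microsecond=0)
        per_hour[bucket].add(rec["dst"])
    peak_fanout = max((len(d) for d in per_hour.values()), default=0)

    flags = []
    if idle_bytes > IDLE_BYTES_LIMIT:
        flags.append(f"{idle_bytes / 1e6:.0f} MB transferred during idle hours")
    if dot_to_public:
        flags.append(f"{dot_to_public} DNS-over-TLS connection(s) to public resolvers on port 853")
    if peak_fanout >= FANOUT_LIMIT:
        flags.append(f"{peak_fanout} distinct destinations in a single hour")
    return {"idle_bytes": idle_bytes, "dot_to_public": dot_to_public,
            "peak_fanout": peak_fanout, "flags": flags}


def constructed_log() -> list:
    """Constructed sample: a box that checks in over DoT, pulls 62 MB at 03:00
    and fans out to 30 hosts during 02:xx; plus a laptop doing normal evening
    browsing, and one malformed line the parser must skip."""
    lines = [
        "2025-12-01T02:10:03 192.168.1.50 1.1.1.1 853 1200",
        "2025-12-01T02:10:05 192.168.1.50 203.0.113.10 443 8400",
        "2025-12-01T03:00:09 192.168.1.50 198.51.100.7 443 62000000",
        "2025-12-01T20:15:00 192.168.1.20 198.51.100.99 443 900000",
        "garbage line that should be skipped",
    ]
    lines += [f"2025-12-01T02:{i:02d}:30 192.168.1.50 203.0.113.{100 + i} 443 5000"
              for i in range(30)]
    return lines


if __name__ == "__main__":
    for dev in (TV_BOX, "192.168.1.20"):
        result = analyze(constructed_log(), dev)
        print(dev, "->", result["flags"] or ["nothing unusual"])
```

No single indicator is proof: a 3 a.m. app update or someone who really was watching at that hour also moves data, and Android's "Private DNS" setting uses port 853 legitimately if you turned it on. The combination, measured against a few days of the box's normal behaviour, is what tells you something is wrong.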
Your Move: Fix It, Replace It, or Live With the Risk
If you already own a cheap Android TV box:
First, verify whether it's infected: check your router for unusual traffic from the box. Constant data transfers while it sits in standby (the remote's power button usually only puts these boxes to sleep, so "off" still means connected) or while nobody is watching are a strong sign, though not proof on their own: app updates and telemetry also happen while idle, so compare against what the box does on a normal day.
Factory reset is not a guaranteed fix. Sophisticated malware can survive resets by infecting system partitions that persist through the process. If your device is a no-name brand that's never received a firmware update, a factory reset is probably pointless.
The honest answer? Replace it. A R500 infected box will cost you more in potential legal liability than buying a legitimate streaming device. If law enforcement traces criminal activity back to your IP address because your device was proxying illegal traffic, "I didn't know my TV box was hacked" is not a strong legal defense.
If you're shopping for a streaming device:
Skip generic Android TV boxes entirely. Period. Full stop.
Buy from brands with actual support infrastructure: Chromecast with Google TV (from R1,200), Amazon Fire Stick (from R1,000), Apple TV (from R2,500), or a TV with Google TV built in from Sony or TCL (Samsung's TVs run Samsung's own Tizen platform, not Android). Yes, they cost 2-5x more than the R500 box. They also receive regular security updates and won't turn your home network into criminal infrastructure.
Check for update history before buying. Google the device model + "firmware updates" and see if the manufacturer actually patches security issues. If you can't find evidence of updates in the past year, walk away.
For everyone, regardless of what you own:
Never install APKs from unknown sources. That "free Netflix" app someone told you about? That's how malware spreads. Stick to official app stores.
Segment your network if possible. Put IoT devices (TV boxes, smart speakers, cameras) on a separate Wi-Fi network from your computers and phones. Most modern routers support "guest networks", which block devices on them from reaching the rest of your home network; use one for untrusted devices. That way, if something gets compromised, the infection can't spread to your important devices. It does not fix the proxy problem, though: a box on the guest network still goes out through your public IP address, so its traffic still looks like yours to the outside world.
If a device hasn't been updated in over a year, it's not secure - it's a liability. Treat it accordingly. Either replace it or isolate it from your primary network.
The Uncomfortable Truth About IoT Security
Kimwolf isn't an outlier or a one-off incident. It's a symptom of a fundamentally broken industry.
The Internet of Things operates on a business model that externalizes security costs onto consumers. Manufacturers ship cheap devices, collect their money upfront, and disappear. No long-term support. No security patches. No responsibility when the inevitable vulnerability gets exploited six months later.
When your laptop has a security flaw, Microsoft or Apple patches it. When your phone has a vulnerability, Google or Samsung fixes it. When your R400 Android TV box has a critical exploit, the manufacturer is nowhere to be found because they never intended to support it past the initial sale.
And consumers are left holding the bag - or in this case, the compromised streaming box that's now part of a criminal botnet.
Protect Your Network From IoT Threats
Not sure if your devices are secure? Our free Cyber Toolkit includes step-by-step guides for auditing your home network, checking router logs, and identifying compromised devices. Written for regular people, not IT professionals.
Get the Free Cyber Toolkit
Running a business in KZN? We provide network security assessments and IoT audits for SMEs.