Kimwolf v7 Botnet Emerges with HTTP/2 DDoS and Blockchain-Based C2 Evasion
Overview
A newly discovered variant of the Kimwolf botnet, Kimwolf v7, is raising fresh concerns in the cybersecurity landscape after researchers identified major upgrades in its attack capabilities and command-and-control (C2) infrastructure. The botnet, which primarily targets Android-based IoT devices such as smart TVs and set-top boxes, now incorporates advanced evasion techniques designed to resist disruption and takedown efforts.
Evolution of the Kimwolf Botnet
Active since 2024 and also tracked as AISURU, Kimwolf has steadily evolved into a more resilient and dangerous threat. The latest version, discovered in early 2026, appears to be a direct response to increased scrutiny and disruption attempts by security researchers and law enforcement. Its new architecture focuses heavily on decentralization and stealth, making it significantly harder to detect and dismantle.
Decentralized and Resilient C2 Infrastructure
One of the most notable upgrades in Kimwolf v7 is its use of blockchain technology for C2 resolution. The malware includes multiple hardcoded Ethereum RPC endpoints, allowing it to query the Ethereum blockchain and resolve domains via the Ethereum Name Service (ENS). This approach eliminates reliance on traditional centralized infrastructure, making takedowns far more difficult.
In addition, the botnet integrates a Tor hidden service as a backup communication channel. When primary C2 resolution fails, the malware automatically switches to a Tor-based .onion address using a SOCKS5 proxy mechanism. All communication is routed through a local proxy (127.0.0.1:23075), enabling flexible switching between clearnet and anonymized networks.
Advanced DDoS Capabilities
Kimwolf v7 significantly expands its distributed denial-of-service (DDoS) arsenal, supporting at least 15 attack methods. These include TCP, UDP, DNS, ICMP, and TLS floods. However, the most critical addition is a sophisticated HTTP/2 flood attack.
This new method mimics legitimate Chrome browser traffic by generating realistic headers such as sec-ch-ua, sec-fetch, and dynamic user-agent strings. This makes malicious traffic extremely difficult to distinguish from normal web activity, increasing the effectiveness of attacks.
The botnet also leverages high-performance techniques like Xorshift256 pseudo-random number generation and ARM NEON SIMD instructions to maximize packet throughput during UDP floods.
Targets and Monetization
Kimwolf primarily infects low-cost, uncertified Android TV devices, turning them into part of a large-scale botnet. It monetizes operations through DDoS-for-hire services, proxy bandwidth resale, and app installation campaigns.
Indicators and Detection
Security experts highlight several behavioral indicators of compromise, including unusual Ethereum RPC traffic from devices with no wallet use case, Tor connections, and the presence of suspicious processes such as netd_service. Monitoring these behavioral signals is critical, because blocking the Ethereum RPC endpoints themselves is unlikely to be effective: they are legitimate public services, and the malware carries several of them to fall back on.
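Turning these behavioral indicators into a triage rule, as an added example that is not from the report or its researchers: the script below scores constructed per-connection telemetry records (device, process, destination, HTTP body; the field names and sample values are assumptions) and flags a device only when at least two of the indicators named above coincide, so that a single legitimate Ethereum RPC call does not fire on its own.

```python
import json
from collections import defaultdict

# Constructed sample telemetry (not from the report): one JSON record per
# outbound connection, as an agent on an Android TV box might emit it.
SAMPLE_EVENTS = """\
{"device":"tv-01","proc":"netd_service","dst":"203.0.113.10","port":443,"body":"{\\"jsonrpc\\":\\"2.0\\",\\"method\\":\\"eth_call\\",\\"id\\":1}"}
{"device":"tv-01","proc":"netd_service","dst":"203.0.113.11","port":443,"body":"{\\"jsonrpc\\":\\"2.0\\",\\"method\\":\\"eth_call\\",\\"id\\":2}"}
{"device":"tv-01","proc":"netd_service","dst":"127.0.0.1","port":23075,"body":""}
{"device":"tv-02","proc":"com.android.vending","dst":"203.0.113.50","port":443,"body":""}
{"device":"tv-03","proc":"wallet.app","dst":"203.0.113.10","port":443,"body":"{\\"jsonrpc\\":\\"2.0\\",\\"method\\":\\"eth_call\\",\\"id\\":7}"}
"""

LOCAL_PROXY = ("127.0.0.1", 23075)  # loopback SOCKS5 relay named in the report
SUSPECT_PROC = "netd_service"       # process name named in the report


def is_eth_rpc(body):
    """True if the HTTP body is an Ethereum JSON-RPC request (ENS lookups use eth_call)."""
    try:
        msg = json.loads(body)
    except (ValueError, TypeError):
        return False
    return (isinstance(msg, dict) and msg.get("jsonrpc") == "2.0"
            and str(msg.get("method", "")).startswith("eth_"))


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def score_devices(events):
    """Return {device: [indicator, ...]} for devices matching at least two indicators."""
    rpc_dsts = defaultdict(set)
    hits = defaultdict(set)
    for e in events:
        dev = e["device"]
        if is_eth_rpc(e.get("body", "")):
            rpc_dsts[dev].add(e["dst"])
        if (e["dst"], e["port"]) == LOCAL_PROXY:
            hits[dev].add("loopback-socks5-23075")
        if e.get("proc") == SUSPECT_PROC:
            hits[dev].add("netd_service-network-activity")
    for dev, dsts in rpc_dsts.items():
        # One app talking to one RPC provider is normal; an appliance rotating
        # across several hardcoded endpoints is the failover pattern described.
        if len(dsts) >= 2:
            hits[dev].add("eth-rpc-multi-endpoint")
    return {d: sorted(h) for d, h in hits.items() if len(h) >= 2}


if __name__ == "__main__":
    for dev, why in score_devices(parse_events(SAMPLE_EVENTS)).items():
        print(dev, "->", ", ".join(why))
```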
Conclusion
Kimwolf v7 represents a significant leap in botnet sophistication, combining decentralized infrastructure, anonymized communication, and advanced DDoS techniques. As attackers continue to adopt blockchain and privacy technologies, defenders must adapt by focusing on behavioral detection and deeper network visibility to identify compromised IoT devices before they can be weaponized.