
Android TV Botnet Landscape: Bigpanzi, Kimwolf, and the Misattribution of Kimsuky

Investigated: April 3, 2026 | Published: April 3, 2026
Threat Actors: APT43 (Kimsuky)
Tags: bigpanzi, kimsuky, androidtv, c2, rat, apt, phishing, supply-chain, mirai, botnet, alibaba, tor, shodan

TLP: WHITE
Date: 2026-04-03
Analyst: GHOST (Breakglass Intelligence)
Classification: Cybercrime / Botnet Operations
Status: COMPLETE

Executive Summary

An investigation prompted by a social media lead referencing a "botnet war" between Bigpanzi and "Kimsuky" targeting Android TV boxes reveals a critical misattribution. The conflict is between Bigpanzi (Chinese cybercrime syndicate, active since 2015) and Kimwolf/Aisuru (multinational botnet operation, emerged 2025) -- NOT the North Korean state-sponsored APT group Kimsuky (APT43). The name similarity between "Kimwolf" and "Kimsuky" has caused confusion in open-source reporting. These are entirely separate threat actors with no operational overlap.

Our investigation confirmed 5 live Bigpanzi Pandoraspear C2 servers on port 9999, mapped extensive Kimwolf infrastructure including Ethereum Name Service (ENS) resilient C2, and identified the residential proxy supply chain (Resi Rack LLC, IPIDEA, ByteConnect SDK) enabling both botnets to infect over 3.5 million Android TV devices globally.

Key Findings

  • CRITICAL MISATTRIBUTION: The "Kimsuky" reference in the source tweet almost certainly refers to Kimwolf, a cybercrime botnet. Kimsuky (APT43/Thallium) is a North Korean state-sponsored espionage group that deploys PowerShell backdoors and spearphishing -- NOT IoT botnets. Their TTPs, targeting, and infrastructure are entirely different.
  • Bigpanzi infrastructure remains LIVE: All 5 known Pandoraspear C2 servers (port 9999) are actively accepting connections as of 2026-04-03.
  • Kimwolf is the actual competitor: Emerged late 2025, infected 2M+ Android TV devices, launched a 31.4 Tbps DDoS attack, and uses ENS blockchain for resilient C2.
  • Scale of the Android TV battlefield: Combined, Bigpanzi (~170K daily active), Kimwolf (~1.83M daily active), Vo1d (~1.6M), and BadBox (10M+) represent over 15 million compromised Android TV devices globally.
  • Supply chain enablers: Resi Rack LLC (Lehi, Utah), IPIDEA residential proxies, ByteConnect SDK (Plainproxies/3XK Tech GmbH) form the proxy monetization pipeline for Kimwolf.
  • Bigpanzi uses Chinese cloud infrastructure: mf1ve[.]com registered via Alibaba Cloud (HiChina), resolving to Alibaba Cloud LLC IP space.
  • snarutox[.]com reveals commercial operation: 35+ subdomains with fresh DigiCert certificates (Mar-Apr 2026) including panel, dashboard, payment, and VPN infrastructure -- indicating Bigpanzi operates as a commercial P2P CDN business.

What Was Found vs. What Was Known

Aspect                        | Prior Reporting           | Our Findings
------------------------------|---------------------------|------------------------------------------------------------
"Kimsuky" involvement         | Claimed in social media   | DEBUNKED -- Kimwolf, not Kimsuky. Zero overlap.
Bigpanzi C2 status            | Documented Jan 2024       | 5 servers LIVE on port 9999 (Apr 2026)
Botnet conflict               | Vague "invisible war"     | Shared device population -- same Android TV box models targeted
Kimwolf infrastructure        | ENS-based C2 documented   | Resi Rack IPs 93.95.112.50-59 dark on Shodan
snarutox.com (Bigpanzi pcdn)  | Known C2 domain           | 35+ subdomains with fresh DigiCert certs (Mar-Apr 2026)

The "Botnet War" -- What Is Actually Happening

The Android TV box ecosystem has become contested territory for multiple independent cybercrime operations:

  1. Bigpanzi (est. 2015, Chinese origin) deploys Pandoraspear backdoor + Pcdn P2P CDN via backdoored firmware and pirated media APKs. Targets Brazil-heavy device fleet.
  2. Kimwolf/Aisuru (est. 2025, multinational) deploys Mirai-derivative DDoS bot + SOCKS proxy via ADB exploitation and residential proxy tunneling. Targets devices in 222 countries.
  3. Vo1d (est. 2024, unknown origin) uses Bigpanzi-like string decryption but operates independently. 1.6M+ device fleet.
  4. BadBox (est. 2023) pre-installs malware in supply chain. 10M+ devices estimated.

The "war" is a competition for the same finite pool of vulnerable Android TV devices. When one botnet infects a device, it often kills competing malware processes. This creates an ongoing displacement cycle where botnets fight for dominance on the same hardware.

Infrastructure Analysis

Bigpanzi -- Pandoraspear C2 Servers (LIVE as of 2026-04-03)

Domain              | IP                   | ASN/Provider       | Port 9999 | Status
--------------------|----------------------|--------------------|-----------|-------
ok3.mf1ve[.]com     | 47[.]76[.]118[.]67   | Alibaba Cloud LLC  | OPEN      | LIVE
ok3.mflve[.]com     | 71[.]19[.]252[.]21   | eSecureData (CA)   | OPEN      | LIVE
pcn.panddna[.]com   | 71[.]19[.]251[.]233  | eSecureData (CA)   | OPEN      | LIVE
ppn.pnddon[.]com    | 71[.]19[.]252[.]13   | eSecureData (CA)   | OPEN      | LIVE
apz.bsaldo[.]com    | 173[.]255[.]221[.]98 | Unknown            | OPEN      | LIVE
apz.pdonno[.]com    | 172[.]232[.]182[.]63 | Unknown            | OPEN      | LIVE
jgp.pdltdgie[.]com  | 71[.]19[.]252[.]13   | eSecureData (CA)   | OPEN      | LIVE

Bigpanzi -- Pcdn C2 Servers

Domain                        | IP                    | Port  | Status
------------------------------|-----------------------|-------|---------
zas8wie.snarutox[.]com        | 91[.]195[.]240[.]103  | 31226 | FILTERED
in32hbccw.oneconcord[.]net    | 47[.]76[.]118[.]67    | 31226 | FILTERED
pu9z3cca.trumpary[.]com       | 162[.]209[.]126[.]216 | 31226 | FILTERED

Bigpanzi -- DDoS Builder C2

Domain                        | IP                   | Status
------------------------------|----------------------|--------
stpoto.sdfaf1230app[.]net     | 195[.]154[.]185[.]47 | UNKNOWN
ruetsm.mkuspt[.]com           | 34[.]41[.]139[.]193  | UNKNOWN
dlewals.adfoiadf892[.]net     | 34[.]41[.]139[.]193  | UNKNOWN

Bigpanzi -- Domain Registration Analysis

Domain          | Registrar                      | Created     | NS             | Notes
----------------|--------------------------------|-------------|----------------|----------------------------------
mf1ve[.]com     | Alibaba Cloud (HiChina)        | 2023-08-15  | HiChina DNS    | Chinese registrar, active
panddna[.]com   | PDR Ltd (PublicDomainRegistry) | 2018-07-30  | AWS Route53    | Long-running infra
snarutox[.]com  | Unknown                        | Unknown     | DigiCert certs | 35+ subdomains, fresh certs

snarutox[.]com Certificate Transparency Analysis

Fresh certificate issuances (March-April 2026) reveal extensive subdomain infrastructure:

  • panel.snarutox[.]com -- Management panel
  • dashboard.snarutox[.]com -- Operator dashboard
  • sslvpn.snarutox[.]com -- VPN access for operators
  • devel.snarutox[.]com -- Development server
  • github.snarutox[.]com -- Code repository mirror
  • pay.prod3.snarutox[.]com -- Payment processing (nested: pay.pay.prod3, pay.pay.pay.prod3)
  • system.snarutox[.]com -- System management
  • tickets.snarutox[.]com -- Support/ticketing
  • oms.snarutox[.]com -- Order management system
  • cs.snarutox[.]com -- Customer service
  • robins.snarutox[.]com -- Unknown purpose
  • localhost.snarutox[.]com -- Development/testing
  • devserver.snarutox[.]com -- Development server
  • new3.snarutox[.]com -- Staging

This is a fully operational business infrastructure, not just C2 hosting. The Bigpanzi operators are running what appears to be a commercial P2P CDN service monetizing their botnet.

Kimwolf/Aisuru Infrastructure

Indicator         | Detail                                       | Status
------------------|----------------------------------------------|------------------
C2 Domain         | 14emeliaterracewestroxburyma02132[.]su       | Taken down 3x
ENS Domain        | pawsatyou[.]eth                              | LIVE (blockchain)
ENS Contract      | 0xde569B825877c47fE637913eCE5216C644dE081F   | LIVE
Downloader IPs    | 93[.]95[.]112[.]50-59                        | Dark on Shodan
ASN               | AS397923 (Resi Rack LLC, Lehi, UT)           | Active
SDK Domains       | proxiessdk[.]online, proxiessdk[.]store      | DNS dead
Impersonation     | rtrdedge1.samsungcdn[.]cloud                 | DNS dead
Operator Discord  | resi[.]to (deleted Jan 2, 2026)              | Dead

Kimwolf Supply Chain / Proxy Monetization

[Plainproxies / ByteConnect SDK] --> [Trojanized APKs (600+)] --> [Android TV Box Infection]
         |                                                                    |
    [Friedrich Kraft / 3XK Tech GmbH]                              [Kimwolf Bot Enrollment]
         |                                                                    |
    [Maskify Proxy Service ($0.30/GB)]  <----  [SOCKS Proxy Relay]  <----  [Infected Devices]
         |                                                                    |
    [IPIDEA Residential Proxy]  <----  [Lateral Movement via ADB:5555]

Kimwolf Key Actors

Alias            | Real Name        | Location           | Role
-----------------|------------------|--------------------|-------------------------------------------------
Dort             | Unknown          | Canada (suspected) | Co-botmaster
Snow             | Unknown          | Unknown            | Co-botmaster
Forky            | Unknown          | Brazil             | Original Aisuru marketer; claims lost control
Shox             | Cassidy Hales    | Utah, US           | Resi Rack co-founder
Linus            | Unknown          | Unknown            | Resi Rack co-founder
Friedrich Kraft  | Friedrich Kraft  | Germany            | CEO Plainproxies, 3XK Tech GmbH
Julia Levi       | Julia Levi       | Unknown            | Plainproxies CRO, ex-Netnut/Bright Data

Malware Analysis

Bigpanzi -- Pandoraspear

Property           | Value
-------------------|-----------------------------------------------------
Type               | ELF backdoor (ARM/MIPS/x86)
Packing            | Modified UPX (magic 0x71284075)
Obfuscation        | OLLVM control flow flattening
Encryption         | Blowfish ECB, key: "zAw2xidjP3eHQ"
String encryption  | XOR-based (buf[0]^buf[1]^buf[2] for length)
C2 Port            | 9999
Versions           | v1-v10 documented
Capabilities       | DNS hijacking, C2 comms, arbitrary command execution
Anti-debug         | TracerPid check
Known hash         | MD5: 9a1a6d484297a4e5d6249253f216ed69

Bigpanzi -- Pcdn

Property      | Value
--------------|----------------------------------------------------------------
Type          | P2P CDN node + DDoS module
C2 Port       | 31226
Status Port   | 19906 (/getstatus API)
P2P Port      | 7172
Components    | SRS media server, Shadowsocks, KCP acceleration
DDoS vectors  | 8 types: ICMP, UDP, SYN, TCP, keepalive, HTTP GET/POST, custom
Known hash    | MD5: 7ccdaa9aa63114ab42d49f3fe81519d9

Kimwolf

Property          | Value
------------------|------------------------------------------------------
Type              | Mirai-derivative DDoS bot + SOCKS proxy
Variants          | ELF (ARM/MIPS/x86) + APK (Android)
Packing           | UPX (standard and custom)
C2                | ENS blockchain (pawsatyou[.]eth) + traditional domains
DDoS vectors      | 13 types (UDP/TCP flood variants)
Proxy             | SOCKS forwarding (96.5% of observed commands)
Auth              | ECDSA 3-stage handshake
DNS               | DNS-over-TLS for evasion
Instance lock     | Unix socket @niggaboxv[N]
Signing cert      | "John Dinglebert Dinglenut VIII VanSack Smith"
Cert fingerprint  | 182256bca46a5c02def26550a154561ec5b2b983
Record DDoS       | 31.4 Tbps (Nov 2025)

Kimsuky (APT43) -- For Comparison (NOT involved in Android TV botnets)

Property        | Value
----------------|-----------------------------------------------------
Type            | State-sponsored espionage (DPRK)
Targets         | Think tanks, government, academia
Android ops     | DocSwap spyware via QR phishing, KoSpy surveillance
Delivery        | Spearphishing, QR codes, social engineering
Malware         | PowerShell backdoors, custom RATs, credential harvesters
IoT/Botnet ops  | NONE DOCUMENTED

MalwareBazaar Sample Inventory

Kimwolf Samples (20 samples, uploaded 2026)


Bigpanzi Pcdn Samples (from XLab research)

MD5                               | Component
----------------------------------|-------------------------
9a1a6d484297a4e5d6249253f216ed69  | Pandoraspear (initial)
7ccdaa9aa63114ab42d49f3fe81519d9  | Pcdn (latest Aug 2021)
95357a1d45deebd8bdc4ac01a4ad8c08  | Pcdn variant
5b2727ba2924fd4d204bf39e601bb77c  | Pcdn variant
4338e9bd02b42eb458f8515caa3bab8e  | Pcdn variant
634c0e7fcc9529005a63c2918ad9dcc5  | Pcdn variant

MITRE ATT&CK Mapping

Bigpanzi

Tactic           | Technique                   | ID        | Application
-----------------|-----------------------------|-----------|--------------------------------------------
Initial Access   | Supply Chain Compromise     | T1195     | Backdoored firmware/APKs via pirate forums
Execution        | System Services             | T1569     | system() calls from Pandoraspear
Persistence      | Boot/Logon Init Scripts     | T1037     | /system/bin placement in firmware
Defense Evasion  | Obfuscated Files            | T1027     | OLLVM, modified UPX, Blowfish encryption
Defense Evasion  | Debugger Evasion            | T1622     | TracerPid anti-debug
C2               | Application Layer Protocol  | T1071     | HTTP + custom encrypted protocol on port 9999
C2               | DNS Hijacking               | T1584.001 | /etc/hosts modification for C2
Impact           | Network DoS                 | T1498     | 8 DDoS attack vectors

Kimwolf/Aisuru

Tactic           | Technique                   | ID        | Application
-----------------|-----------------------------|-----------|------------------------------------------------
Initial Access   | Exploit Public-Facing App   | T1190     | ADB port 5555 exploitation
Initial Access   | Supply Chain Compromise     | T1195     | 600+ trojanized APKs, 3000+ Windows binaries
Execution        | Command-Line Interface      | T1059     | ADB shell commands
Defense Evasion  | Encrypted Channel           | T1573     | DNS-over-TLS, ECDSA auth
C2               | Web Service                 | T1102.002 | Ethereum ENS (pawsatyou[.]eth)
C2               | Proxy                       | T1090     | SOCKS proxy relay (96.5% of commands)
Impact           | Network DoS                 | T1498     | 13 DDoS vectors, 31.4 Tbps record

Threat Actor Profiles

Bigpanzi

  • Confidence: HIGH for Chinese origin
  • Evidence: Alibaba Cloud registration (HiChina), Chinese security firm first disclosure, QianXin XLab detailed attribution
  • Active Since: 2015 (8+ years)
  • Motivation: Financial (pirate streaming monetization + DDoS-for-hire)
  • Scale: ~170K daily active bots, 1.3M+ cumulative IPs
  • Geography: Concentrated in Brazil (Sao Paulo)
  • OPSEC: Moderate -- long-lived infrastructure, minimal domain rotation

Kimwolf/Aisuru

  • Confidence: MEDIUM for multinational operation
  • Evidence: Krebs reporting, Synthient research, ENS blockchain records, Discord server (deleted)
  • Active Since: 2025
  • Motivation: Financial (DDoS-for-hire + residential proxy resale)
  • Scale: 2M+ infected devices, 1.83M daily active bots
  • Key actors: Dort (Canada), Snow (unknown), Forky (Brazil), Shox/Linus (Utah, US), Friedrich Kraft (Germany)
  • OPSEC: Poor -- real names exposed, Discord indexed by Flashpoint, ENS records public

Kimsuky (APT43) -- NOT INVOLVED

  • Confidence: DEFINITIVE that Kimsuky is NOT involved in Android TV botnet operations
  • Evidence: All Kimsuky MalwareBazaar samples are PowerShell/RAR/ZIP (espionage tools). No ELF/APK botnet samples. No IoT targeting documented by CISA, Mandiant, or any CERT.
  • The name "Kimsuky" in the source tweet is a misidentification of "Kimwolf"

The Battlefield -- Device Population Overlap

The Android TV box ecosystem (~50M+ vulnerable devices globally) is contested by at least four major botnets:

  • Bigpanzi territory: ~170K daily active (Brazil-heavy), Pandoraspear backdoor + Pcdn P2P CDN, infection via pirated firmware/APKs
  • Kimwolf territory: ~1.83M daily active (222 countries), Mirai-derivative DDoS + SOCKS proxy, infection via ADB:5555 + residential proxy tunneling
  • Vo1d territory: ~1.6M daily active, Bigpanzi-like string decryption, independent operation
  • BadBox territory: ~10M+ (supply chain compromise), pre-installed in factory firmware, ad fraud focus

Contested zones exist where devices are infected by multiple botnets simultaneously. Kimwolf + Aisuru have been confirmed coexisting on the same devices (same infection scripts). Bigpanzi + Vo1d have suspected overlap (shared decryption techniques). All botnets target the same cheap Android TV box models (X96Q, MX10, SuperBOX, HiDPTAndroid, etc.).

Immediate (24-48 hours)

  • Block all Bigpanzi C2 IPs and domains listed above at network perimeter
  • Monitor for connections to port 9999 from Android TV devices
  • Check for ADB port 5555 exposure on all Android devices
  • Block ENS resolution for pawsatyou[.]eth

Short-term (1-2 weeks)

  • Audit all Android TV boxes and streaming devices on the network
  • Replace cheap off-brand Android TV boxes with Google-certified devices
  • Disable ADB over network on all Android devices
  • Implement DNS sinkholing for known C2 domains

Medium-term (1-3 months)

  • Establish IoT network segmentation (VLAN isolation for media devices)
  • Deploy network monitoring for unusual P2P traffic patterns (Pcdn)
  • Monitor Ethereum ENS records for C2 domain updates
  • Consider residential proxy detection solutions
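One way to put the perimeter monitoring from the recommendations above into practice. This is an added example, not tooling from the report or from GHOST: it triages constructed Zeek-style connection records against the Bigpanzi C2 addresses, the Kimwolf downloader range, the port 9999/31226 beacon ports and ADB 5555 exposure on a hypothetical media-device VLAN (192.168.50.0/24 is an assumed range, as are the sample records).

```python
"""Triage constructed connection records (Zeek conn.log-style, tab-separated:
ts src_ip src_port dst_ip dst_port proto) against this report's Bigpanzi and
Kimwolf indicators. Added example, not the report's own tooling."""
import ipaddress

# Pandoraspear (9999) and Pcdn (31226) C2 addresses from the report's tables.
BIGPANZI_C2_IPS = {
    "47.76.118.67", "71.19.252.21", "71.19.251.233", "71.19.252.13",
    "173.255.221.98", "172.232.182.63", "91.195.240.103", "162.209.126.216",
}
# Kimwolf downloader range 93.95.112.50-59 (Resi Rack LLC) from the report.
KIMWOLF_DOWNLOADERS = {f"93.95.112.{i}" for i in range(50, 60)}
C2_PORTS = {9999: "Pandoraspear C2", 31226: "Pcdn C2", 19906: "Pcdn status"}
ADB_PORT = 5555
# Assumption: media devices sit in this VLAN (hypothetical range).
MEDIA_VLAN = ipaddress.ip_network("192.168.50.0/24")

def classify(record):
    """Return (category, src, dst, dport) alerts for one connection record."""
    _ts, src, _sport, dst, dport, proto = record.split("\t")
    dport = int(dport)
    src_is_media = ipaddress.ip_address(src) in MEDIA_VLAN
    dst_is_media = ipaddress.ip_address(dst) in MEDIA_VLAN
    alerts = []
    if dst in BIGPANZI_C2_IPS:
        alerts.append(("bigpanzi_c2", src, dst, dport))
    elif dst in KIMWOLF_DOWNLOADERS:
        alerts.append(("kimwolf_downloader", src, dst, dport))
    elif src_is_media and dport in C2_PORTS:
        # Bigpanzi C2 port, but a destination not yet on the list: review it.
        alerts.append(("c2_port_unknown_host", src, dst, dport))
    # ADB reachable over the network on a media device, whether from the
    # internet or from a neighbour (Kimwolf's documented lateral-movement path).
    if dst_is_media and dport == ADB_PORT and proto == "tcp":
        alerts.append(("adb_exposed", src, dst, dport))
    return alerts

def triage(log_text):
    """Run classify() over every non-empty line and return all alerts."""
    return [a for line in log_text.splitlines() if line.strip()
            for a in classify(line)]

# Constructed sample: a C2 beacon, benign DNS, 9999 to an unlisted host,
# ADB from a neighbour, ADB from the internet, a Kimwolf downloader fetch.
SAMPLE_LOG = """\
1775200000.1\t192.168.50.12\t41234\t47.76.118.67\t9999\ttcp
1775200001.2\t192.168.50.12\t41235\t8.8.8.8\t53\tudp
1775200002.3\t192.168.50.17\t40001\t203.0.113.9\t9999\ttcp
1775200003.4\t192.168.50.12\t50000\t192.168.50.17\t5555\ttcp
1775200004.5\t198.51.100.7\t55555\t192.168.50.20\t5555\ttcp
1775200005.6\t192.168.50.20\t43210\t93.95.112.55\t80\ttcp
"""
```

Running `triage(SAMPLE_LOG)` on the constructed records yields five alerts; the benign DNS lookup produces none, and the two ADB hits show why the report recommends disabling ADB over the network as well as blocking it at the perimeter.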

References

  • XLab/QianXin: "Bigpanzi Exposed" (Jan 2024)
  • XLab/QianXin: "Kimwolf Exposed" (Dec 2025)
  • Krebs on Security: "Who Benefited from the Aisuru and Kimwolf Botnets?" (Jan 2026)
  • Krebs on Security: "The Kimwolf Botnet is Stalking Your Local Network" (Jan 2026)
  • The Hacker News: "AISURU/Kimwolf Botnet Launches Record-Setting 31.4 Tbps DDoS Attack" (Feb 2026)
  • Cloudflare: "What is the Aisuru-Kimwolf botnet?"
  • BleepingComputer: "Bigpanzi botnet infects 170,000 Android TV boxes" (Jan 2024)
  • CISA: AA20-301A -- "North Korean APT Focus: Kimsuky"

GHOST -- Breakglass Intelligence "One indicator. Total infrastructure."
