Key Takeaway
The Kimwolf IoT botnet recently attempted a Sybil attack on the I2P network by flooding it with hundreds of thousands of infected devices, causing severe disruptions. Kimwolf operators use I2P and similar anonymity networks as fallback command and control channels to evade takedown efforts. Detection involves monitoring network anomalies and known IoT malware signatures; removal requires firmware patching and network segmentation.
The Kimwolf botnet, an Internet of Things (IoT) malware family first identified in late 2025, has recently targeted The Invisible Internet Project (I2P), a decentralized encrypted communications network. Kimwolf leverages poorly secured IoT devices—including streaming boxes, routers, and digital photo frames—to launch large-scale distributed denial-of-service (DDoS) attacks and maintain persistence.
Starting February 3, 2026, I2P users reported widespread network disruptions. Tens of thousands of routers, many infected with Kimwolf, flooded the I2P network, overwhelming its capacity and preventing legitimate nodes from communicating effectively. This traffic surge was traced to an attempted Sybil attack, where Kimwolf command and control (C2) infrastructure tried to integrate approximately 700,000 malicious bots as I2P nodes.
The Sybil attack compromised the network’s reliability by introducing a vast number of fake identities, causing legitimate users to lose connectivity. I2P’s network size normally ranges between 15,000 and 20,000 devices daily, according to Lance James, founder of Unit 221B and original I2P developer. The sudden influx vastly exceeded this, causing routers to freeze due to excessive connection counts.
Kimwolf operators openly acknowledged the disruption on their Discord channel, indicating their intent was to use I2P as a fallback communication channel to evade takedown attempts targeting their primary control servers. This strategy aligns with reports that Kimwolf attempts to resist mitigation by shifting C2 infrastructure to anonymity networks like I2P and Tor, though the latter has not experienced similar disruptions.
Kimwolf’s capabilities include persistence on IoT devices with weak security, high-volume DDoS attacks, and evasion through decentralized, anonymous C2 channels. The botnet affects IoT platforms running on embedded Linux and other lightweight operating systems commonly found in consumer devices.
Detection signatures for Kimwolf include unusual outbound connections targeting known Kimwolf C2 domains and IP addresses, anomalous network traffic spikes consistent with botnet scanning and propagation, and identification of known Kimwolf malware hashes reported by vendors such as Palo Alto Networks and CrowdStrike. Network defenders should monitor for sudden surges of new router identities in decentralized networks like I2P and correlate with IoT device telemetry.
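As an added illustration of the last point (this is example code, not from the original article or from I2P), the function below flags a Sybil-style surge in daily distinct router identities against a robust trailing baseline. The daily counts are constructed for the example, modelled on the 15,000-20,000 routers/day normal range cited above, and the window and multiplier are assumed thresholds.

```python
"""Detect a Sybil-style surge of router identities in a decentralized
network (modelled on I2P's netDB) from daily distinct-identity counts.
Sample data is constructed, not real I2P telemetry; thresholds are assumptions."""
from dataclasses import dataclass
from statistics import median

# Constructed: daily count of distinct router identities observed in the netDB.
# A week in the normal 15k-20k range, then the flood starting 2026-02-03.
DAILY_ROUTER_COUNTS = [
    ("2026-01-27", 16_200), ("2026-01-28", 17_900), ("2026-01-29", 15_400),
    ("2026-01-30", 18_700), ("2026-01-31", 19_600), ("2026-02-01", 16_800),
    ("2026-02-02", 17_300), ("2026-02-03", 94_000), ("2026-02-04", 410_000),
]


@dataclass(frozen=True)
class SurgeAlert:
    day: str
    count: int
    baseline: int
    ratio: float


def detect_identity_surge(series, window=7, factor=2.0):
    """Flag a day whose identity count exceeds `factor` times the median of
    the preceding `window` clean days.  The median resists single-day noise,
    and flagged days are kept out of later baselines so a sustained flood
    does not quietly become the new normal."""
    alerts, clean = [], []
    for day, count in series:
        if len(clean) >= window:
            baseline = int(median(clean[-window:]))
            if count > factor * baseline:
                alerts.append(SurgeAlert(day, count, baseline, round(count / baseline, 1)))
                continue  # do not let the anomalous day pollute the baseline
        clean.append(count)
    return alerts


if __name__ == "__main__":
    for a in detect_identity_surge(DAILY_ROUTER_COUNTS):
        print(f"{a.day}: {a.count} identities, {a.ratio}x the {a.baseline} baseline")
```

In practice the input series would come from a router's own netDB statistics or a floodfill monitor, and alerts would be joined against IoT device telemetry (first-seen ASNs, device fingerprints) before acting.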
Removal guidance involves isolating affected IoT devices, applying manufacturer firmware updates to close known vulnerabilities exploited by Kimwolf, and resetting devices to factory settings where updates are unavailable. Network operators should implement strict network segmentation and enforce strong authentication to limit botnet spread. Additionally, blocking known Kimwolf C2 infrastructure at the perimeter and employing intrusion detection systems with updated threat intelligence feeds can reduce the botnet’s operational capacity.
References:
- Unit 221B (https://unit221b.com)
- I2P Official Site (https://i2p.net/)
- Kimwolf Botnet Analysis by Synthient (https://synthient.com)
- Palo Alto Networks Threat Intelligence
- CrowdStrike Malware Reports
Original Source
Krebs on Security