Bkav cybersecurity experts have identified the presence of a large-scale botnet infrastructure known as Kimwolf, which exploits TV Boxes and Smart TVs running customized operating systems with insecure software configurations and weak security settings. The attackers take control of these devices and turn them into components of a global botnet network.
According to published cybersecurity reports, Kimwolf has compromised more than 2 million devices worldwide. Vietnam is among the countries most severely affected, alongside Brazil, India, and Saudi Arabia, largely due to the widespread use of low-cost, unbranded TV Boxes and Smart TVs with unclear origins.

Analysis by Bkav experts shows that the root cause lies in poorly controlled security practices across the device supply chain. Many low-cost TV Boxes and Smart TVs currently on the market run customized operating systems and outdated software, and receive no regular security updates. More critically, numerous devices come pre-installed with non-transparent software before reaching end users. These components are difficult to detect and cannot be removed, even after a factory reset.
Once connected to the Internet, the malware runs silently in the background and communicates with attackers’ command-and-control servers. Instead of damaging the devices, Kimwolf turns users’ TV Boxes and Smart TVs into Internet relay points, exploiting the users’ legitimate IP addresses. These IPs are sold or rented on underground markets to support large-scale cyberattacks, used as nodes in botnet-driven distributed denial-of-service (DDoS) attacks or for illegal traffic forwarding, and used as cover for illicit online activities without the users’ knowledge. The consequences go beyond degraded device performance and Internet quality, and may also expose victims, the owners of the Internet connections, to potential legal risks.
Statistics from security reports indicate that approximately 12 million unique public IP addresses associated with the Kimwolf botnet infrastructure are observed each week, concentrated in several countries, including Vietnam.
To reduce risks and prevent household devices from being exploited for malicious purposes, Bkav recommends that users:
- Choose devices only from reputable manufacturers with clear origins and regular security update mechanisms.
- Monitor for abnormal signs such as slow device performance, automatic installation of unfamiliar applications, or unusual Internet bandwidth consumption.
- When suspicious behavior is detected, disconnect the device from the Internet immediately and consider discontinuing use of devices that cannot be adequately controlled or secured.
Bkav