Kimwolf Botnet Campaign

Security researchers have uncovered a massive Android-focused botnet known as Kimwolf, which has compromised over two million devices by exploiting residential proxy networks. The malware transforms everyday consumer hardware into a global attack platform, quietly routing malicious traffic and enabling large-scale distributed denial-of-service (DDoS) operations. Observations show roughly 12 million unique IP addresses every week, highlighting the extraordinary scope of this operation.

Origins, Evolution, and Links to AISURU

Kimwolf was first publicly analyzed in December 2025, when investigators identified strong technical and infrastructural ties to another botnet called AISURU. Evidence suggests Kimwolf has been active since at least August 2025 and represents an Android-based evolution of AISURU. Researchers increasingly believe this botnet powered several record-breaking DDoS campaigns observed toward the end of last year.

Global Infection Footprint and Targeted Devices

Although Kimwolf has a worldwide presence, infections are heavily concentrated in Vietnam, Brazil, India, and Saudi Arabia. A significant portion of compromised systems are unofficial Android smart TVs and set-top boxes, many of which ship with insecure default configurations.

At least 67% of connected devices expose an unauthenticated Android Debug Bridge (ADB) service, leaving them open to remote control. Investigators suspect that many of these products are preloaded with proxy-related software development kits (SDKs) before reaching consumers, effectively enrolling them into proxy ecosystems that later become delivery channels for malware.

How Kimwolf Spreads and Maintains Control

Kimwolf’s operators rely on large residential proxy networks to scan the internet for Android devices running exposed ADB services. Once identified, malware is installed remotely, turning the device into a traffic relay and attack node. The core payload opens a listener on port 40860 and establishes outbound communication with 85.234.91[.]247:1337, from which it receives operational commands.

As recently as December 2025, infections were traced to proxy IP addresses rented from China-based IPIDEA, a provider advertising itself as the world’s leading IP proxy service with over 6.1 million daily refreshed IPs and 69,000 new addresses each day. On December 27, IPIDEA deployed a security update blocking access to local networks and sensitive ports after evidence emerged that attackers were tunneling through customer-installed proxy software to reach internal devices.

The exposure created by this technique was described by analysts as unprecedented, placing millions of consumer systems directly in the path of automated exploitation.

Monetization: Proxies, Payloads, and Paid Attacks

From the outset, Kimwolf’s financial motives were clear. The operators aggressively commercialized their infrastructure, turning compromised devices into profit-generating assets through multiple channels:

  • Sale of residential proxy access, advertised as cheaply as $0.20 per GB or about $1,400 per month for unlimited bandwidth, which attracted early adoption from multiple proxy services.
  • Deployment of secondary monetization SDKs, most notably the Plainproxies Byteconnect SDK, which routes paid proxy tasks from a command server to infected devices via 119 dedicated relay servers.
  • Abuse of the botnet for cybercrime operations, including large-scale DDoS activity and observed credential-stuffing campaigns against IMAP services and popular online platforms.

The presence of pre-infected TV boxes and the integration of commercial bandwidth-sharing SDKs strongly suggest a deepening collaboration between botnet operators and segments of the proxy economy.

Defensive Measures and Risk Reduction

To mitigate similar threats, coordinated action is required across both service providers and end-user environments:

  • Proxy networks should block traffic destined for RFC 1918 address ranges, preventing external customers from reaching internal private networks where consumer devices reside.
  • Organizations and individuals must disable or restrict unauthenticated ADB access on Android systems, particularly embedded and IoT-style devices that often ship with insecure defaults.

Without these controls, residential proxy ecosystems will continue to provide ideal cover for large-scale malware deployment and botnet expansion.
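As an added illustration of the first control above (example code, not code from the page or from any proxy vendor), the following Python egress policy is what a residential proxy exit could apply before forwarding a customer's request: it refuses LAN-only destinations (RFC 1918 plus loopback, link-local and CGNAT space, including IPv4-mapped IPv6 forms that would otherwise slip past an IPv4-only check), sensitive ports, and the command-and-control endpoint named above. The ADB-over-TCP port 5555 and the exact range list are my assumptions; port 40860 and 85.234.91.247:1337 come from the page.

```python
import ipaddress

# Destinations a consumer-hosted proxy node should never forward to: these
# all point at the host's own LAN or itself, not the public internet.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "::1/128", "fe80::/10", "fc00::/7",                # IPv6 loopback, link-local, ULA
)]

# 5555 is the usual ADB-over-TCP port (assumption, not stated on the page);
# 40860 is the listener the Kimwolf payload opens on an infected device.
SENSITIVE_PORTS = {5555, 40860}

# Command-and-control endpoint reported on the page (defanged there as 85.234.91[.]247).
KNOWN_C2 = {("85.234.91.247", 1337)}


def should_block(dst_ip: str, dst_port: int) -> tuple[bool, str]:
    """Decide whether a proxied connection to (dst_ip, dst_port) is refused.

    Returns (blocked, reason) so the caller can log why a request was dropped.
    """
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return True, "unparseable destination address"
    # "::ffff:10.0.0.5" is an IPv6 literal that really targets 10.0.0.5;
    # normalise it so the IPv4 range checks below apply to it too.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_multicast or addr.is_unspecified:
        return True, "non-unicast destination"
    for net in BLOCKED_NETWORKS:
        if addr in net:
            return True, f"destination in blocked range {net}"
    if (str(addr), dst_port) in KNOWN_C2:
        return True, "destination matches known Kimwolf C2"
    if dst_port in SENSITIVE_PORTS:
        return True, f"sensitive port {dst_port}"
    return False, "allowed"


def filter_requests(requests):
    """Apply the policy to (ip, port) pairs; return only the refused ones with reasons."""
    refused = []
    for ip, port in requests:
        blocked, reason = should_block(ip, port)
        if blocked:
            refused.append((ip, port, reason))
    return refused


if __name__ == "__main__":
    # Constructed sample of customer requests seen at an exit node.
    sample = [("192.168.1.20", 5555), ("::ffff:10.0.0.5", 80),
              ("203.0.113.10", 443), ("203.0.113.10", 5555), ("85.234.91.247", 1337)]
    for entry in filter_requests(sample):
        print("refused:", entry)
```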