The Kimwolf botnet, an Android-based variant of the Aisuru malware family, has rapidly expanded into one of the largest active botnets observed to date. Researchers estimate that more than two million Android devices are currently infected worldwide, collectively generating approximately twelve million unique IP addresses each week.
The botnet’s growth accelerated throughout the second half of 2025, driven by systematic abuse of residential proxy networks. By leveraging permissive proxy configurations, Kimwolf operators were able to reach devices located on internal networks, many of which exposed Android Debug Bridge (ADB) services without authentication.
Once compromised, infected devices were repurposed for distributed denial-of-service attacks, residential proxy resale operations, and monetized application installations through third-party SDKs. Kimwolf is part of the broader Aisuru botnet family, which has previously been linked to record-breaking DDoS attacks measured at nearly 30 terabits per second.
Abuse of residential proxy infrastructure
Threat researchers at Synthient and XLab identified residential proxy networks as the primary infection vector enabling Kimwolf’s rapid expansion. Certain proxy providers permitted outbound access to local network addresses and unrestricted port ranges, unintentionally exposing internal devices connected to the same network as the proxy client.
Beginning in November 2025, Kimwolf operators significantly increased scanning activity across proxy endpoints, targeting ports commonly associated with unauthenticated ADB services, including 5555, 5858, 12108, and 3222. When an exposed device was identified, payloads were delivered using netcat or telnet, piping shell scripts directly into the device for execution.
Researchers observed that devices joining vulnerable proxy pools were often scanned and compromised within minutes, highlighting how quickly threat actors could capitalize on these misconfigurations.
Pre-infected devices and supply chain exposure
Analysis of compromised systems revealed that many affected Android devices were already running proxy SDKs prior to infection. In multiple cases, devices appeared to be preloaded with these components before being sold to consumers.
Synthient researchers purchased several Android TV boxes associated with Kimwolf infections and confirmed that some units arrived with proxy software already installed. These devices typically lacked security updates, shipped with debugging interfaces enabled, and were rarely monitored after deployment.
The most frequently impacted hardware included low-cost Android TV boxes, generic streaming devices, and smart TV platforms sold under obscure or rapidly changing brand names. High infection concentrations were observed in Vietnam, Brazil, India, and Saudi Arabia, though Kimwolf’s infrastructure spans a global footprint.
Malware behavior and command infrastructure
Once installed, Kimwolf deploys multiple binaries to establish persistence and prevent duplicate instances from running simultaneously. The malware listens on high-numbered ports for commands and maintains encrypted connections to remote command-and-control servers.
Recent variants expanded the botnet’s Layer 7 attack capabilities, introducing TLS fingerprint spoofing through custom Go-based libraries. These techniques allow malicious traffic to more closely resemble legitimate browser behavior, complicating detection and mitigation efforts.
In addition to DDoS activity, Kimwolf operators monetized infected devices by installing bandwidth-sharing SDKs such as Byteconnect. This enabled credential-stuffing attacks, proxy task execution, and resale of residential IP bandwidth without user awareness or consent.
Proxy provider response and mitigation efforts
Following responsible disclosures from researchers, at least one major proxy provider implemented emergency changes to block access to internal networks and restrict high-risk ports. Despite these efforts, researchers believe additional proxy networks remain vulnerable, and not all impacted providers could be conclusively identified.
The findings underscore how residential proxy ecosystems, when improperly segmented, can serve as high-impact attack surfaces rather than passive infrastructure.
Reducing exposure to Kimwolf infections
Security researchers strongly advise consumers and organizations to avoid low-cost generic Android TV boxes and instead use devices certified under Google Play Protect from established manufacturers. Devices suspected of infection should be wiped or permanently removed from service, as persistence mechanisms make reliable remediation difficult.
Proxy providers are urged to block RFC1918 address ranges, restrict sensitive ports, and audit traffic patterns for evidence of internal network access. Organizations should monitor outbound connections linked to known Kimwolf infrastructure and review network inventories for unauthorized proxy SDKs.
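One way a proxy provider could encode the egress controls described above (deny RFC1918 and other non-routable destinations, deny the ADB-associated ports named earlier, and audit exit logs for internal-network access). This is an added Python example, not code from the article or from any researcher or provider it mentions; the log format and client IDs are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Destination ranges a residential proxy exit should never reach on a customer's
# behalf: RFC1918, loopback, link-local and CGNAT (RFC6598) space.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]

# Ports the article reports Kimwolf scanning for unauthenticated ADB services.
ADB_PORTS = {5555, 5858, 12108, 3222}


@dataclass
class Verdict:
    allowed: bool
    reason: str


def egress_policy(dst_ip: str, dst_port: int) -> Verdict:
    """Decide whether a proxy client may open a connection to dst_ip:dst_port."""
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return Verdict(False, "unparseable destination")
    if any(addr in net for net in BLOCKED_NETWORKS):
        return Verdict(False, "internal destination")
    if dst_port in ADB_PORTS:
        return Verdict(False, "ADB-associated port")
    return Verdict(True, "ok")


# Constructed sample of a proxy exit log, one "<client_id> <dst_ipv4>:<dst_port>"
# record per line (IPv6 destinations would need bracket-aware parsing).
SAMPLE_LOG = """\
c1 203.0.113.10:443
c1 192.168.1.50:5555
c2 10.0.0.7:22
c2 198.51.100.25:80
c3 203.0.113.77:12108
"""


def audit_log(log: str) -> list[tuple[str, str, int, str]]:
    """Return (client, ip, port, reason) for every record the policy would deny."""
    hits = []
    for line in log.splitlines():
        client, dst = line.split()
        ip, port = dst.rsplit(":", 1)
        verdict = egress_policy(ip, int(port))
        if not verdict.allowed:
            hits.append((client, ip, int(port), verdict.reason))
    return hits
```

Running `audit_log(SAMPLE_LOG)` flags the two private-range destinations and the public destination on port 12108; a client that repeatedly trips the first rule is the pattern of internal-network access the article asks providers to look for.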
A systemic risk in the residential proxy ecosystem
Kimwolf’s growth highlights a structural weakness in the residential proxy market. The combination of pre-infected hardware, permissive proxy configurations, and demand for low-cost residential bandwidth has created an environment where botnets can scale rapidly with minimal resistance.
Researchers assess that Kimwolf provides a blueprint for future botnet operations that blend malware distribution, proxy monetization, and large-scale denial-of-service capabilities into a single ecosystem. Without stronger controls across the proxy supply chain, similar campaigns are likely to continue emerging.
