Kimwolf botnet leverages residential proxies to hijack 2M+ Android devices

Pierluigi Paganini January 05, 2026

The Kimwolf botnet has infected over 2 million Android devices, spreading mainly through residential proxy networks, researchers say.

The Kimwolf botnet has compromised more than 2 million Android devices, spreading primarily via residential proxy networks, according to cybersecurity firm Synthient.

Kimwolf is a newly discovered Android botnet linked to the Aisuru botnet that has infected over 1.8 million devices and issued more than 1.7 billion DDoS attack commands, according to XLab.

On October 24, 2025, XLab researchers received a new botnet sample with a standout C2 domain, 14emeliaterracewestroxburyma02132[.]su. Within a week, its popularity soared, even surpassing Google in Cloudflare’s global rankings. This massive-scale botnet, using the wolfSSL library, was named Kimwolf.

The Kimwolf Android botnet primarily targets TV boxes. It is compiled using the NDK and equipped with DDoS, proxy forwarding, reverse shell, and file management functions. It encrypts sensitive data with a simple Stack XOR, uses DNS over TLS to hide communication, and authenticates C2 commands with elliptic curve digital signatures. Recent versions even incorporate EtherHiding to resist takedowns via blockchain domains.

Kimwolf follows a naming pattern of “niggabox + v[number]”; versions v4 and v5 have been tracked. By taking over one C2 domain, researchers observed around 2.7 million IPs interacting over three days, indicating a likely infection scale exceeding 1.8 million devices. Its infrastructure spans multiple C2s, global time zones, and versions, making it hard to estimate the total number of infections.

The botnet borrows its code from the Aisuru family; however, the operators redesigned it to evade detection. Its primary function is traffic proxying, though it can also execute massive DDoS attacks, as seen in a three-day period between November 19 and 22 in which it issued 1.7 billion commands.

Kimwolf’s C2 domains have been taken down multiple times, prompting the adoption of ENS blockchain domains for resilience. Detection remains difficult due to covert techniques like DoT, low VirusTotal visibility, and rapid evolution. Researchers stress the importance of sharing intelligence to counter this large-scale, rapidly evolving threat.

Now, Synthient researchers estimate with high confidence that Kimwolf has infected over 2 million Android devices by exploiting exposed ADB services through residential proxies, creating a large network of compromised TV streaming devices and IP addresses. The firm urges proxy providers to block risky ports, users to check and wipe or destroy infected devices, and organizations to block related C2 infrastructure and monitor traffic. Synthient warns that Kimwolf underscores the growing threat of attackers abusing unsecured proxy networks as a scalable attack vector.

The Kimwolf botnet has rapidly expanded over the past two months by exploiting residential proxy networks, with many infections linked to proxy IPs rented through China-based IPIDEA. It primarily targets low-cost, unofficial Android TV boxes that are insecure or intentionally configured as proxy nodes, and Synthient found that many devices were sold pre-infected with modified software that turned them into Kimwolf bots.

“Kimwolf’s rapid growth can be attributed to its targeting of vulnerable devices through its novel exploitation of residential proxy networks,” reads the report published by Synthient. “Our honeypot network saw an increase in targeting of the domain xd[.]resi[.]to on November 12th from IPIDEA’s proxy network. This domain notably resolves to 0[.]0[.]0[.]0, which points to the device running the proxy SDK.”

Synthient researchers observed a heavy concentration of infections in Vietnam, Brazil, India, and Saudi Arabia, and activity generating around 12 million unique IP addresses per week. Analysis shows that about 67% of devices in residential proxy pools are unauthenticated and vulnerable to remote code execution. Many devices, especially TV boxes and smart TVs, appear to be shipped pre-infected with malicious proxy SDKs, allowing Kimwolf to scan and exploit them within minutes of connecting to the internet.

Synthient analyzed recent versions of the Kimwolf Android botnet, focusing on changes in the latest builds before IPIDEA patched a critical vulnerability on December 28.

The botnet deploys two near-identical binaries disguised as proxy SDKs, installs them via scripts abusing unauthenticated access, and uses simple mutex techniques to avoid multiple instances.

Kimwolf connects to remote C2 servers, listens on a local port, and has expanded Layer-7 attack capabilities, spoofing TLS fingerprints to improve DDoS effectiveness.

Beyond running its own proxy service, Kimwolf monetizes infections by installing third-party proxy SDKs such as Byteconnect, enabling credential-stuffing and bandwidth resale.

“In addition to capturing the Kimwolf payload on December 14th, Synthient’s Research Team also observed the installation of the Plainproxies Byteconnect SDK,” continues the report. “This SDK offers a bandwidth monetization service, indicating that Kimwolf actors received payment for performing app installs on compromised devices. This further highlights the threat actors’ monetization attempts, in addition to the operation of their own proxy services.”

The campaign exposed millions of devices via insecure proxy ecosystems, prompting coordinated disclosure, mitigations, and guidance for providers, organizations, and end users.

“Kimwolf highlights the significant risks posed by residential proxy networks, along with their sophisticated operations that exploit the ‘gray market’ of the proxy ecosystem. The botnet’s unprecedented growth to over 2 million devices is not just a failure of individual device security but a systemic vulnerability within the residential proxy supply chain,” concludes the report.
