{
	"id": "e0eeffab-4682-4ea7-8c83-0d67d0391d6c",
	"created_at": "2026-04-06T00:07:53.633617Z",
	"updated_at": "2026-04-10T03:24:39.926272Z",
	"deleted_at": null,
	"sha1_hash": "1edf71b61cf85ad7ba9c0a9b95538ea452e34136",
	"title": "Who Benefited from the Aisuru and Kimwolf Botnets?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2092808,
	"plain_text": "Who Benefited from the Aisuru and Kimwolf Botnets?\r\nPublished: 2026-01-09 · Archived: 2026-04-05 14:25:39 UTC\r\nOur first story of 2026 revealed how a destructive new botnet called Kimwolf has infected more than two million\r\ndevices by mass-compromising a vast number of unofficial Android TV streaming boxes. Today, we’ll dig\r\nthrough digital clues left behind by the hackers, network operators and services that appear to have benefitted\r\nfrom Kimwolf’s spread.\r\nOn Dec. 17, 2025, the Chinese security firm XLab published a deep dive on Kimwolf, which forces infected\r\ndevices to participate in distributed denial-of-service (DDoS) attacks and to relay abusive and malicious Internet\r\ntraffic for so-called “residential proxy” services.\r\nThe software that turns one’s device into a residential proxy is often quietly bundled with mobile apps and games.\r\nKimwolf specifically targeted residential proxy software that is factory installed on more than a thousand different\r\nmodels of unsanctioned Android TV streaming devices. Very quickly, the residential proxy’s Internet address starts\r\nfunneling traffic that is linked to ad fraud, account takeover attempts and mass content scraping.\r\nThe XLab report explained its researchers found “definitive evidence” that the same cybercriminal actors and\r\ninfrastructure were used to deploy both Kimwolf and the Aisuru botnet — an earlier version of Kimwolf that also\r\nenslaved devices for use in DDoS attacks and proxy services.\r\nXLab said it suspected since October that Kimwolf and Aisuru had the same author(s) and operators, based in part\r\non shared code changes over time. 
But it said those suspicions were confirmed on December 8 when it witnessed\r\nboth botnet strains being distributed by the same Internet address at 93.95.112[.]59.\r\nhttps://krebsonsecurity.com/2026/01/who-benefited-from-the-aisuru-and-kimwolf-botnets/\r\nPage 1 of 12\n\nImage: XLab.\r\nRESI RACK\r\nPublic records show the Internet address range flagged by XLab is assigned to Lehi, Utah-based Resi Rack LLC.\r\nResi Rack’s website bills the company as a “Premium Game Server Hosting Provider.” Meanwhile, Resi Rack’s\r\nads on the Internet moneymaking forum BlackHatWorld refer to it as a “Premium Residential Proxy Hosting and\r\nProxy Software Solutions Company.”\r\nResi Rack co-founder Cassidy Hales told KrebsOnSecurity his company received a notification on December 10\r\nabout Kimwolf using their network “that detailed what was being done by one of our customers leasing our\r\nservers.”\r\n“When we received this email we took care of this issue immediately,” Hales wrote in response to an email\r\nrequesting comment. “This is something we are very disappointed is now associated with our name and this was\r\nnot the intention of our company whatsoever.”\r\nThe Resi Rack Internet address cited by XLab on December 8 came onto KrebsOnSecurity’s radar more than two\r\nweeks before that. Benjamin Brundage is founder of Synthient, a startup that tracks proxy services. 
In late\r\nOctober 2025, Brundage shared that the people selling various proxy services which benefitted from the Aisuru\r\nand Kimwolf botnets were doing so at a new Discord server called resi[.]to.\r\nOn November 24, 2025, a member of the resi-dot-to Discord channel shares an IP address responsible for\r\nproxying traffic over Android TV streaming boxes infected by the Kimwolf botnet.\r\nWhen KrebsOnSecurity joined the resi[.]to Discord channel in late October as a silent lurker, the server had fewer\r\nthan 150 members, including “Shox” — the nickname used by Resi Rack’s co-founder Mr. Hales — and his\r\nbusiness partner “Linus,” who did not respond to requests for comment.\r\nOther members of the resi[.]to Discord channel would periodically post new IP addresses that were responsible for\r\nproxying traffic over the Kimwolf botnet. As the screenshot from resi[.]to above shows, that Resi Rack Internet\r\naddress flagged by XLab was used by Kimwolf to direct proxy traffic as far back as November 24, if not earlier.\r\nAll told, Synthient said it tracked at least seven static Resi Rack IP addresses connected to Kimwolf proxy\r\ninfrastructure between October and December 2025.\r\nNeither of Resi Rack’s co-owners responded to follow-up questions. Both have been active in selling proxy\r\nservices via Discord for nearly two years. According to a review of Discord messages indexed by the cyber\r\nintelligence firm Flashpoint, Shox and Linus spent much of 2024 selling static “ISP proxies” by routing various\r\nInternet address blocks at major U.S. Internet service providers.\r\nIn February 2025, AT\u0026T announced that effective July 31, 2025, it would no longer originate routes for network\r\nblocks that are not owned and managed by AT\u0026T (other major ISPs have since made similar moves). 
Less than a\r\nmonth later, Shox and Linus told customers they would soon cease offering static ISP proxies as a result of these\r\npolicy changes.\r\nShox and Linus, talking about their decision to stop selling ISP proxies.\r\nDORT \u0026 SNOW\r\nThe stated owner of the resi[.]to Discord server went by the abbreviated username “D.” That initial appears to be\r\nshort for the hacker handle “Dort,” a name that was invoked frequently throughout these Discord chats.\r\nDort’s profile on resi dot to.\r\nThis “Dort” nickname came up in KrebsOnSecurity’s recent conversations with “Forky,” a Brazilian man who\r\nacknowledged being involved in the marketing of the Aisuru botnet at its inception in late 2024. But Forky\r\nvehemently denied having anything to do with a series of massive and record-smashing DDoS attacks in the latter\r\nhalf of 2025 that were blamed on Aisuru, saying the botnet by that point had been taken over by rivals.\r\nForky asserts that Dort is a resident of Canada and one of at least two individuals currently in control of the\r\nAisuru/Kimwolf botnet. The other individual Forky named as an Aisuru/Kimwolf botmaster goes by the nickname\r\n“Snow.”\r\nOn January 2 — just hours after our story on Kimwolf was published — the historical chat records on resi[.]to\r\nwere erased without warning and replaced by a profanity-laced message for Synthient’s founder. 
Minutes after\r\nthat, the entire server disappeared.\r\nLater that same day, several of the more active members of the now-defunct resi[.]to Discord server moved to a\r\nTelegram channel where they posted Brundage’s personal information, and generally complained about being\r\nunable to find reliable “bulletproof” hosting for their botnet.\r\nHilariously, a user by the name “Richard Remington” briefly appeared in the group’s Telegram server to post a\r\ncrude “Happy New Year” sketch that claims Dort and Snow are now in control of 3.5 million devices infected by\r\nAisuru and/or Kimwolf. Richard Remington’s Telegram account has since been deleted, but it previously stated its\r\nowner operates a website that caters to DDoS-for-hire or “stresser” services seeking to test their firepower.\r\nBYTECONNECT, PLAINPROXIES, AND 3XK TECH\r\nReports from both Synthient and XLab found that Kimwolf was used to deploy programs that turned infected\r\nsystems into Internet traffic relays for multiple residential proxy services. Among those was a component that\r\ninstalled a software development kit (SDK) called ByteConnect, which is distributed by a provider known as\r\nPlainproxies.\r\nByteConnect says it specializes in “monetizing apps ethically and free,” while Plainproxies advertises the ability\r\nto provide content scraping companies with “unlimited” proxy pools. However, Synthient said that upon\r\nconnecting to ByteConnect’s SDK they instead observed a mass influx of credential-stuffing attacks targeting\r\nemail servers and popular online websites.\r\nA search on LinkedIn finds the CEO of Plainproxies is Friedrich Kraft, whose resume says he is co-founder of\r\nByteConnect Ltd. Public Internet routing records show Mr. Kraft also operates a hosting firm in Germany called\r\n3XK Tech GmbH. Mr. 
Kraft did not respond to repeated requests for an interview.\r\nIn July 2025, Cloudflare reported that 3XK Tech (a.k.a. Drei-K-Tech) had become the Internet’s largest source of\r\napplication-layer DDoS attacks. In November 2025, the security firm GreyNoise Intelligence found that Internet\r\naddresses on 3XK Tech were responsible for roughly three-quarters of the Internet scanning being done at the time\r\nfor a newly discovered and critical vulnerability in security products made by Palo Alto Networks.\r\nSource: Cloudflare’s Q2 2025 DDoS threat report.\r\nLinkedIn has a profile for another Plainproxies employee, Julia Levi, who is listed as co-founder of ByteConnect.\r\nMs. Levi did not respond to requests for comment. Her resume says she previously worked for two major proxy\r\nproviders: Netnut Proxy Network, and Bright Data.\r\nSynthient likewise said Plainproxies ignored their outreach, noting that the ByteConnect SDK remains\r\nactive on devices compromised by Kimwolf.\r\nA post from the LinkedIn page of Plainproxies Chief Revenue Officer Julia Levi, explaining how the residential\r\nproxy business works.\r\nMASKIFY\r\nSynthient’s January 2 report said another proxy provider heavily involved in the sale of Kimwolf proxies was\r\nMaskify, which currently advertises on multiple cybercrime forums that it has more than six million residential\r\nInternet addresses for rent.\r\nMaskify prices its service at a rate of 30 cents per gigabyte of data relayed through their proxies. 
According to\r\nSynthient, that price range is insanely low and is far cheaper than any other proxy provider in business today.\r\n“Synthient’s Research Team received screenshots from other proxy providers showing key Kimwolf actors\r\nattempting to offload proxy bandwidth in exchange for upfront cash,” the Synthient report noted. “This approach\r\nlikely helped fuel early development, with associated members spending earnings on infrastructure and\r\noutsourced development tasks. Please note that resellers know precisely what they are selling; proxies at these\r\nprices are not ethically sourced.”\r\nMaskify did not respond to requests for comment.\r\nThe Maskify website. Image: Synthient.\r\nBOTMASTERS LASH OUT\r\nHours after our first Kimwolf story was published last week, the resi[.]to Discord server vanished, Synthient’s\r\nwebsite was hit with a DDoS attack, and the Kimwolf botmasters took to doxing Brundage via their botnet.\r\nThe harassing messages appeared as text records uploaded to the Ethereum Name Service (ENS), a distributed\r\nsystem for supporting smart contracts deployed on the Ethereum blockchain. As documented by XLab, in mid-December the Kimwolf operators upgraded their infrastructure and began using ENS to better withstand the near-constant takedown efforts targeting the botnet’s control servers.\r\nAn ENS record used by the Kimwolf operators taunts security firms trying to take down the botnet’s control\r\nservers. 
Image: XLab.\r\nBecause infected systems are told to look up the Kimwolf control servers via ENS, even if the servers that the\r\nbotmasters use to control the botnet are taken down, the attacker only needs to update the ENS text record with\r\nthe new Internet address of the control server, and the infected devices will immediately know where to\r\nlook for further instructions.\r\n“This channel itself relies on the decentralized nature of blockchain, unregulated by Ethereum or other blockchain\r\noperators, and cannot be blocked,” XLab wrote.\r\nThe text records included in Kimwolf’s ENS instructions can also feature short messages, such as those that\r\ncarried Brundage’s personal information. Other ENS text records associated with Kimwolf offered some sage\r\nadvice: “If flagged, we encourage the TV box to be destroyed.”\r\nAn ENS record tied to the Kimwolf botnet advises, “If flagged, we encourage the TV box to be destroyed.”\r\nBoth Synthient and XLab say Kimwolf targets a vast number of Android TV streaming box models, all of which\r\nhave zero security protections, and many of which ship with proxy malware built in. Generally speaking, if you\r\ncan send a data packet to one of these devices you can also seize administrative control over it.\r\nIf you own a TV box that matches one of these model names and/or numbers, please just rip it out of your\r\nnetwork. If you encounter one of these devices on the network of a family member or friend, send them a link to\r\nthis story (or to our January 2 story on Kimwolf) and explain that it’s not worth the potential hassle and harm\r\ncreated by keeping them plugged in.\r\nSource: https://krebsonsecurity.com/2026/01/who-benefited-from-the-aisuru-and-kimwolf-botnets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2026/01/who-benefited-from-the-aisuru-and-kimwolf-botnets/"
	],
	"report_names": [
		"who-benefited-from-the-aisuru-and-kimwolf-botnets"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434073,
	"ts_updated_at": 1775791479,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1edf71b61cf85ad7ba9c0a9b95538ea452e34136.pdf",
		"text": "https://archive.orkl.eu/1edf71b61cf85ad7ba9c0a9b95538ea452e34136.txt",
		"img": "https://archive.orkl.eu/1edf71b61cf85ad7ba9c0a9b95538ea452e34136.jpg"
	}
}