{
	"id": "d1704146-c2b3-4017-9cf0-2dd072e4e2e9",
	"created_at": "2026-04-06T01:31:41.952254Z",
	"updated_at": "2026-04-10T03:30:33.731303Z",
	"deleted_at": null,
	"sha1_hash": "26ef924adeade327e0db50d6f57fe7e704b3b2fc",
	"title": "Kimwolf Botnet Lurking in Corporate, Govt. Networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 235854,
	"plain_text": "Kimwolf Botnet Lurking in Corporate, Govt. Networks\r\nPublished: 2026-01-20 · Archived: 2026-04-06 00:40:39 UTC\r\nA new Internet-of-Things (IoT) botnet called Kimwolf has spread to more than 2 million devices, forcing infected systems to participate in massive distributed denial-of-service (DDoS) attacks and to relay other malicious and abusive Internet traffic. Kimwolf’s ability to scan the local networks of compromised systems for other IoT devices to infect makes it a sobering threat to organizations, and new research reveals Kimwolf is surprisingly prevalent in government and corporate networks.\r\nImage: Shutterstock, @Elzicon.\r\nhttps://krebsonsecurity.com/2026/01/kimwolf-botnet-lurking-in-corporate-govt-networks/\r\nPage 1 of 4\r\nKimwolf grew rapidly in the waning months of 2025 by tricking various “residential proxy” services into relaying malicious commands to devices on the local networks of those proxy endpoints. Residential proxies are sold as a way to anonymize and localize one’s Web traffic to a specific region, and the biggest of these services allow customers to route their Internet activity through devices in virtually any country or city around the globe.\r\nThe malware that turns one’s Internet connection into a proxy node is often quietly bundled with various mobile apps and games, and it typically forces the infected device to relay malicious and abusive traffic — including ad fraud, account takeover attempts, and mass content-scraping.\r\nKimwolf mainly targeted proxies from IPIDEA, a Chinese service that has millions of proxy endpoints for rent on any given week. The Kimwolf operators discovered they could forward malicious commands to the internal networks of IPIDEA proxy endpoints, and then programmatically scan for and infect other vulnerable devices on each endpoint’s local network.\r\nMost of the systems compromised through Kimwolf’s local network scanning have been unofficial Android TV streaming boxes. These are typically Android Open Source Project devices — not Android TV OS devices or Play Protect certified Android devices — and they are generally marketed as a way to watch unlimited (read: pirated) video content from popular subscription streaming services for a one-time fee.\r\nHowever, a great many of these TV boxes ship to consumers with residential proxy software pre-installed. What’s more, they have no real security or authentication built-in: If you can communicate directly with the TV box, you can also easily compromise it with malware.\r\nWhile IPIDEA and other affected proxy providers recently have taken steps to block threats like Kimwolf from going upstream into their endpoints (reportedly with varying degrees of success), the Kimwolf malware remains on millions of infected devices.\r\nA screenshot of IPIDEA’s proxy service.\r\nKimwolf’s close association with residential proxy networks and compromised Android TV boxes might suggest we’d find relatively few infections on corporate networks. However, the security firm Infoblox said a recent review of its customer traffic found nearly 25 percent of them made a query to a Kimwolf-related domain name since October 1, 2025, when the botnet first showed signs of life.\r\nInfoblox found the affected customers are based all over the world and in a wide range of industry verticals, from education and healthcare to government and finance.\r\n“To be clear, this suggests that nearly 25% of customers had at least one device that was an endpoint in a residential proxy service targeted by Kimwolf operators,” Infoblox explained. “Such a device, maybe a phone or a laptop, was essentially co-opted by the threat actor to probe the local network for vulnerable devices. A query means a scan was made, not that new devices were compromised. Lateral movement would fail if there were no vulnerable devices to be found or if the DNS resolution was blocked.”\r\nSynthient, a startup that tracks proxy services and was the first to disclose on January 2 the unique methods Kimwolf uses to spread, found proxy endpoints from IPIDEA were present in alarming numbers at government and academic institutions worldwide. Synthient said it spied at least 33,000 affected Internet addresses at universities and colleges, and nearly 8,000 IPIDEA proxies within various U.S. and foreign government networks.\r\nThe top 50 domain names sought out by users of IPIDEA’s residential proxy service, according to Synthient.\r\nIn a webinar on January 16, experts at the proxy tracking service Spur profiled Internet addresses associated with IPIDEA and 10 other proxy services that were thought to be vulnerable to Kimwolf’s tricks. Spur found residential proxies in nearly 300 government owned and operated networks, 318 utility companies, 166 healthcare companies or hospitals, and 141 companies in banking and finance.\r\n“I looked at the 298 [government] owned and operated [networks], and so many of them were DoD [U.S. Department of Defense], which is kind of terrifying that DoD has IPIDEA and these other proxy services located inside of it,” Spur Co-Founder Riley Kilmer said. “I don’t know how these enterprises have these networks set up. It could be that [infected devices] are segregated on the network, that even if you had local access it doesn’t really mean much. However, it’s something to be aware of. If a device goes in, anything that device has access to the proxy would have access to.”\r\nKilmer said Kimwolf demonstrates how a single residential proxy infection can quickly lead to bigger problems for organizations that are harboring unsecured devices behind their firewalls, noting that proxy services present a potentially simple way for attackers to probe other devices on the local network of a targeted organization.\r\n“If you know you have [proxy] infections that are located in a company, you can choose that [network] to come out of and then locally pivot,” Kilmer said. “If you have an idea of where to start or look, now you have a foothold in a company or an enterprise based on just that.”\r\nThis is the third story in our series on the Kimwolf botnet. Next week, we’ll shed light on the myriad China-based individuals and companies connected to the Badbox 2.0 botnet, the collective name given to a vast number of Android TV streaming box models that ship with no discernible security or authentication built-in, and with residential proxy malware pre-installed.\r\nFurther reading:\r\nThe Kimwolf Botnet is Stalking Your Local Network\r\nWho Benefitted from the Aisuru and Kimwolf Botnets?\r\nA Broken System Fueling Botnets (Synthient).\r\nSource: https://krebsonsecurity.com/2026/01/kimwolf-botnet-lurking-in-corporate-govt-networks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2026/01/kimwolf-botnet-lurking-in-corporate-govt-networks/"
	],
	"report_names": [
		"kimwolf-botnet-lurking-in-corporate-govt-networks"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439101,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/26ef924adeade327e0db50d6f57fe7e704b3b2fc.pdf",
		"text": "https://archive.orkl.eu/26ef924adeade327e0db50d6f57fe7e704b3b2fc.txt",
		"img": "https://archive.orkl.eu/26ef924adeade327e0db50d6f57fe7e704b3b2fc.jpg"
	}
}