{
	"id": "d6061983-2f01-4007-91ae-9d836856febf",
	"created_at": "2026-04-06T00:18:46.219594Z",
	"updated_at": "2026-04-10T13:12:12.843698Z",
	"deleted_at": null,
	"sha1_hash": "491dc92858cec397931b0dbf07bf3d4518f96881",
	"title": "The Kimwolf Botnet is Stalking Your Local Network",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1944230,
	"plain_text": "The Kimwolf Botnet is Stalking Your Local Network\r\nPublished: 2026-01-02 · Archived: 2026-04-05 22:23:46 UTC\r\nThe story you are reading is a series of scoops nestled inside a far more urgent Internet-wide security advisory.\r\nThe vulnerability at issue has been exploited for months already, and it’s time for a broader awareness of the\r\nthreat. The short version is that everything you thought you knew about the security of the internal network behind\r\nyour Internet router probably is now dangerously out of date.\r\nThe security company Synthient currently sees more than 2 million infected Kimwolf devices distributed globally\r\nbut with concentrations in Vietnam, Brazil, India, Saudi Arabia, Russia and the United States. Synthient found that\r\ntwo-thirds of the Kimwolf infections are Android TV boxes with no security or authentication built in.\r\nThe past few months have witnessed the explosive growth of a new botnet dubbed Kimwolf, which experts say\r\nhas infected more than 2 million devices globally. 
The Kimwolf malware forces compromised systems to relay\r\nmalicious and abusive Internet traffic — such as ad fraud, account takeover attempts and mass content scraping —\r\nand participate in crippling distributed denial-of-service (DDoS) attacks capable of knocking nearly any website\r\noffline for days at a time.\r\nMore important than Kimwolf’s staggering size, however, is the diabolical method it uses to spread so quickly: By\r\neffectively tunneling back through various “residential proxy” networks and into the local networks of the proxy\r\nendpoints, and by further infecting devices that are hidden behind the assumed protection of the user’s firewall\r\nand Internet router.\r\nResidential proxy networks are sold as a way for customers to anonymize and localize their Web traffic to a\r\nspecific region, and the biggest of these services allow customers to route their traffic through devices in virtually\r\nany country or city around the globe.\r\nhttps://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/\r\nPage 1 of 14\n\nThe malware that turns an end-user’s Internet connection into a proxy node is often bundled with dodgy mobile\r\napps and games. These residential proxy programs also are commonly installed via unofficial Android TV\r\nboxes sold by third-party merchants on popular e-commerce sites like Amazon, BestBuy, Newegg, and Walmart.\r\nThese TV boxes range in price from $40 to $400, are marketed under a dizzying range of no-name brands and\r\nmodel numbers, and frequently are advertised as a way to stream certain types of subscription video content for\r\nfree. But there’s a hidden cost to this transaction: As we’ll explore in a moment, these TV boxes make up a\r\nconsiderable chunk of the estimated two million systems currently infected with Kimwolf.\r\nSome of the unsanctioned Android TV boxes that come with residential proxy malware pre-installed. 
Image:\r\nSynthient.\r\nKimwolf also is quite good at infecting a range of Internet-connected digital photo frames that likewise are\r\nabundant at major e-commerce websites. In November 2025, researchers from Quokka published a report (PDF)\r\ndetailing serious security issues in Android-based digital picture frames running the Uhale app — including\r\nAmazon’s bestselling digital frame as of March 2025.\r\nThere are two major security problems with these photo frames and unofficial Android TV boxes. The first is that\r\na considerable percentage of them come with malware pre-installed, or else require the user to download an\r\nunofficial Android App Store and malware in order to use the device for its stated purpose (video content piracy).\r\nThe most typical of these uninvited guests are small programs that turn the device into a residential proxy node\r\nthat is resold to others.\r\nThe second big security nightmare with these photo frames and unsanctioned Android TV boxes is that they rely\r\non a handful of Internet-connected microcomputer boards that have no discernible security or authentication\r\nrequirements built-in. In other words, if you are on the same network as one or more of these devices, you can\r\nlikely compromise them simultaneously by issuing a single command across the network.\r\nTHERE’S NO PLACE LIKE 127.0.0.1\r\nThe combination of these two security realities came to the fore in October 2025, when an undergraduate\r\ncomputer science student at the Rochester Institute of Technology began closely tracking Kimwolf’s growth,\r\nand interacting directly with its apparent creators on a daily basis.\r\nBenjamin Brundage is the 22-year-old founder of the security firm Synthient, a startup that helps companies\r\ndetect proxy networks and learn how those networks are being abused. 
Conducting much of his research into\r\nKimwolf while studying for final exams, Brundage told KrebsOnSecurity in late October 2025 he suspected\r\nKimwolf was a new Android-based variant of Aisuru, a botnet that was incorrectly blamed for a number of\r\nrecord-smashing DDoS attacks last fall.\r\nBrundage says Kimwolf grew rapidly by abusing a glaring vulnerability in many of the world’s largest residential\r\nproxy services. The crux of the weakness, he explained, was that these proxy services weren’t doing enough to\r\nprevent their customers from forwarding requests to internal servers of the individual proxy endpoints.\r\nMost proxy services take basic steps to prevent their paying customers from “going upstream” into the local\r\nnetwork of proxy endpoints, by explicitly denying requests for local addresses specified in RFC-1918, including\r\nthe well-known Network Address Translation (NAT) ranges 10.0.0.0/8, 192.168.0.0/16, and 172.16.0.0/12. These\r\nranges allow multiple devices in a private network to access the Internet using a single public IP address, and if\r\nyou run any kind of home or office network, your internal address space operates within one or more of these NAT\r\nranges.\r\nHowever, Brundage discovered that the people operating Kimwolf had figured out how to talk directly to devices\r\non the internal networks of millions of residential proxy endpoints, simply by changing their Domain Name\r\nSystem (DNS) settings to match those in the RFC-1918 address ranges.\r\n“It is possible to circumvent existing domain restrictions by using DNS records that point to 192.168.0.1 or\r\n0.0.0.0,” Brundage wrote in a first-of-its-kind security advisory sent to nearly a dozen residential proxy providers\r\nin mid-December 2025. “This grants an attacker the ability to send carefully crafted requests to the current device\r\nor a device on the local network. 
This is actively being exploited, with attackers leveraging this functionality to\r\ndrop malware.”\r\nAs with the digital photo frames mentioned above, many of these residential proxy services run solely on mobile\r\ndevices that are running some game, VPN or other app with a hidden component that turns the user’s mobile\r\nphone into a residential proxy — often without any meaningful consent.\r\nIn a report published today, Synthient said key actors involved in Kimwolf were observed monetizing the botnet\r\nthrough app installs, selling residential proxy bandwidth, and selling its DDoS functionality.\r\n“Synthient expects to observe a growing interest among threat actors in gaining unrestricted access to proxy\r\nnetworks to infect devices, obtain network access, or access sensitive information,” the report observed. “Kimwolf\r\nhighlights the risks posed by unsecured proxy networks and their viability as an attack vector.”\r\nANDROID DEBUG BRIDGE\r\nAfter purchasing a number of unofficial Android TV box models that were most heavily represented in the\r\nKimwolf botnet, Brundage further discovered the proxy service vulnerability was only part of the reason for\r\nKimwolf’s rapid rise: He also found virtually all of the devices he tested were shipped from the factory with a\r\npowerful feature called Android Debug Bridge (ADB) mode enabled by default.\r\nMany of the unofficial Android TV boxes infected by Kimwolf include the ominous disclaimer: “Made in China.\r\nOverseas use only.” Image: Synthient.\r\nADB is a diagnostic tool intended for use solely during the manufacturing and testing processes, because it allows\r\nthe devices to be remotely configured and even updated with new (and potentially malicious) firmware. 
However,\r\nshipping these devices with ADB turned on creates a security nightmare because in this state they constantly listen\r\nfor and accept unauthenticated connection requests.\r\nFor example, opening a command prompt and typing “adb connect” along with a vulnerable device’s (local) IP\r\naddress followed immediately by “:5555” will very quickly offer unrestricted “super user” administrative access.\r\nBrundage said by early December, he’d identified a one-to-one overlap between new Kimwolf infections and\r\nproxy IP addresses offered for rent by China-based IPIDEA, currently the world’s largest residential proxy\r\nnetwork by all accounts.\r\n“Kimwolf has almost doubled in size this past week, just by exploiting IPIDEA’s proxy pool,” Brundage told\r\nKrebsOnSecurity in early December as he was preparing to notify IPIDEA and 10 other proxy providers about his\r\nresearch.\r\nBrundage said Synthient first confirmed on December 1, 2025 that the Kimwolf botnet operators were tunneling\r\nback through IPIDEA’s proxy network and into the local networks of systems running IPIDEA’s proxy software.\r\nThe attackers dropped the malware payload by directing infected systems to visit a specific Internet address and to\r\ncall out the pass phrase “krebsfiveheadindustries” in order to unlock the malicious download.\r\nOn December 30, Synthient said it was tracking roughly 2 million IPIDEA addresses exploited by Kimwolf in the\r\nprevious week. 
Brundage said he has witnessed Kimwolf rebuilding itself after one recent takedown effort\r\ntargeting its control servers — from almost nothing to two million infected systems just by tunneling through\r\nproxy endpoints on IPIDEA for a couple of days.\r\nBrundage said IPIDEA has a seemingly inexhaustible supply of new proxies, advertising access to more than 100\r\nmillion residential proxy endpoints around the globe in the past week alone. Analyzing the exposed devices that\r\nwere part of IPIDEA’s proxy pool, Synthient said it found more than two-thirds were Android devices that could\r\nbe compromised with no authentication needed.\r\nSECURITY NOTIFICATION AND RESPONSE\r\nAfter charting a tight overlap in Kimwolf-infected IP addresses and those sold by IPIDEA, Brundage was eager to\r\nmake his findings public: The vulnerability had clearly been exploited for several months, although it appeared\r\nthat only a handful of cybercrime actors were aware of the capability. But he also knew that going public without\r\ngiving vulnerable proxy providers an opportunity to understand and patch it would only lead to more mass abuse\r\nof these services by additional cybercriminal groups.\r\nOn December 17, Brundage sent a security notification to all 11 of the apparently affected proxy providers, hoping\r\nto give each at least a few weeks to acknowledge and address the core problems identified in his report before he\r\nwent public. 
Many proxy providers who received the notification were resellers of IPIDEA that white-labeled the\r\ncompany’s service.\r\nKrebsOnSecurity first sought comment from IPIDEA in October 2025, in reporting on a story about how the\r\nproxy network appeared to have benefitted from the rise of the Aisuru botnet, whose administrators appeared to\r\nshift from using the botnet primarily for DDoS attacks to simply installing IPIDEA’s proxy program, among\r\nothers.\r\nOn December 25, KrebsOnSecurity received an email from an IPIDEA employee identified only as “Oliver,” who\r\nsaid allegations that IPIDEA had benefitted from Aisuru’s rise were baseless.\r\n“After comprehensively verifying IP traceability records and supplier cooperation agreements, we found no\r\nassociation between any of our IP resources and the Aisuru botnet, nor have we received any notifications from\r\nauthoritative institutions regarding our IPs being involved in malicious activities,” Oliver wrote. “In addition, for\r\nexternal cooperation, we implement a three-level review mechanism for suppliers, covering qualification\r\nverification, resource legality authentication and continuous dynamic monitoring, to ensure no compliance risks\r\nthroughout the entire cooperation process.”\r\n“IPIDEA firmly opposes all forms of unfair competition and malicious smearing in the industry, always\r\nparticipates in market competition with compliant operation and honest cooperation, and also calls on the entire\r\nindustry to jointly abandon irregular and unethical behaviors and build a clean and fair market ecosystem,” Oliver\r\ncontinued.\r\nMeanwhile, the same day that Oliver’s email arrived, Brundage shared a response he’d just received from\r\nIPIDEA’s security officer, who identified himself only by the first name Byron. 
The security officer said IPIDEA\r\nhad made a number of important security changes to its residential proxy service to address the vulnerability\r\nidentified in Brundage’s report.\r\n“By design, the proxy service does not allow access to any internal or local address space,” Byron explained.\r\n“This issue was traced to a legacy module used solely for testing and debugging purposes, which did not fully\r\ninherit the internal network access restrictions. Under specific conditions, this module could be abused to reach\r\ninternal resources. The affected paths have now been fully blocked and the module has been taken offline.”\r\nByron told Brundage IPIDEA also instituted multiple mitigations for blocking DNS resolution to internal (NAT)\r\nIP ranges, and that it was now blocking proxy endpoints from forwarding traffic on “high-risk” ports “to prevent\r\nabuse of the service for scanning, lateral movement, or access to internal services.”\r\nAn excerpt from an email sent by IPIDEA’s security officer in response to Brundage’s vulnerability notification.\r\nBrundage said IPIDEA appears to have successfully patched the vulnerabilities he identified. He also noted he\r\nnever observed the Kimwolf actors targeting proxy services other than IPIDEA, which has not responded to\r\nrequests for comment.\r\nRiley Kilmer is founder of Spur.us, a technology firm that helps companies identify and filter out proxy traffic.\r\nKilmer said Spur has tested Brundage’s findings and confirmed that IPIDEA and all of its affiliate resellers indeed\r\nallowed full and unfiltered access to the local LAN.\r\nKilmer said one model of unsanctioned Android TV boxes that is especially popular — the Superbox, which we\r\nprofiled in November’s Is Your Android TV Streaming Box Part of a Botnet? 
— leaves Android Debug Mode\r\nrunning on localhost:5555.\r\n“And since Superbox turns the IP into an IPIDEA proxy, a bad actor just has to use the proxy to localhost on that\r\nport and install whatever bad SDKs [software development kits] they want,” Kilmer told KrebsOnSecurity.\r\nSuperbox media streaming boxes for sale on Walmart.com.\r\nECHOES FROM THE PAST\r\nBoth Brundage and Kilmer say IPIDEA appears to be the second or third reincarnation of a residential proxy\r\nnetwork formerly known as 911S5 Proxy, a service that operated between 2014 and 2022 and was wildly popular\r\non cybercrime forums. 911S5 Proxy imploded a week after KrebsOnSecurity published a deep dive on the\r\nservice’s sketchy origins and leadership in China.\r\nIn that 2022 profile, we cited work by researchers at the University of Sherbrooke in Canada who were studying\r\nthe threat 911S5 could pose to internal corporate networks. The researchers noted that “the infection of a node\r\nenables the 911S5 user to access shared resources on the network such as local intranet portals or other services.”\r\n“It also enables the end user to probe the LAN network of the infected node,” the researchers explained. “Using\r\nthe internal router, it would be possible to poison the DNS cache of the LAN router of the infected node, enabling\r\nfurther attacks.”\r\n911S5 initially responded to our reporting in 2022 by claiming it was conducting a top-down security review of\r\nthe service. But the proxy service abruptly closed up shop just one week later, saying a malicious hacker had\r\ndestroyed all of the company’s customer and payment records. In July 2024, the U.S. Department of the\r\nTreasury sanctioned the alleged creators of 911S5, and the U.S. 
Department of Justice arrested the Chinese\r\nnational named in my 2022 profile of the proxy service.\r\nKilmer said IPIDEA also operates a sister service called 922 Proxy, which the company has pitched from Day\r\nOne as a seamless alternative to 911S5 Proxy.\r\n“You cannot tell me they don’t want the 911 customers by calling it that,” Kilmer said.\r\nAmong the recipients of Synthient’s notification was the proxy giant Oxylabs. Brundage shared an email he\r\nreceived from Oxylabs’ security team on December 31, which acknowledged Oxylabs had started rolling out\r\nsecurity modifications to address the vulnerabilities described in Synthient’s report.\r\nReached for comment, Oxylabs confirmed they “have implemented changes that now eliminate the ability to\r\nbypass the blocklist and forward requests to private network addresses using a controlled domain.” But it said\r\nthere is no evidence that Kimwolf or other attackers exploited its network.\r\n“In parallel, we reviewed the domains identified in the reported exploitation activity and did not observe traffic\r\nassociated with them,” the Oxylabs statement continued. “Based on this review, there is no indication that our\r\nresidential network was impacted by these activities.”\r\nPRACTICAL IMPLICATIONS\r\nConsider the following scenario, in which the mere act of allowing someone to use your Wi-Fi network could lead\r\nto a Kimwolf botnet infection. In this example, a friend or family member comes to stay with you for a few days,\r\nand you grant them access to your Wi-Fi without knowing that their mobile phone is infected with an app that\r\nturns the device into a residential proxy node. 
At that point, your home’s public IP address will show up for rent at\r\nthe website of some residential proxy provider.\r\nMiscreants like those behind Kimwolf then use residential proxy services online to access that proxy node on your\r\nIP, tunnel back through it and into your local area network (LAN), and automatically scan the internal network for\r\ndevices with Android Debug Bridge mode turned on.\r\nBy the time your guest has packed up their things, said their goodbyes and disconnected from your Wi-Fi, you\r\nnow have two devices on your local network — a digital photo frame and an unsanctioned Android TV box —\r\nthat are infected with Kimwolf. You may have never intended for these devices to be exposed to the larger\r\nInternet, and yet there you are.\r\nHere’s another possible nightmare scenario: Attackers use their access to proxy networks to modify your Internet\r\nrouter’s settings so that it relies on malicious DNS servers controlled by the attackers — allowing them to control\r\nwhere your Web browser goes when it requests a website. Think that’s far-fetched? Recall the DNSChanger\r\nmalware from 2012 that infected more than a half-million routers with search-hijacking malware, and ultimately\r\nspawned an entire security industry working group focused on containing and eradicating it.\r\nXLAB\r\nMuch of what is published so far on Kimwolf has come from the Chinese security firm XLab, which was the first\r\nto chronicle the rise of the Aisuru botnet in late 2024. 
In its latest blog post, XLab said it began tracking Kimwolf\r\non October 24, when the botnet’s control servers were swamping Cloudflare’s DNS servers with lookups for the\r\ndistinctive domain 14emeliaterracewestroxburyma02132[.]su.\r\nThis domain and others connected to early Kimwolf variants spent several weeks topping Cloudflare’s chart of the\r\nInternet’s most sought-after domains, edging Google.com and Apple.com out of their rightful spots in the top 5\r\nmost-requested domains. That’s because during that time Kimwolf was asking its millions of bots to check in\r\nfrequently using Cloudflare’s DNS servers.\r\nThe Chinese security firm XLab found the Kimwolf botnet had enslaved between 1.8 and 2 million devices, with\r\nheavy concentrations in Brazil, India, the United States of America and Argentina. Image: blog.xLab.qianxin.com\r\nIt is clear from reading the XLab report that KrebsOnSecurity (and security experts) probably erred in\r\nmisattributing some of Kimwolf’s early activities to the Aisuru botnet, which appears to be operated by a different\r\ngroup entirely. IPIDEA may have been truthful when it said it had no affiliation with the Aisuru botnet, but\r\nBrundage’s data left no doubt that its proxy service clearly was being massively abused by Aisuru’s Android\r\nvariant, Kimwolf.\r\nXLab said Kimwolf has infected at least 1.8 million devices, and has shown it is able to rebuild itself quickly from\r\nscratch.\r\n“Analysis indicates that Kimwolf’s primary infection targets are TV boxes deployed in residential network\r\nenvironments,” XLab researchers wrote. “Since residential networks usually adopt dynamic IP allocation\r\nmechanisms, the public IPs of devices change over time, so the true scale of infected devices cannot be accurately\r\nmeasured solely by the quantity of IPs. 
In other words, the cumulative observation of 2.7 million IP addresses\r\ndoes not equate to 2.7 million infected devices.”\r\nXLab said measuring Kimwolf’s size also is difficult because infected devices are distributed across multiple\r\nglobal time zones. “Affected by time zone differences and usage habits (e.g., turning off devices at night, not\r\nusing TV boxes during holidays, etc.), these devices are not online simultaneously, further increasing the difficulty\r\nof comprehensive observation through a single time window,” the blog post observed.\r\nXLab noted that the Kimwolf author “shows an almost ‘obsessive’ fixation” on Yours Truly, apparently leaving\r\n“easter eggs” related to my name in multiple places through the botnet’s code and communications:\r\nImage: XLAB.\r\nANALYSIS AND ADVICE\r\nOne frustrating aspect of threats like Kimwolf is that in most cases it is not easy for the average user to determine\r\nif there are any devices on their internal network which may be vulnerable to threats like Kimwolf and/or already\r\ninfected with residential proxy malware.\r\nLet’s assume that through years of security training or some dark magic you can successfully identify that\r\nresidential proxy activity on your internal network was linked to a specific mobile device inside your house: From\r\nthere, you’d still need to isolate and remove the app or unwanted component that is turning the device into a\r\nresidential proxy.\r\nAlso, the tooling and knowledge needed to achieve this kind of visibility just isn’t there from an average consumer\r\nstandpoint. 
The work that it takes to configure your network so you can see and interpret logs of all traffic coming\r\nin and out is largely beyond the skillset of most Internet users (and, I’d wager, many security experts). But it’s a\r\ntopic worth exploring in an upcoming story.\r\nHappily, Synthient has erected a page on its website that will state whether a visitor’s public Internet address was\r\nseen among those of Kimwolf-infected systems. Brundage also has compiled a list of the unofficial Android TV\r\nboxes that are most highly represented in the Kimwolf botnet.\r\nIf you own a TV box that matches one of these model names and/or numbers, please just rip it out of your\r\nnetwork. If you encounter one of these devices on the network of a family member or friend, send them a link to\r\nthis story and explain that it’s not worth the potential hassle and harm created by keeping them plugged in.\r\nThe top 15 product devices represented in the Kimwolf botnet, according to Synthient.\r\nChad Seaman is a principal security researcher with Akamai Technologies. Seaman said he wants more\r\nconsumers to be wary of these pseudo Android TV boxes to the point where they avoid them altogether.\r\n“I want the consumer to be paranoid of these crappy devices and of these residential proxy schemes,” he said. “We\r\nneed to highlight why they’re dangerous to everyone and to the individual. The whole security model where\r\npeople think their LAN (Local Internal Network) is safe, that there aren’t any bad guys on the LAN so it can’t be\r\nthat dangerous is just really outdated now.”\r\n“The idea that an app can enable this type of abuse on my network and other networks, that should really give you\r\npause,” about which devices to allow onto your local network, Seaman said. “And it’s not just Android devices\r\nhere. 
Some of these proxy services have SDKs for Mac and Windows, and the iPhone. It could be running\r\nsomething that inadvertently cracks open your network and lets countless random people inside.”\r\nIn July 2025, Google filed a “John Doe” lawsuit (PDF) against 25 unidentified defendants collectively dubbed the\r\n“BadBox 2.0 Enterprise,” which Google described as a botnet of over ten million unsanctioned Android\r\nstreaming devices engaged in advertising fraud. Google said the BADBOX 2.0 botnet, in addition to\r\ncompromising multiple types of devices prior to purchase, also can infect devices by requiring the download of\r\nmalicious apps from unofficial marketplaces.\r\nGoogle’s lawsuit came on the heels of a June 2025 advisory from the Federal Bureau of Investigation (FBI),\r\nwhich warned that cyber criminals were gaining unauthorized access to home networks by either configuring the\r\nproducts with malware prior to the user’s purchase, or infecting the device as it downloads required applications\r\nthat contain backdoors — usually during the set-up process.\r\nThe FBI said BADBOX 2.0 was discovered after the original BADBOX campaign was disrupted in 2024. The\r\noriginal BADBOX was identified in 2023, and primarily consisted of Android operating system devices that were\r\ncompromised with backdoor malware prior to purchase.\r\nLindsay Kaye is vice president of threat intelligence at HUMAN Security, a company that worked closely on the\r\nBADBOX investigations. 
Kaye said the BADBOX botnets and the residential proxy networks that rode on top of\r\ncompromised devices were detected because they enabled a ridiculous amount of advertising fraud, as well as\r\nticket scalping, retail fraud, account takeovers and content scraping.\r\nKaye said consumers should stick to known brands when it comes to purchasing things that require a wired or\r\nwireless connection.\r\n“If people are asking what they can do to avoid being victimized by proxies, it’s safest to stick with name brands,”\r\nKaye said. “Anything promising something for free or low-cost, or giving you something for nothing just isn’t\r\nworth it. And be careful about what apps you allow on your phone.”\r\nMany wireless routers these days make it relatively easy to deploy a “Guest” wireless network on-the-fly. Doing\r\nso allows your guests to browse the Internet just fine but it blocks their device from being able to talk to other\r\ndevices on the local network — such as shared folders, printers and drives. If someone — a friend, family\r\nmember, or contractor — requests access to your network, give them the guest Wi-Fi network credentials if you\r\nhave that option.\r\nThere is a small but vocal pro-piracy camp that is almost condescendingly dismissive of the security threats posed\r\nby these unsanctioned Android TV boxes. These tech purists positively chafe at the idea of people wholesale\r\ndiscarding one of these TV boxes. 
A common refrain from this camp is that Internet-connected devices are not\r\ninherently bad or good, and that even factory-infected boxes can be flashed with new firmware or custom ROMs\r\nthat contain no known dodgy software.\r\nHowever, it’s important to point out that the majority of people buying these devices are not security or hardware\r\nexperts; the devices are sought out because they dangle something of value for “free.” Most buyers have no idea\r\nof the bargain they’re making when plugging one of these dodgy TV boxes into their network.\r\nIt is somewhat remarkable that we haven’t yet seen the entertainment industry applying more visible pressure on\r\nthe major e-commerce vendors to stop peddling this insecure and actively malicious hardware that is largely made\r\nand marketed for video piracy. These TV boxes are a public nuisance for bundling malicious software while\r\nhaving no apparent security or authentication built-in, and these two qualities make them an attractive nuisance for\r\ncybercriminals.\r\nStay tuned for Part II in this series, which will poke through clues left behind by the people who appear to have\r\nbuilt Kimwolf and benefited from it the most.\r\nSource: https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/"
	],
	"report_names": [
		"the-kimwolf-botnet-is-stalking-your-local-network"
	],
	"threat_actors": [],
	"ts_created_at": 1775434726,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/491dc92858cec397931b0dbf07bf3d4518f96881.pdf",
		"text": "https://archive.orkl.eu/491dc92858cec397931b0dbf07bf3d4518f96881.txt",
		"img": "https://archive.orkl.eu/491dc92858cec397931b0dbf07bf3d4518f96881.jpg"
	}
}