{
	"id": "a71e4fa1-1d77-4821-afd4-314c414a6114",
	"created_at": "2026-04-06T00:17:21.622664Z",
	"updated_at": "2026-04-10T13:12:32.498793Z",
	"deleted_at": null,
	"sha1_hash": "ede8fc1053850dd8cf031817126b2c9e5e314e17",
	"title": "Kimwolf Android Botnet Grows Through Residential Proxy Networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73135,
	"plain_text": "Kimwolf Android Botnet Grows Through Residential Proxy\r\nNetworks\r\nBy Ionut Arghire\r\nPublished: 2026-01-05 · Archived: 2026-04-05 20:39:42 UTC\r\nThe Kimwolf botnet has infected over 2 million Android devices, mainly through residential proxy\r\nnetworks, cybersecurity firm Synthient says.\r\nActive since at least August 2025, the Kimwolf botnet was recently detailed by XLab, which warned that it could\r\nlaunch massive distributed denial-of-service (DDoS) attacks.\r\nMainly consisting of Android TV set-top boxes deployed on residential networks, Kimwolf provides its operators\r\nwith other monetization opportunities as well, including application installs and the selling of proxy bandwidth,\r\nSynthient explains.\r\nAccording to the cybersecurity firm, the botnet’s size may be much larger than previously estimated, with roughly\r\n12 million unique IP addresses associated with it seen every week.\r\nSynthient cautiously estimates that Kimwolf has infected just over 2 million devices, mainly through the\r\nexploitation of an exposed Android Debug Bridge (ADB) service. Many of these devices are in Vietnam, Brazil,\r\nIndia, and Saudi Arabia.\r\nThe botnet grew fast over the past two months, due to a novel technique targeting residential proxy networks, with\r\nmany of the infections associated with proxy IP addresses offered for rent by China-based IPIDEA, one of the\r\nlargest residential proxy networks in the world.\r\nAs investigative journalist Brian Krebs points out, the botnet mainly targets unofficial Android TV boxes that\r\ncome at low prices, but which come with insecure components and often require users to install software that turns\r\nthem into proxy nodes.\r\nSynthient’s investigation revealed that many of the newly ensnared devices were sold pre-infected with malware.\r\nInstead of IPIDEA’s legitimate binaries, they contained modified ones that turned them into Kimwolf bots.\r\nIn late December, IPIDEA deployed a patch to address the underlying issue and block access to numerous exposed\r\nports.\r\n“We sent 11 vulnerability emails on December 17 to the top proxy providers. Each notified provider was impacted\r\nto varying degrees, with a significant portion allowing access to devices on the local network,” Synthient notes.\r\n“Synthient’s Research Team is unable to assess with confidence the complete list of targeted providers by\r\nKimwolf. Current evidence indicates that IPIDEA was the main target because it enabled access to all ports,” the\r\ncybersecurity firm continues.\r\nIn addition to abusing the infected devices in DDoS attacks of around 30Tbps (such attacks have been mistakenly\r\nattributed to Aisuru), Kimwolf’s operators also engage in aggressive sales of residential proxies, for as low as 0.20\r\ncents per Gb.\r\n“The discovery of pre-infected TV boxes and the monetization of these bots through secondary SDKs like\r\nByteconnect indicates a deepening relationship between threat actors and commercial proxy providers. While the\r\ncollaboration with IPIDEA led to a successful patch, the broader landscape remains precarious,” Synthient notes.\r\nSource: https://www.securityweek.com/kimwolf-android-botnet-grows-through-residential-proxy-networks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.securityweek.com/kimwolf-android-botnet-grows-through-residential-proxy-networks/"
	],
	"report_names": [
		"kimwolf-android-botnet-grows-through-residential-proxy-networks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434641,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ede8fc1053850dd8cf031817126b2c9e5e314e17.pdf",
		"text": "https://archive.orkl.eu/ede8fc1053850dd8cf031817126b2c9e5e314e17.txt",
		"img": "https://archive.orkl.eu/ede8fc1053850dd8cf031817126b2c9e5e314e17.jpg"
	}
}