{
	"id": "e4e7410e-ebaf-4f5c-b8ce-11b9ac2d0b7f",
	"created_at": "2026-04-06T01:32:37.506648Z",
	"updated_at": "2026-04-10T13:11:38.103041Z",
	"deleted_at": null,
	"sha1_hash": "fa0c29ae6ae80a079fff181d655368e3d1967298",
	"title": "A Broken System Fueling Botnets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3769544,
	"plain_text": "A Broken System Fueling Botnets\r\nBy Synthient Research\r\nPublished: 2026-01-02 · Archived: 2026-04-06 00:30:40 UTC\r\nWarning: To maintain the historical and technical accuracy of the systems discussed, some of the original code and\r\ndocumentation included below contain offensive terminology. This language is preserved only to provide a\r\ncomprehensive report on the subject matter.\r\nExecutive Summary\r\nSynthient continues to track the Kimwolf DDoS and proxy botnet with this report, delivering significant findings\r\non the inner workings, infection chain, and reliance on the residential proxy ecosystem. Kimwolf has been highly\r\nactive since early August of 2025, with substantial growth over the past four months. Synthient’s research\r\nteam assesses with high confidence that the total number of infected devices has surpassed 2 million, primarily\r\ntargeting Android devices running an exposed Android Debug Bridge (ADB) service via residential proxies. These\r\nfindings further reveal an expansive network of compromised TV streaming devices used by providers to obtain\r\nlarge pools of IP addresses.\r\nGiven Kimwolf's reliance on residential proxies for infections, we advise all proxy providers to block high-risk\r\nports and restrict access to the local network. Users should check whether they are affected by visiting\r\nsynthient.com/check. Infected TV boxes should be wiped or destroyed. Organizations should block connections to\r\nthe referenced C2 servers and domains, and monitor network traffic for suspicious activity.\r\nSynthient expects to observe a growing interest among threat actors in gaining unrestricted access to proxy\r\nnetworks to infect devices, obtain network access, or access sensitive information. 
Kimwolf highlights the risks\r\nposed by unsecured proxy networks and their viability as an attack vector.\r\nBackground\r\nKimwolf, the Android variant of the Aisuru DDoS Botnet, has grown to at least 2 million compromised devices\r\nover several months through its novel exploitation of residential proxy networks. Kimwolf remains a significant\r\nthreat to organizations, as it continues to launch Distributed Denial-of-Service (DDoS) attacks, with Cloudflare\r\nreporting peak attack rates of 29.7 Tbps or 14.1 Bpps. Key actors involved in the Kimwolf botnet are observed\r\nmonetizing the botnet through app installs, selling residential proxy bandwidth, and selling its DDoS functionality.\r\nOver the last 3 months, Synthient’s Research Team has conducted a comprehensive investigation of Kimwolf,\r\nrevealing key insights into the group's operations.\r\nInfection through Residential Proxies\r\nhttps://synthient.com/blog/a-broken-system-fueling-botnets\r\nPage 1 of 12\n\nKimwolf’s rapid growth can be attributed to its targeting of vulnerable devices through its novel exploitation of\r\nresidential proxy networks. Our honeypot network saw an increase in targeting of the domain xd[.]resi[.]to\r\non November 12th from IPIDEA's proxy network. This domain notably resolves to 0[.]0[.]0[.]0, which points\r\nto the device running the proxy SDK.\r\nFig 1. Kimwolf Scanning Infrastructure\r\nSynthient’s Research Team captured the following payload on December 1st, confirming the active exploitation of\r\nresidential proxy networks.\r\nThis payload expands to the following bash script.\r\nSynthient captured four additional payloads, each making slight adjustments to the Kimwolf botnet, either to\r\nits protocol, C2 servers, or binaries.\r\nDecember 11th\r\nDecember 14th\r\nDecember 25th\r\nDecember 27th\r\nDecember 28th [EDIT]\r\nAt the time of publishing our report, we received one more sample. 
We've decided to include this in the report to\r\nfurther disrupt their operations.\r\nDuring this period, the Kimwolf actors used a variety of domains and methods to circumvent restrictions and\r\ncompromise devices. The following is an exhaustive list of domains and IPs observed targeting the residential\r\nproxy providers. (EDIT: Do not import this as a list of IOCs unless you are a proxy provider; please refer to the\r\nIOCs section of this report if you are an organization.)\r\nDomains:\r\nlocalhost\r\n127[.]0[.]0[.]0\r\n127[.]0[.]0[.]1\r\n127[.]0[.]0[.]2\r\n0[.]0[.]0[.]0\r\nxd[.]resi[.]to\r\nxd[.]mob[.]to\r\nonetwoseven[.]14emeliaterracewestroxburyma02132[.]su\r\nlolxd[.]713mtauburnctcolumbusoh43085[.]st\r\nTargeted Ports:\r\n3222\r\n5555\r\n5858\r\n12108\r\nKimwolf’s scanning of proxy networks was at an unprecedented scale, with them holding the number one position\r\nmany times for the most-targeted domain. Their scanning was often 24/7, with downtime limited to null routing or\r\ninfrastructure changes.\r\nFig 2. Synthient capturing the various Kimwolf scanning and exploitation attempts.\r\nInfection Demographic\r\nSynthient’s Research Team believes Kimwolf's infected device count to be well above 2 million, with significant\r\nnumbers in Vietnam, Brazil, India, and Saudi Arabia. Even with their device count hovering around 2 million,\r\nSynthient’s Research Team observes around 12 million unique IP addresses per week for Kimwolf.\r\nFig 3. Kimwolf geographic distribution of compromised devices.\r\nSynthient’s Research Team also received a screenshot from the backend Grafana instance in early November that\r\nmatches this distribution. Please note the massive growth in the past 2 months.\r\nFig 4. 
Kimwolf's internal Grafana instance.\r\nUpon analyzing exposed devices that are part of IPIDEA's proxy pool, we found that 67% of all Android devices are\r\nunauthenticated, leaving them vulnerable to remote code execution. From our scans, we found approximately 6\r\nmillion vulnerable IPs (i.e., unique IPv6 or IPv4 addresses). These devices are often shipped pre-infected with\r\nSDKs from proxy providers. Once part of the residential proxy pool, Kimwolf will have scanned and exploited the\r\ndevice within minutes.\r\nFig 5. 67% of connected devices responding as unauthenticated.\r\nAn analysis of the infected devices' product name (ro.product.name) yields the following stats. TV BOX,\r\nHiDPTAndroid, and SMART_TV are among the top compromised devices.\r\nFig 6. Top compromised product models.\r\nAnalyzing the device name (ro.product.device), we see the following breakdown. The over-representation of\r\ncertain devices indicates they arrive pre-infected. Synthient’s Research Team purchased several devices from the list,\r\nwhich corroborated this theory, showing that the devices were already running a malicious proxy SDK.\r\nFig 7. Top compromised product devices.\r\nA complete breakdown of impacted devices can be found here.\r\nKimwolf Analysis\r\nXLab has published a comprehensive analysis of both V4 and V5 of the Kimwolf botnet. We refer to their\r\npublication for a complete analysis, as we will only cover changes to the latest Kimwolf botnet. Synthient\r\nreceived its final payload on December 27th before IPIDEA implemented a security patch. Due to IPIDEA's rapid\r\ndeployment of the security patch, the final payload from December 27th was successfully mitigated before a full\r\nbinary capture could be completed. 
As a result, the latest Kimwolf version downloaded was from December 25th.\r\nWhen the payload runs, the following script is executed. This installs the latest version of the Kimwolf binary.\r\nThese binaries are installed as “botless” and “com.abcproxy.sdk”. Please note that the threat actors named the\r\nbinary “com.abcproxy.sdk” to associate this activity with IPIDEA, which has no involvement with the Kimwolf\r\nactors.\r\nBoth binaries are almost identical, with the rolf binary differing slightly in its TLS implementation.\r\nAdditionally, the libdevice[.]so binary uses an Android APK for delivery, whereas the botless binary is dropped to\r\nthe /rolf/ directory.\r\nFig 8. Android dropper executing Kimwolf\r\nOn execution, Kimwolf uses the environment variable xdrofl123 as a poor man's mutex to prevent multiple\r\nversions of the binary from running. If the variable is present, it prevents another instance from starting.\r\nFig 9. Running the Kimwolf binary\r\nIn this latest version, Kimwolf listens on port 40860 and connects to 85[.]234[.]91[.]247:1337 for commands.\r\nFig 10. Initial connection and heartbeat\r\nAnother notable update is the significant expansion of Kimwolf L7 attacks. The new attacks use the tls-client and azuretls-client Go libraries to spoof TLS fingerprints and headers. The config for L7 attacks is as\r\nfollows.\r\nThe complete Golang struct definitions for the Kimwolf botnet are documented here.\r\nByteconnect SDK\r\nIn addition to capturing the Kimwolf payload on December 14th, Synthient’s Research Team also observed the\r\ninstallation of the Plainproxies Byteconnect SDK (e465e625c1f85527e7082ff70dc479b5). This SDK offers a\r\nbandwidth monetization service, indicating that Kimwolf actors received payment for performing app installs on\r\ncompromised devices. 
This further highlights the threat actors' monetization attempts, in addition to the operation\r\nof their own proxy services.\r\nFig 11. A \"clean, ethical monetization that your users won't even notice.\"\r\nThe Byteconnect SDK uses 119 relay servers that receive proxy tasks from a command-and-control server, which\r\nare then executed by the compromised device. The responses are sent back over the TCP socket.\r\nFig 12. Byteconnect connection and task flow.\r\nUpon connecting to the SDK, we observed an influx of credential-stuffing attacks targeting IMAP servers and\r\npopular online websites.\r\nFig 13. Byteconnect credential stuffing.\r\nSynthient’s Research Team notified Plainproxies and has yet to receive any comment. The Byteconnect SDK\r\nremains active on compromised devices.\r\nByteconnect Protocol\r\nRegistration Request\r\nTCP Registration Packet\r\nUDP Receive Task Packet\r\nUDP Get Task Packet\r\nNotifying Impacted Parties\r\nSynthient notified IPIDEA, which confirmed and successfully patched the vulnerability on December 28th. This\r\nupdate now prevents access to local network devices and blocks access to the following sensitive ports: 21, 22, 23,\r\n25, 69, 110, 139, 143, 161, 389, 465, 512, 513, 514, 587, 873, 993, 995, 1352, 1433, 1521, 2181, 2409, 3306,\r\n3389, 3690, 4848, 5000, 5432, 5632, 5900, 6532, 6379, 7001, 7002, 8069, 9200, 9300, 11211, 27017, 27018,\r\n50000, 5555, 5858, 12108, 3222, 1210, 5114.\r\nAs part of this research, we sent 11 vulnerability emails on December 17th to the top proxy providers. Each\r\nnotified provider was impacted to varying degrees, with a significant portion allowing access to devices on the\r\nlocal network. 
The scale of this vulnerability was unprecedented, exposing millions of devices to attacks.\r\nSynthient’s Research Team is unable to assess with confidence the complete list of providers targeted by Kimwolf.\r\nCurrent evidence indicates that IPIDEA was the main target because it enabled access to all ports.\r\nThe Proxy Ecosystem\r\nKimwolf’s monetization strategy became apparent early on through its aggressive sale of residential proxies. By\r\noffering proxies as low as 0.20 cents per GB or $1.4K a month for unlimited bandwidth, it gained early\r\nadoption by several proxy providers.\r\nFig 14. RESITO Discord Server and the selling of Kimwolf proxies in early October.\r\nSynthient’s Research Team received screenshots from other proxy providers showing key Kimwolf actors\r\nattempting to offload proxy bandwidth in exchange for upfront cash. This approach likely helped fuel early\r\ndevelopment, with associated members spending earnings on infrastructure and outsourced development tasks.\r\nPlease note that resellers know precisely what they are selling; proxies at these prices are not ethically sourced.\r\nFig 15. Maskify, another provider heavily involved in the sales of Kimwolf proxies.\r\nThe aggressive tracking of Kimwolf helped create a novel dataset, enabling clients of Synthient to mitigate both\r\nDDoS and credential-stuffing attacks targeting their platform. 
Synthient actively tracks Kimwolf through the\r\nfollowing providers.\r\nProxy Provider | Synthient Tag | Gateway\r\nhttps://discord[.]gg/ipv4 | RESITO | 172[.]93[.]102[.]243:80\r\nhttps://discord[.]gg/ipv4 | RESITO | 104[.]243[.]43[.]148:80\r\nhttps://discord[.]gg/ipv4 | RESITO | 104[.]243[.]41[.]180:80\r\nhttps://discord[.]gg/ipv4 | RESITO | 104[.]243[.]41[.]110:80\r\nhttps://discord[.]gg/ipv4 | RESITO | 80[.]75[.]212[.]10:80\r\nhttps://discord[.]gg/ipv4 | RESITO | 193[.]25[.]217[.]66\r\nhttps://maskify[.]su | MASKIFY | resi[.]maskify[.]su:80\r\nhttps://ptun[.]nl | PTUNNL | resi[.]ptun[.]nl:80\r\nhttps://flashproxy[.]com | FLASHPROXY_LITE | lite[.]flashproxy[.]io:6969\r\nSeveral larger proxy providers have also been observed mixing in Kimwolf proxies to increase the size of their\r\ncore pool.\r\nMitigation Strategies\r\nProxy Providers\r\nIf you are a proxy provider and want to test whether you are vulnerable, you can do so by issuing a request to the\r\ndomain amivulnerable.synthient.com. If you see a default router page, your proxy network is vulnerable. Proxy\r\nproviders should implement necessary fixes to block requests to RFC 1918 addresses.\r\nAdditionally, proxy providers should check whether they are affected by reviewing existing logs for requests to\r\nthe following domains.\r\nlocalhost\r\n127[.]0[.]0[.]0\r\n127[.]0[.]0[.]1\r\n127[.]0[.]0[.]2\r\n0[.]0[.]0[.]0\r\nxd[.]resi[.]to\r\nxd[.]mob[.]to\r\nonetwoseven[.]14emeliaterracewestroxburyma02132[.]su\r\nlolxd[.]713mtauburnctcolumbusoh43085[.]st\r\nVictims of Kimwolf\r\nUsers can check if they are a victim of the Kimwolf botnet on synthient.com/check. 
If flagged, we encourage the\r\nTV box to be destroyed.\r\nOrganizations\r\nAudit Network \u0026 Devices: Reference the complete list of Indicators of Compromise (IOCs) and inspect\r\nyour network traffic and hardware for signs of infection.\r\nRemove High-Risk Hardware: Avoid keeping potentially vulnerable devices, specifically TV boxes, on\r\nyour network, as these are Kimwolf's primary targets.\r\nSecure ADB Shells: Lock down devices running unauthenticated ADB (Android Debug Bridge) shells to\r\nprevent unauthorized access.\r\nCheck for Proxy SDKs: Verify your IP address to ensure your system isn't running a proxy SDK\r\nunintentionally.\r\nObservables and IOCs\r\nA complete list of observables and IOCs is available on the Synthient GitHub.\r\nConclusion\r\nKimwolf highlights the significant risks posed by residential proxy networks, along with their sophisticated\r\noperations that exploit the \"gray market\" of the proxy ecosystem. The botnet’s unprecedented growth to over 2\r\nmillion devices is not just a failure of individual device security but a systemic vulnerability within the residential\r\nproxy supply chain.\r\nThe discovery of pre-infected TV boxes and the monetization of these bots through secondary SDKs like\r\nByteconnect indicates a deepening relationship between threat actors and commercial proxy providers. While the\r\ncollaboration with IPIDEA led to a successful patch, the broader landscape remains precarious.\r\nSynthient assesses that the Kimwolf operation provides a blueprint for future botnets to achieve rapid, low-cost\r\ngrowth by bypassing traditional defenses. As long as demand for low-cost residential bandwidth continues to\r\ngrow, the risk to organizations and individuals will remain high.\r\nSource: https://synthient.com/blog/a-broken-system-fueling-botnets",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://synthient.com/blog/a-broken-system-fueling-botnets"
	],
	"report_names": [
		"a-broken-system-fueling-botnets"
	],
	"threat_actors": [],
	"ts_created_at": 1775439157,
	"ts_updated_at": 1775826698,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa0c29ae6ae80a079fff181d655368e3d1967298.pdf",
		"text": "https://archive.orkl.eu/fa0c29ae6ae80a079fff181d655368e3d1967298.txt",
		"img": "https://archive.orkl.eu/fa0c29ae6ae80a079fff181d655368e3d1967298.jpg"
	}
}