
Kimwolf Botnet Abuse of Residential Proxies to Infect Devices Behind Routers

Tags: botnet, residential proxies, proxy networks, routers, DDoS, account takeover, email flooding, CAPTCHA bypass, doxing, Android TV boxes, scraping, ad fraud

Updated March 2, 2026 at 11:06 AM (2 sources)

Security researchers reported explosive growth of the Kimwolf botnet to 2+ million infected devices globally, with heavy concentrations including Vietnam, Brazil, India, Saudi Arabia, Russia, and the United States. Synthient assessed that roughly two-thirds of infections are insecure Android TV boxes, and described Kimwolf’s primary impact as large-scale abuse traffic (ad fraud, account takeover attempts, scraping) and high-capacity DDoS capable of disrupting major websites for extended periods. A key concern is Kimwolf’s propagation method: leveraging residential proxy networks to effectively tunnel “back” into home/SMB networks via proxy endpoints and then infect additional devices that users assume are protected behind NAT/firewalls and consumer routers.

KrebsOnSecurity further tied operational activity to the botnet controller, a threat actor using the handle “Dort,” who allegedly retaliated against a vulnerability discloser and the journalist with DDoS, doxing, email flooding, and an apparent SWATing incident. Open-source and commercial intelligence cited in the reporting linked “Dort” to historical aliases (e.g., CPacket, M1ce) and to accounts on cybercrime forums, and noted prior involvement in enabling abuse tooling (e.g., CAPTCHA-bypass code and temporary email services) and presence in communities associated with cybercrime groups (including references to LAPSUS$ chat activity).

Sources

Two sources, both dated February 28, 2026.

Related Stories

Kimwolf Android Botnet Compromises 1.8 Million Devices for DDoS and Proxy Attacks

The Kimwolf botnet has infected approximately 1.8 million Android-based devices worldwide, including smart TVs, set-top boxes, and tablets, making it one of the largest Android botnets identified to date. Security researchers from Xlab Qianxin and other organizations discovered that Kimwolf leverages advanced evasion techniques such as DNS over TLS and elliptic-curve digital signatures to bypass detection and secure command verification. The malware is distributed globally, with the highest infection rates in Brazil, India, and the United States, and is capable of launching destructive cyberattacks at scale due to its robust network infrastructure. Kimwolf is compiled using the Android NDK and provides attackers with a range of capabilities, including DDoS attacks, proxy forwarding, reverse shell access, and file management. The botnet has issued over 1.7 billion DDoS commands in a three-day period and has demonstrated resilience by shifting to Ethereum Name Service (ENS) for its command-and-control infrastructure after repeated domain takedowns. The infection mechanism involves an APK that extracts a native binary payload, ensuring persistence and single-instance execution on each device. The exact propagation method remains unclear, but the botnet's rapid evolution and global reach pose a significant threat to Android device security.

Kimwolf Botnet Infects Millions of Android TV Boxes and IoT Devices

The Kimwolf botnet has rapidly infected over 1.8 million Android-based devices worldwide, with security researchers warning that the true number may exceed 2 million. The malware primarily targets Android TV boxes, digital photo frames, and other IoT devices, many of which are distributed through major online retailers and often ship with weak security controls or pre-installed malicious software. Kimwolf leverages advanced techniques such as DNS-over-TLS, blockchain-based command and control via Ethereum Name Service (ENS), and residential proxy networks to evade detection and takedown efforts. The botnet enables attackers to launch high-volume DDoS attacks, monetize proxy bandwidth, and conduct lateral movement within local networks, posing a significant threat to both enterprise and consumer environments. Security experts have identified that two-thirds of Kimwolf infections are Android TV boxes lacking basic authentication, making them especially vulnerable. The operators behind Kimwolf, previously linked to the Aisuru botnet, are known for their technical sophistication and rapid adaptation to takedown attempts. Their monetization strategies include ad fraud, DDoS-for-hire services, and the resale of residential proxy bandwidth. The malware often spreads through bundled mobile apps and games, exploiting the global supply chain of low-cost Android devices. Organizations and individuals are urged to identify, isolate, and remediate infected devices to prevent further exploitation and participation in criminal infrastructure.

Kimwolf IoT Botnet Disrupts I2P While ISPs Sinkhole Its C2 Infrastructure

The **Kimwolf** “Internet of Things” botnet has been linked to major disruption of the anonymity network **I2P (Invisible Internet Project)** after botnet operators began using I2P to help evade takedown efforts against their command-and-control (C2) servers. I2P users reported that tens of thousands of new “routers” suddenly flooded the network, many unable to pass traffic, overwhelming I2P to the point that legitimate users could not connect; developers and users described extreme connection counts and a sharp drop in successful connections consistent with a large-scale availability attack. Separately, a major U.S. ISP reported actively **sinkholing/blocking traffic to hundreds of botnet C2 servers** associated with Kimwolf (and the related **Aisuru** botnet), citing more than **550** identified C2 endpoints over several months. Reporting attributes Kimwolf’s growth to at least **~2 million infected devices**, with operators leveraging compromised **Android TV set-top boxes** and scanning for exposed **Android Debug Bridge (ADB)** services to expand the botnet and monetize access via **residential proxy** infrastructure that makes malicious traffic appear to originate from consumer networks.
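The two propagation and evasion behaviours the reporting above keeps returning to (lateral connections to exposed ADB services from an already-infected LAN device, and DNS-over-TLS to resolvers the site never chose) are both visible in ordinary flow or firewall logs. The following is an added example, not code from the page or from any of the cited researchers; it triages constructed flow records for LAN-to-LAN connections to the default ADB port (TCP 5555) from hosts not approved to use adb, and for DoT sessions (TCP 853) to resolvers outside an allowlist. The LAN range, admin host and resolver allowlist are assumptions.

```python
# Added example (not from the page or the cited reporting): flag the two
# on-network behaviours described above in constructed flow records.
import ipaddress

ADB_PORT = 5555          # default "adb tcpip" listener on Android devices
DOT_PORT = 853           # DNS-over-TLS (RFC 7858)
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed site LAN
APPROVED_DOT = {"192.168.1.1"}                  # assumed: only the gateway resolver
ADMIN_HOSTS = {"192.168.1.10"}                  # assumed: the one host allowed to use adb

# Constructed flow records: (src, dst, dport, proto)
FLOWS = [
    ("192.168.1.10", "192.168.1.50", 5555, "tcp"),  # admin workstation -> TV box (expected)
    ("192.168.1.77", "192.168.1.50", 5555, "tcp"),  # photo frame -> TV box (lateral ADB)
    ("192.168.1.77", "192.168.1.51", 5555, "tcp"),  # same source, second TV box
    ("192.168.1.50", "192.168.1.1", 853, "tcp"),    # DoT to gateway (approved)
    ("192.168.1.50", "203.0.113.9", 853, "tcp"),    # DoT to an unknown resolver
    ("192.168.1.50", "198.51.100.4", 443, "tcp"),   # ordinary HTTPS, ignored
]

def triage(flows, lan=LAN, admin=ADMIN_HOSTS, approved_dot=APPROVED_DOT):
    """Return a sorted list of (category, src, dst) findings.

    lateral-adb    : LAN host that is not an approved admin host opened TCP 5555
                     on another LAN host (matches the ADB scanning behaviour).
    unapproved-dot : LAN host spoke DNS-over-TLS to a resolver not on the allowlist.
    """
    findings = set()
    for src, dst, dport, proto in flows:
        if proto != "tcp":
            continue
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dport == ADB_PORT and s in lan and d in lan and src not in admin:
            findings.add(("lateral-adb", src, dst))
        if dport == DOT_PORT and s in lan and dst not in approved_dot:
            findings.add(("unapproved-dot", src, dst))
    return sorted(findings)

def adb_targets(findings):
    """Devices that accepted ADB from a non-admin LAN host: candidates for
    unauthenticated ADB, i.e. the boxes to isolate and remediate first."""
    return sorted({dst for cat, _, dst in findings if cat == "lateral-adb"})

if __name__ == "__main__":
    for finding in triage(FLOWS):
        print(*finding)
    print("isolate first:", adb_targets(triage(FLOWS)))
```

A device that both accepted lateral ADB and started talking DoT to an unknown resolver is the strongest signal here; on real data, feed the script your flow exporter's records instead of FLOWS.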

