
A Stealthy Android Botnet Linked to AISURU and Its Record-Breaking DDoS Attacks


The botnet known as Kimwolf has infected more than 2 million Android devices by tunneling through residential proxy networks, according to findings from Synthient.

“Key actors involved in the Kimwolf botnet are observed monetizing the botnet through app installs, selling residential proxy bandwidth, and selling its DDoS functionality,” the company said in an analysis published last week.

QiAnXin XLab first publicly documented Kimwolf last month while outlining its connections to another botnet known as AISURU. Active since at least August 2025, researchers assess Kimwolf as an Android variant of AISURU. Moreover, growing evidence suggests the botnet sits behind a series of record-setting DDoS attacks that occurred late last year.

How Kimwolf Operates

The malware converts infected systems into conduits for relaying malicious traffic and orchestrating distributed denial-of-service (DDoS) attacks at scale. Notably, the vast majority of infections cluster in Vietnam, Brazil, India, and Saudi Arabia, with Synthient observing approximately 12 million unique IP addresses per week.

The attackers distributing the botnet have primarily targeted Android devices that expose an Android Debug Bridge (ADB) service to the network. They rely on a scanning infrastructure that routes through residential proxies to reach those devices and install the malware. At least 67% of the devices connected to the botnet ship with ADB enabled by default and no authentication on it.

Investigators suspect that many of these devices ship pre-infected with software development kits (SDKs) from proxy providers, which silently enlist them into the botnet. The most frequently compromised devices include unofficial Android-based smart TVs and set-top boxes.

Abuse of Commercial Proxy Infrastructure

As recently as December 2025, Kimwolf infections leveraged proxy IP addresses offered for rent by China-based IPIDEA. In response, IPIDEA implemented a security patch on December 27 to block access to local network devices and various sensitive ports. IPIDEA describes itself as the “world’s leading provider of IP proxy” with more than 6.1 million daily updated IP addresses and 69,000 daily new IP addresses.

In practice, the attackers leverage IPIDEA’s proxy network and other proxy providers, then tunnel through the local networks of systems running the proxy software to drop the malware. The main payload listens on port 40860 and connects to 85.234.91[.]247:1337 to receive further commands.

“The scale of this vulnerability was unprecedented, exposing millions of devices to attacks,” Synthient said.

Furthermore, the attacks infect devices with a bandwidth monetization service known as the Plainproxies Byteconnect SDK, signaling broader monetization efforts. The SDK relies on 119 relay servers that receive proxy tasks from a command-and-control server, which the compromised devices then execute.

Credential-Stuffing and Criminal Activity

Additionally, Synthient said it detected infrastructure that attackers used to conduct credential-stuffing attacks targeting IMAP servers and popular online websites.

“Kimwolf’s monetization strategy became apparent early on through its aggressive sale of residential proxies,” the company said. “By offering proxies as low as 0.20 cents per GB or $1.4K a month for unlimited bandwidth, it would gain early adoption by several proxy providers.”

“The discovery of pre-infected TV boxes and the monetization of these bots through secondary SDKs like Byteconnect indicates a deepening relationship between threat actors and commercial proxy providers.”

To reduce risk, experts recommend that proxy providers block requests to RFC 1918 addresses, which define private IP address ranges for internal networks. In addition, organizations should lock down devices running unauthenticated ADB shells to prevent unauthorized access.
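The first of those recommendations is an egress filter on the proxy exit node: refuse any relayed connection whose destination is a private or local address, so a rented residential IP cannot be used to reach devices on the host's own LAN. The following is an added example, not code from Synthient, IPIDEA or The Hacker News, that implements such a filter in Python and runs it over a few constructed proxy log lines. It extends the article's RFC 1918 advice with loopback, link-local and the IPv6 equivalents, unwraps IPv4-mapped IPv6 literals so a mapped private address cannot bypass the IPv4 checks, and also refuses the listener and C2 ports named in the article plus ADB-over-TCP (port 5555 is an assumption; the page does not state a port). Destinations given as hostnames are deferred, because the check must run on the resolved address to stay effective against DNS rebinding.

```python
import ipaddress
from typing import List, Optional, Tuple

# Ranges a residential exit node should never relay traffic to. The RFC 1918
# blocks are the article's recommendation; loopback, link-local and the IPv6
# counterparts are a defender's usual extension (assumption, not from the page).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]

# Ports not to relay regardless of destination. 40860 and 1337 are the listener
# and C2 ports named in the article; 5555 is ADB-over-TCP (assumption: the page
# does not give the port, but ADB is the service the infections target).
BLOCKED_PORTS = {5555, 40860, 1337}

# Constructed proxy access-log lines (not real telemetry) in the shape
# '<timestamp> exit=<exit ip> CONNECT <host>:<port>'.
SAMPLE_LOG = [
    "2026-01-05T10:00:01Z exit=203.0.113.7 CONNECT 192.168.1.20:5555",
    "2026-01-05T10:00:02Z exit=203.0.113.7 CONNECT example.org:443",
    "2026-01-05T10:00:03Z exit=203.0.113.9 CONNECT [::ffff:10.0.0.5]:80",
    "2026-01-05T10:00:04Z exit=203.0.113.9 CONNECT 198.51.100.4:40860",
]


def _normalize(ip_text: str):
    """Parse an IP literal, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d) so a
    mapped private IPv4 address is checked against the IPv4 ranges."""
    addr = ipaddress.ip_address(ip_text.strip("[]"))
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def blocked_reason(ip_text: str, port: int) -> Optional[str]:
    """Return why a CONNECT to ip:port must be refused, or None if it may be
    relayed. Call this on the resolved address, after DNS, so a name that
    rebinds to a private address is caught as well. Raises ValueError when
    ip_text is not an IP literal."""
    addr = _normalize(ip_text)
    for net in BLOCKED_NETWORKS:
        if addr in net:  # a v4/v6 version mismatch simply yields False
            return f"destination {addr} is inside {net}"
    if port in BLOCKED_PORTS:
        return f"port {port} is not relayed"
    return None


def _split_host_port(dest: str) -> Tuple[str, int]:
    """Split 'host:port' or '[v6]:port' into its parts."""
    if dest.startswith("["):
        host, _, port = dest[1:].partition("]:")
    else:
        host, _, port = dest.rpartition(":")
    return host, int(port)


def audit_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Classify each log line's destination as allow, block or defer."""
    verdicts = []
    for line in lines:
        dest = line.split("CONNECT ", 1)[1].strip()
        host, port = _split_host_port(dest)
        try:
            reason = blocked_reason(host, port)
        except ValueError:
            # Hostname, not a literal: resolve it, then re-check the address.
            verdicts.append((dest, "defer: resolve hostname, then re-check"))
            continue
        verdicts.append((dest, f"block: {reason}" if reason else "allow"))
    return verdicts


if __name__ == "__main__":
    for dest, verdict in audit_log(SAMPLE_LOG):
        print(f"{dest:32} {verdict}")
```

In a real exit node this check belongs at the point where the proxy has the final socket address, after name resolution and before the connect call; a check on the hostname string alone would let a name that resolves to 192.168.x.x through.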

Source: TheHackerNews

Read more at Impreza News
