Kimwolf Android Botnet Infects Over 2 Million Devices
- Jan 5
Key Findings
The Kimwolf Android botnet has infected over 2 million devices, primarily through the exploitation of residential proxy networks.
The botnet primarily targets low-cost, unofficial Android TV boxes that are left insecure or intentionally configured as proxy nodes.
Kimwolf is believed to be an Android variant of the AISURU botnet, with connections to a series of record-setting DDoS attacks.
The botnet uses a scanning infrastructure that leverages residential proxies to install the malware on devices with exposed ADB services.
Kimwolf has been observed monetizing the infections through the installation of third-party proxy SDKs, enabling credential-stuffing attacks and bandwidth resale.
The majority of the infections are concentrated in Vietnam, Brazil, India, and Saudi Arabia, with Synthient observing around 12 million unique IP addresses per week.
Background
The Kimwolf botnet was first publicly documented by QiAnXin XLab last month, while the researchers were investigating its connections to the AISURU botnet. The malware has been active since at least August 2025 and is now assessed to be an Android variant of the AISURU botnet.
Botnet Expansion through Residential Proxies
Kimwolf's rapid growth is attributed to its novel use of residential proxy networks to reach vulnerable devices: the botnet's scanning infrastructure sends its traffic through residential proxies and installs the malware on devices with exposed ADB services. Synthient found that around 67% of the connected devices are unauthenticated, with ADB enabled by default.
Monetization Strategies
In addition to capturing the proxy traffic, Kimwolf has been observed monetizing the infections through the installation of third-party proxy SDKs, such as Byteconnect. This enables the botnet operators to engage in credential-stuffing attacks and bandwidth resale, further expanding their revenue streams.
Widespread Infections and Geographic Distribution
The vast majority of the Kimwolf infections are concentrated in Vietnam, Brazil, India, and Saudi Arabia, with Synthient observing approximately 12 million unique IP addresses per week. This suggests a significant and widespread botnet infrastructure across multiple regions.
Mitigating the Threat
To address the Kimwolf threat, it is recommended that proxy providers block requests to RFC 1918 addresses, and that organizations lock down devices running unauthenticated ADB shells to prevent unauthorized access. Intelligence sharing and coordinated response are crucial in countering this rapidly evolving, large-scale threat.
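The first recommendation above is an egress filter at the proxy exit: a request that arrives through a residential proxy must not be forwarded to an address that is only reachable from inside the exit device's own network, which is how the scanning infrastructure reaches ADB on neighbouring devices. The following is an added example, not code from the article or from Synthient or XLab, of such a filter. It checks the RFC 1918 ranges the article names and, as a labelled generalization, also rejects loopback, link-local, RFC 6598 shared address space and the IPv6 equivalents, and unwraps IPv4-mapped IPv6 addresses so `::ffff:10.0.0.5` is not treated as a public destination. The sample request list is constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Destinations a residential proxy exit should refuse to forward to.
# The three RFC 1918 ranges are what the article recommends blocking;
# the remaining entries are an added generalization (assumption): any
# address that is only meaningful from inside the exit's own network
# is abusable in the same way.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),        # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),     # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),    # RFC 1918
    ipaddress.ip_network("127.0.0.0/8"),       # loopback (generalization)
    ipaddress.ip_network("169.254.0.0/16"),    # link-local (generalization)
    ipaddress.ip_network("100.64.0.0/10"),     # RFC 6598 shared/CGNAT (generalization)
    ipaddress.ip_network("::1/128"),           # IPv6 loopback (generalization)
    ipaddress.ip_network("fc00::/7"),          # IPv6 unique-local (generalization)
    ipaddress.ip_network("fe80::/10"),         # IPv6 link-local (generalization)
]


def normalize(addr: str) -> IPAddress:
    """Parse a textual destination address, stripping URL-style brackets
    and unwrapping IPv4-mapped IPv6 so the IPv4 rules apply to it."""
    ip = ipaddress.ip_address(addr.strip("[]"))
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def is_blocked_destination(addr: str) -> bool:
    """True if the proxy exit must refuse to connect to this address.
    Unparseable input fails closed: a filter that cannot read the
    destination should not forward the request."""
    try:
        ip = normalize(addr)
    except ValueError:
        return True
    return any(ip in net for net in BLOCKED_NETWORKS)


def filter_requests(
    requests: Iterable[Tuple[str, int]],
) -> Tuple[List[Tuple[str, int]], List[Tuple[str, int]]]:
    """Split (dest_ip, port) pairs into those the exit may forward and
    those it must reject. The caller resolves hostnames first; checking
    the name instead of the resolved address lets a DNS record that
    points at 192.168.x.x slip through."""
    allowed, rejected = [], []
    for dest, port in requests:
        (rejected if is_blocked_destination(dest) else allowed).append((dest, port))
    return allowed, rejected


# Constructed sample of requests as a proxy exit might see them.
SAMPLE_REQUESTS = [
    ("93.184.216.34", 443),       # ordinary public destination
    ("192.168.1.1", 80),          # RFC 1918: a router on the exit's LAN
    ("::ffff:10.0.0.5", 5555),    # RFC 1918 hidden behind an IPv4-mapped IPv6 form
    ("172.31.255.254", 5555),     # last address of 172.16.0.0/12
    ("172.32.0.1", 5555),         # just outside RFC 1918, forwarded
    ("2606:4700::1111", 443),     # public IPv6
    ("not-an-address", 80),       # unparseable: fail closed
]

if __name__ == "__main__":
    ok, bad = filter_requests(SAMPLE_REQUESTS)
    for dest, port in bad:
        print(f"REJECT {dest}:{port}")
    for dest, port in ok:
        print(f"FORWARD {dest}:{port}")
```

Port 5555 is the default ADB-over-TCP port, but the filter deliberately keys on the destination address rather than the port: a blanket private-range block closes off every service on the exit's local network, not just the one this campaign happens to use.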
Sources
https://securityaffairs.com/186559/malware/kimwolf-botnet-leverages-residential-proxies-to-hijack-2m-android-devices.html
https://thehackernews.com/2026/01/kimwolf-android-botnet-infects-over-2.html