Somewhere in your network, a cheap Android TV box is quietly relaying attack traffic to targets across the globe. It doesn’t show up on your asset inventory. It passed no security review. And right now, it might be part of a 2-million-device botnet called Kimwolf.
TL;DR
- Kimwolf has infected over 2 million devices — primarily cheap Android TV boxes and IoT devices — making it one of the largest active botnets in 2026
- It spreads through residential proxy networks, pivoting into local LANs to find and infect new targets — meaning corporate and government networks are exposed
- Nearly 25% of Infoblox’s global customer base queried Kimwolf-related domains, with infections found in 298 government networks, healthcare, and banking
- The botnet uses blockchain-based C2, DNS-over-TLS, and encrypted communications to resist takedowns — and rebuilt to 2 million nodes within days after losing 600,000 devices
- In February 2026, Kimwolf launched a Sybil attack against the I2P anonymity network, attempting to use it as backup C2 infrastructure
Why This Matters to You
Even if you don’t run Android TV boxes, Kimwolf is likely already touching your network. The botnet’s ability to pivot through residential proxy endpoints means any employee working from home — or any IoT device sharing your network — could be an entry point. This isn’t a consumer-only problem. It’s an enterprise threat hiding in plain sight.
What Is Kimwolf?
Kimwolf is an IoT botnet first identified in October 2025 by researchers at XLab (QiAnXin’s security research lab) and Synthient, a startup specializing in proxy network abuse detection. The name comes from the malware’s runtime output and its use of the wolfSSL cryptographic library.
At its core, Kimwolf is an evolution of the Aisuru botnet — redesigned to be stealthier and harder to take down. While Aisuru relied on traditional command-and-control infrastructure, Kimwolf introduced blockchain-based C2 domains, TLS-encrypted communications, and the ability to spread through residential proxy networks into victims’ local networks.
Kimwolf by the Numbers
| Metric | Value |
|---|---|
| Infected devices | 2+ million (peak: 1.83M simultaneous on Dec 4, 2025) |
| Countries affected | 222 |
| Estimated DDoS power | ~30 Tbps |
| DDoS attack vectors | 13 (Mirai-derived) |
| C2 nodes disrupted | 550+ (by Lumen Black Lotus Labs) |
| Recovery time after takedown | Days |
How Kimwolf Spreads: The Residential Proxy Trick
Most botnets spread by scanning the internet for vulnerable devices. Kimwolf does this too — but it added a devastating twist.
Exploiting Proxy Networks from the Inside
Many cheap Android TV boxes and streaming devices ship with residential proxy software pre-installed. Services like IPIDEA — which claims access to over 100 million endpoints — pay device manufacturers to bundle proxy SDKs (Software Development Kits) into their products. When you buy a $30 streaming box, it’s not just playing your movies. It’s also routing internet traffic for paying customers.
Kimwolf’s operators discovered they could send commands through these proxy networks to reach devices on the proxy endpoint’s local network. Here’s how the attack chain works:
- Entry via proxy service — Attackers connect to a residential proxy endpoint (an infected TV box on someone’s home or office network)
- DNS bypass — They use crafted DNS records pointing to internal addresses like 192.168.0.1 or 0.0.0.0, circumventing restrictions that should block access to local network ranges
- LAN scanning — Once inside the local network, the malware scans for other vulnerable devices — routers, IoT gadgets, additional TV boxes
- Infection and expansion — Vulnerable devices get compromised, joining the botnet and becoming new proxy endpoints themselves
This creates a self-reinforcing feedback loop. Every new infection creates another scanning node, which finds more victims, which creates more scanners. In December 2025, Kimwolf exploited 2 million IPIDEA proxy addresses in a single week.
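A defensive counterpart to the DNS bypass step above, added here as an example and not taken from any proxy vendor's SDK or from the page: a destination-vetting routine that a proxy exit node (or any egress proxy) can run before forwarding a request. It resolves the hostname once, refuses the whole name if any resolved address falls in an internal range (including the 0.0.0.0 and 192.168.0.1 cases named above, and IPv4-mapped IPv6 forms of them), and hands back only vetted addresses for the actual connect. The hostnames and the resolver table are constructed for the demo.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Ranges a residential proxy exit must never forward traffic into. Beyond the
# RFC 1918 blocks and loopback this covers 0.0.0.0/8 ("this host"), link-local
# 169.254/16, carrier-grade NAT, multicast/reserved space and the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def is_blocked_address(addr: str) -> bool:
    """True if addr lies in a range the proxy exit must not reach."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 literal (::ffff:192.168.0.1) reaches the same LAN host,
    # so unwrap it and apply the IPv4 table to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolve(hostname: str) -> List[str]:
    """Resolve via the OS resolver; IP literals come back unchanged."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def vet_destination(hostname: str,
                    resolve: Callable[[str], Iterable[str]] = system_resolve) -> List[str]:
    """Resolve hostname and return the addresses the exit may connect to.

    All-or-nothing: if even one resolved address is internal the whole name is
    refused, because whoever controls the zone can otherwise mix a public record
    with a LAN one and let the client pick the LAN one. The caller must connect
    to an address from the returned list and never resolve the name again.
    """
    addrs = list(resolve(hostname))
    if not addrs:
        raise ValueError(f"{hostname}: no addresses")
    internal = [a for a in addrs if is_blocked_address(a)]
    if internal:
        raise PermissionError(f"{hostname} resolves to internal address(es): {internal}")
    return addrs


# Constructed resolver table standing in for DNS so the example runs offline.
# The hostnames are hypothetical; the addresses mirror the attack chain above.
FAKE_DNS: Dict[str, List[str]] = {
    "cdn.example.net":       ["203.0.113.10"],              # ordinary public host
    "lan-pivot.example.net": ["192.168.0.1"],               # crafted record at the LAN gateway
    "zero.example.net":      ["0.0.0.0"],                   # the 0.0.0.0 variant
    "mixed.example.net":     ["203.0.113.10", "10.0.0.5"],  # public + private mix
    "v6map.example.net":     ["::ffff:192.168.0.1"],        # IPv4-mapped dodge
}


def fake_resolve(hostname: str) -> List[str]:
    return FAKE_DNS.get(hostname, [])


def check_all(names: Iterable[str]) -> Dict[str, Optional[List[str]]]:
    """Vet each name against the constructed table; None means the exit refused it."""
    results: Dict[str, Optional[List[str]]] = {}
    for name in names:
        try:
            results[name] = vet_destination(name, fake_resolve)
        except (PermissionError, ValueError):
            results[name] = None
    return results


if __name__ == "__main__":
    for name, allowed in check_all(FAKE_DNS).items():
        print(f"{name:24s} {'ALLOW ' + ','.join(allowed) if allowed else 'REFUSE'}")
```

The all-or-nothing rule and "connect to the vetted address, not the name" matter as much as the block list: a guard that resolves, approves, and then lets the HTTP library resolve the name a second time reopens exactly the window a crafted record relies on. Running the file directly prints an ALLOW/REFUSE line per constructed name.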
Android Debug Bridge: The Open Door
The second major infection vector is even simpler. Many unofficial Android TV boxes ship with Android Debug Bridge (ADB) enabled by default on port 5555 — with no authentication required. ADB is a developer tool that provides full shell access to the device. Leaving it open and exposed is like leaving your front door unlocked with a sign that says “come in.”
Kimwolf scans for open ADB ports at scale, connects, and deploys its payload. The infection chain looks like this:
- APK delivered via downloader servers
- Boot receiver establishes persistence — the malware survives device restarts
- Kimwolf ELF binary extracted from embedded resources
- Privilege escalation via su to gain root access
- Process disguised as netd_services or tv_helper to blend in with legitimate system processes
Inside Corporate and Government Networks
In January 2026, Infoblox published findings that shocked the security community: nearly 25% of their global customer base had made DNS queries to Kimwolf-related domains since October 2025. These weren’t home users — they were enterprise and government customers across every industry vertical.
Who’s Affected?
Research from Spur, a network intelligence firm, mapped IPIDEA proxy endpoints to specific organizations and found:
| Sector | Affected Networks |
|---|---|
| Government | ~298 networks (including significant DoD presence) |
| Utilities | 318 companies |
| Healthcare | 166 facilities |
| Banking/Finance | 141 organizations |
| Education | 33,000+ affected addresses across universities |
The implication is severe. As Spur co-founder Riley Kilmer explained: if you know you have proxy infections on a specific network, you can choose to exit through that network and then pivot locally. This means an attacker could route their traffic to appear as if it’s coming from inside a hospital’s network, a bank’s infrastructure, or a government facility — and then scan for additional targets from the inside.
How Did They Get In?
The path is deceptively simple. An employee buys a cheap Android TV box for their office break room. Or brings one from home. The device connects to the corporate WiFi. Its pre-installed proxy SDK phones home to IPIDEA. Kimwolf’s operators route commands through that proxy endpoint. Suddenly, the attacker has a foothold inside the corporate network — and the device isn’t on anyone’s asset inventory.
Technical Architecture: Built to Survive
Kimwolf isn’t technically complex — XLab noted its core functions are straightforward. But its resilience engineering is sophisticated.
Encrypted C2 Communications
The botnet uses a three-stage TLS-encrypted handshake:
- Register — Bot connects with magic header FD9177FF
- Verify — C2 sends an ECDSA-signed challenge; bot validates using a hardcoded public key
- Confirm — Bot reports its group identifier; C2 confirms and begins issuing commands
This mutual authentication prevents researchers from easily impersonating C2 servers or injecting commands into the botnet.
Blockchain-Based C2 Domains
When traditional C2 domains get taken down, Kimwolf falls back to Ethereum Name Service (ENS) domains. The domain pawsatyou.eth stores C2 server addresses in Ethereum text records, with IP addresses obfuscated using XOR operations. Since blockchain records can’t be seized or modified by law enforcement, this makes the botnet’s command infrastructure extremely resilient.
DNS-over-TLS Evasion
All DNS resolution happens over TLS (port 853) through public resolvers like 8.8.8.8 and 1.1.1.1. This encrypts DNS queries, making it harder for network security tools to inspect and block malicious domain lookups.
Rapid Rebuild Capability
Perhaps the most concerning feature: Kimwolf can rebuild itself from near-zero to 2 million devices within days. When less-experienced developers on the team made operational mistakes that cost the botnet over 600,000 nodes, it recovered almost immediately by re-exploiting proxy endpoints. As long as vulnerable devices exist on residential proxy networks, the botnet has an almost infinite pool of targets.
The I2P Sybil Attack: A New Frontier
On February 3, 2026, Kimwolf’s operators attempted something unprecedented: they tried to take over the I2P anonymity network to use it as backup C2 infrastructure.
I2P (Invisible Internet Project) is a peer-to-peer anonymity network similar to Tor but designed for internal services. It normally operates with 15,000–20,000 active nodes. Kimwolf attempted to join approximately 700,000 compromised devices as I2P nodes simultaneously.
This is called a Sybil attack — flooding a peer-to-peer network with fake identities controlled by a single entity. The results were catastrophic for I2P:
- Network capacity dropped to roughly 50% of normal
- Users reported their routers freezing when connection counts exceeded 60,000
- Legitimate nodes became unreachable
- Service disruption lasted approximately one week
The attack revealed Kimwolf’s strategic thinking: by embedding itself in I2P, the botnet would gain an almost untraceable command channel that could survive traditional takedown efforts. The operators discussed their plans openly in Discord channels — a level of carelessness that suggests either overconfidence or inexperience.
From Aisuru to Kimwolf: Evolution and Monetization
The connection between Kimwolf and the earlier Aisuru botnet is well-established. XLab found strong technical and operational links between the two, and Synthient’s founder Benjamin Brundage identified Kimwolf as a new Android-based variant of Aisuru as early as October 2025.
The operators monetize the botnet through multiple channels:
- DDoS-for-hire — Selling attack capabilities estimated at 30 Tbps
- Residential proxy bandwidth — Reselling access to infected devices as proxy endpoints
- App install fraud — Forcing installations of applications for advertising revenue
- Ad fraud — Generating fake ad impressions and clicks
- Account takeover — Using the proxy network to conduct credential stuffing attacks
- Content scraping — Mass data collection operations routed through residential IPs
Lumen’s Black Lotus Labs null-routed traffic to over 550 C2 nodes since October 2025, but the botnet’s blockchain-based fallback infrastructure and rapid rebuild capability have limited the impact of these disruptions.
Detection: What to Look For
Network-Level Indicators
- DNS queries to known Kimwolf C2 domains (see IOC section below)
- DNS-over-TLS traffic (port 853) from devices that shouldn’t be using it — especially IoT devices
- Unusual internal scanning — devices on your network probing other hosts on ports 5555 (ADB), 5060 (SIP), or conducting ARP sweeps
- Traffic to IPIDEA proxy infrastructure — if devices on your network are routing traffic for residential proxy services, you may already be exposed
Host-Level Indicators
- Processes named netd_services or tv_helper on Android devices
- Unix domain sockets matching the pattern @niggaboxv[number]
- Outbound connections to Ethereum ENS resolution services from IoT devices
- APK hashes matching known Kimwolf samples (see IOCs below)
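To check an Android box for the host-level indicators above, here is an added example (not from XLab's, Synthient's or the page's own tooling) that parses the text returned by three commands an administrator would run over ADB: ps -A, cat /proc/net/unix, and getprop service.adb.tcp.port (the standard Android property that switches ADB onto a TCP port). The process and socket names are the page's indicators; the sample command outputs are constructed.

```python
import re
from typing import Dict, List

# Process names the page reports Kimwolf using on infected boxes. A bare "netd"
# is Android's legitimate network daemon; only the suffixed imitation is suspect.
SUSPICIOUS_PROCESS_NAMES = {"netd_services", "tv_helper"}

# Abstract Unix socket naming pattern from the page's host indicators.
# Abstract sockets show up in /proc/net/unix with a leading "@".
SUSPICIOUS_SOCKET_RE = re.compile(r"^@niggaboxv\d+$")


def find_suspicious_processes(ps_output: str) -> List[Dict[str, str]]:
    """Parse `ps -A` output (toybox layout, NAME last) and return matching rows."""
    lines = ps_output.strip().splitlines()
    if not lines:
        return []
    header = lines[0].split()
    name_col = len(header) - 1
    hits = []
    for line in lines[1:]:
        cols = line.split(None, name_col)   # keep spaces inside NAME intact
        if len(cols) != len(header):
            continue
        row = dict(zip(header, cols))
        basename = row["NAME"].rsplit("/", 1)[-1]
        if basename in SUSPICIOUS_PROCESS_NAMES:
            hits.append(row)
    return hits


def find_suspicious_sockets(proc_net_unix: str) -> List[str]:
    """Parse /proc/net/unix and return abstract socket names matching the pattern."""
    hits = []
    for line in proc_net_unix.strip().splitlines()[1:]:
        parts = line.split()
        if len(parts) < 8:          # unnamed sockets have no Path column
            continue
        if SUSPICIOUS_SOCKET_RE.match(parts[7]):
            hits.append(parts[7])
    return hits


def adb_over_tcp_enabled(getprop_value: str) -> bool:
    """True if `getprop service.adb.tcp.port` reports a port, i.e. ADB listens on the network."""
    value = getprop_value.strip()
    return value.isdigit() and int(value) > 0


def assess_device(ps_output: str, proc_net_unix: str, adb_port_prop: str) -> Dict[str, object]:
    """Combine the three checks into one verdict for a device."""
    procs = find_suspicious_processes(ps_output)
    socks = find_suspicious_sockets(proc_net_unix)
    return {
        "suspicious_processes": [(p["PID"], p["NAME"]) for p in procs],
        "suspicious_sockets": socks,
        "adb_over_tcp": adb_over_tcp_enabled(adb_port_prop),
        "likely_infected": bool(procs or socks),
    }


# Constructed samples imitating what `adb shell ps -A`, `adb shell cat /proc/net/unix`
# and `adb shell getprop service.adb.tcp.port` return on a compromised box.
PS_SAMPLE = """\
USER           PID  PPID     VSZ    RSS WCHAN            ADDR S NAME
root             1     0   10440   1648 0                   0 S init
root           412     1   12888   2216 0                   0 S netd
shell         1337   412   23412   3120 0                   0 S netd_services
u0_a45        2210   598  987564  65432 0                   0 S com.android.tv.settings
root          2401     1   18764   2980 0                   0 S tv_helper
"""

UNIX_SAMPLE = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 12345 @niggaboxv3
0000000000000000: 00000002 00000000 00010000 0001 01 12346 /dev/socket/netd
0000000000000000: 00000003 00000000 00000000 0001 03 12347
0000000000000000: 00000002 00000000 00010000 0001 01 12348 @jdwp-control
"""

ADB_PORT_SAMPLE = "5555\n"


def run_demo() -> Dict[str, object]:
    return assess_device(PS_SAMPLE, UNIX_SAMPLE, ADB_PORT_SAMPLE)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Collect the three inputs with adb shell and pass the text to assess_device(). On some builds SELinux stops the shell user from reading /proc/net/unix, so the socket check may need root; the legitimate netd daemon is deliberately left out of the match set so a healthy device does not trip the process check.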
Key IOCs
C2 Domains:
- 14emeliaterracewestroxburyma02132[.]su
- rtrdedge1.samsungcdn[.]cloud
- staging.pproxy1[.]fun
- api.groksearch[.]net
- zachebt.chachasli[.]de
- pawsatyou[.]eth (ENS blockchain domain)
Sample Hashes (MD5):
- APK: 887747dc1687953902488489b805d965
- ELF: 2078af54891b32ea0b1d1bf08b552fe8
- ELF: 1c03d82026b6bcf5acd8fc4bcf48ed00
Downloader Infrastructure:
93.95.112.50–55, 93.95.112.59 (AS397923)
You can also check whether your public IP is associated with Kimwolf infections at synthient.com/check.
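Putting the network-level indicators and the IOC list above into one hunting script: this is an added example, not the page's or any vendor's tooling. It runs over DNS query logs and flow records in a constructed line format (real logs need their own parser) and reports four things: lookups of the listed C2 domains (de-fanged entries are refanged first), DNS-over-TLS on port 853 from an IoT/media VLAN (10.20.0.0/24 here is a hypothetical subnet), contact with the downloader address block, and hosts touching port 5555 on many peers, which is the ADB scanning pattern. The sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional

# C2 domains from the IOC list above, kept de-fanged as published.
KIMWOLF_DOMAINS_DEFANGED = [
    "14emeliaterracewestroxburyma02132[.]su",
    "rtrdedge1.samsungcdn[.]cloud",
    "staging.pproxy1[.]fun",
    "api.groksearch[.]net",
    "zachebt.chachasli[.]de",
    "pawsatyou[.]eth",
]
# Downloader infrastructure from the IOC list: 93.95.112.50-55 and 93.95.112.59.
DOWNLOADER_IPS = {f"93.95.112.{n}" for n in range(50, 56)} | {"93.95.112.59"}


def refang(domain: str) -> str:
    return domain.replace("[.]", ".").lower().rstrip(".")


KIMWOLF_DOMAINS = [refang(d) for d in KIMWOLF_DOMAINS_DEFANGED]

# Constructed log layouts (hypothetical, not any product's real format):
#   DNS:  <timestamp> <client-ip> <qtype> <qname>
#   Flow: <timestamp> <src-ip> <dst-ip> <dst-port> <proto>
DNS_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")
FLOW_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<proto>\S+)$")


def matches_c2_domain(qname: str) -> Optional[str]:
    """Return the IOC domain that qname equals or sits under, else None."""
    q = refang(qname)
    for d in KIMWOLF_DOMAINS:
        if q == d or q.endswith("." + d):
            return d
    return None


def hunt(dns_lines: Iterable[str], flow_lines: Iterable[str],
         iot_subnets: Iterable[str], scan_threshold: int = 5) -> Dict[str, list]:
    """Return Kimwolf-related findings from DNS and flow records."""
    iot_nets = [ipaddress.ip_network(n) for n in iot_subnets]

    def in_iot(addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in iot_nets)

    findings: Dict[str, list] = {
        "c2_dns": [],              # (client, qname, matched IOC)
        "dot_from_iot": [],        # (src, resolver) port-853 flows from IoT space
        "downloader_contact": [],  # (src, dst, dport)
        "adb_scanners": [],        # sources hitting >= scan_threshold peers on 5555
    }
    for line in dns_lines:
        m = DNS_LOG_RE.match(line.strip())
        if not m:
            continue
        hit = matches_c2_domain(m["qname"])
        if hit:
            findings["c2_dns"].append((m["client"], m["qname"], hit))

    adb_peers: Dict[str, set] = defaultdict(set)
    for line in flow_lines:
        m = FLOW_LOG_RE.match(line.strip())
        if not m:
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if dport == 853 and in_iot(src):
            findings["dot_from_iot"].append((src, dst))
        if dst in DOWNLOADER_IPS:
            findings["downloader_contact"].append((src, dst, dport))
        if dport == 5555:
            adb_peers[src].add(dst)
    findings["adb_scanners"] = sorted(
        src for src, peers in adb_peers.items() if len(peers) >= scan_threshold)
    return findings


# Constructed sample records; 10.20.0.17 plays the infected TV box.
DNS_SAMPLE = """\
2026-01-14T10:02:11Z 10.20.0.17 A api.groksearch.net
2026-01-14T10:02:12Z 10.20.0.17 A staging.pproxy1.fun.
2026-01-14T10:02:30Z 10.1.5.40 A www.example.com
2026-01-14T10:02:45Z 10.1.5.41 A cdn.samsungcdn.cloud
"""
FLOW_SAMPLE = """\
2026-01-14T10:03:00Z 10.20.0.17 8.8.8.8 853 tcp
2026-01-14T10:03:01Z 10.1.5.40 8.8.8.8 853 tcp
2026-01-14T10:03:05Z 10.20.0.17 93.95.112.52 80 tcp
2026-01-14T10:03:10Z 10.20.0.17 10.20.0.21 5555 tcp
2026-01-14T10:03:10Z 10.20.0.17 10.20.0.22 5555 tcp
2026-01-14T10:03:11Z 10.20.0.17 10.20.0.23 5555 tcp
2026-01-14T10:03:11Z 10.20.0.17 10.20.0.24 5555 tcp
2026-01-14T10:03:12Z 10.20.0.17 10.20.0.25 5555 tcp
2026-01-14T10:03:20Z 10.1.5.40 10.20.0.21 5555 tcp
"""
IOT_SUBNETS = ["10.20.0.0/24"]   # hypothetical media/IoT VLAN


def run_demo() -> Dict[str, list]:
    return hunt(DNS_SAMPLE.splitlines(), FLOW_SAMPLE.splitlines(), IOT_SUBNETS)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Tune scan_threshold to your network's baseline and extend IOT_SUBNETS to every VLAN where media and IoT devices live. The domain match is exact-or-subdomain against the IOCs as published, so the parent zone of a listed host (samsungcdn.cloud in the sample) is not flagged on its own; widen the list when your own intelligence supports it.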
What You Can Do Today
For Home Users
- Avoid cheap no-brand Android TV boxes. Stick with established brands (Google Chromecast, Apple TV, Amazon Fire TV, Nvidia Shield). The $30 you save isn’t worth becoming a botnet node.
- Isolate IoT devices on a separate VLAN or guest WiFi network. This prevents a compromised TV box from scanning your computers and NAS.
- Disable ADB on any Android device you own. If you don’t know what ADB is, you don’t need it enabled.
- Power-cycle your router periodically to obtain a new public IP, making it harder for the botnet to maintain persistent access.
For Organizations
- Asset inventory everything — including break room TVs, digital signage, and employee-brought devices. If it has an IP address, it needs to be tracked.
- Network segmentation — IoT and media devices should never share a network segment with production systems, databases, or domain controllers.
- DNS monitoring — Block known Kimwolf C2 domains and alert on DNS-over-TLS (port 853) traffic from unexpected devices. If your DNS security strategy doesn’t cover IoT devices, now is the time to fix that.
- Block residential proxy traffic at the perimeter. Services like Spur can help identify proxy-associated IP ranges.
- Hunt proactively — Search your network logs for connections to the IOCs listed above. Check for internal scanning patterns that could indicate lateral movement from a compromised device.
- Establish a BYOD policy that covers IoT devices, not just laptops and phones. That cheap streaming box an employee plugged in could be your weakest link.
The Bigger Picture
Kimwolf is a symptom of a deeper problem in the IoT ecosystem. Manufacturers ship devices with debug interfaces exposed, proxy SDKs pre-installed, and zero security hardening — because security costs money and consumers buy on price. Until that incentive structure changes, botnets like Kimwolf will continue to find millions of ready-made victims.
The residential proxy angle is particularly alarming for enterprises. Traditional network security assumes a clear boundary between “inside” and “outside.” Kimwolf erases that boundary by tunneling through legitimate proxy services into your internal network. The device that’s inside your perimeter was compromised before it ever arrived.
As our honeypot data from January 2026 showed, botnet infrastructure expanded by 50% in a single month — from 163,000 to 248,000 unique attacking hosts. Kimwolf is a major contributor to that growth, and there’s no sign of it slowing down.
Related Posts
- Honeypot Threat Landscape January 2026 — How global attack traffic is shifting toward database and IoT targets
- Why You Should Change Your DNS — DNS security fundamentals that help detect C2 communications
- Home Computer Security: Mandatory Actions — Essential security steps for home networks where IoT devices live
- Digital Parasite: Attacker Tradecraft 2026 — How modern attackers abuse legitimate infrastructure to hide in plain sight
Sources
- The Kimwolf Botnet is Stalking Your Local Network — Krebs on Security
- Kimwolf Botnet Lurking in Corporate, Govt. Networks — Krebs on Security
- Kimwolf Botnet Swamps Anonymity Network I2P — Krebs on Security
- Kimwolf Exposed: The Massive Android Botnet — XLab
- A Broken System Fueling Botnets — Synthient
- Researchers Null-Route Over 550 Kimwolf and Aisuru C2 Servers — The Hacker News
- Kimwolf: Possible Aisuru Successor — FastNetMon
