Kimwolf Botnet: 2M+ Devices Infected, Targeting Gov & Corporate Networks

by Anika Shah - Technology
0 comments

Kimwolf Botnet: A Growing Threat to Corporate and Government Networks

A new Internet-of-Things (IoT) botnet, dubbed Kimwolf, has rapidly expanded to infect over 2 million devices, compelling compromised systems to participate in large-scale distributed denial-of-service (DDoS) attacks and facilitate other malicious internet traffic. Recent research indicates a surprisingly significant presence of Kimwolf within government and corporate networks, raising concerns about organizational security.

Rapid Growth and Exploitation of Residential Proxies

Kimwolf experienced rapid growth in late 2025 by exploiting residential proxy services to deliver malicious commands to devices on local networks. These proxy services, designed to anonymize and localize web traffic, allow customers to route internet activity through devices globally. The malware often arrives bundled with mobile apps and games, turning infected devices into relays for malicious activities like ad fraud, account takeover attempts, and content scraping.

The botnet primarily targeted proxies from IPIDEA, a Chinese service with millions of available endpoints. Kimwolf operators leveraged IPIDEA’s infrastructure to scan for and infect other vulnerable devices on connected local networks.

Targeting Android TV Streaming Boxes

The majority of systems compromised through Kimwolf’s local network scanning have been unofficial Android TV streaming boxes. These devices, often based on the Android Open Source Project (AOSP) rather than official Android TV OS or Play Protect certified versions, are frequently marketed as a means to access pirated streaming content. Many of these boxes ship with pre-installed residential proxy software and lack robust security features, making them easily compromised.

Prevalence in Corporate and Government Networks

Despite its association with residential proxies and streaming boxes, Kimwolf has infiltrated corporate and government environments. Infoblox reported that nearly 25% of its customers had queried a Kimwolf-related domain name since October 1, 2025, indicating the presence of at least one compromised device on their network [KrebsOnSecurity]. Affected customers span various sectors, including education, healthcare, government, and finance.

Synthient, a proxy tracking startup, discovered over 33,000 affected internet addresses at universities and colleges, and nearly 8,000 IPIDEA proxies within U.S. And foreign government networks [KrebsOnSecurity].

Spur, another proxy tracking service, identified residential proxies in nearly 300 government networks, 318 utility companies, 166 healthcare organizations, and 141 banking and finance companies [KrebsOnSecurity]. Riley Kilmer, Spur Co-Founder, highlighted the potential for attackers to use compromised devices as a foothold to pivot within targeted organizations.

Kimwolf and the Broader DDoS Landscape

Kimwolf is one of several botnets driving a surge in DDoS attacks. Alongside Aisuru and Mirai, it contributes to a new era of relentless DDoS activity, exploiting insecure IoT and consumer devices [Barracuda]. Cloudflare reported a 121% increase in DDoS attacks in 2025, totaling 47.1 million incidents [TheHackerNews]. In November 2025, the AISURU/Kimwolf botnet launched a record-setting attack peaking at 31.4 Tbps [TheHackerNews].

Looking Ahead

The Kimwolf botnet exemplifies the growing threat posed by insecure IoT devices and the exploitation of residential proxy networks. As the botnet ecosystem continues to evolve, organizations must prioritize securing their networks and devices to mitigate the risk of compromise and participation in malicious activities. Further investigation is ongoing into the individuals and companies connected to the Badbox 2.0 botnet, a collective of vulnerable Android TV streaming box models.

Related Posts

Leave a Comment