Kimwolf Botnet: How Hackers Profited from Millions of Compromised Android TVs
A destructive botnet called Kimwolf has infected over two million devices by compromising a vast number of unofficial Android TV streaming boxes. Recent investigations reveal how cybercriminals and associated services have benefitted from the botnet’s widespread reach, utilizing it for distributed denial-of-service (DDoS) attacks and facilitating malicious internet traffic through residential proxy services.
The Rise of Kimwolf and its Connection to Aisuru
On December 17, 2025, Chinese security firm XLab published a detailed report on Kimwolf, outlining its capabilities in launching DDoS attacks and acting as a relay for abusive internet traffic via “residential proxy” services. XLab’s research indicates a close relationship between Kimwolf and an earlier botnet, Aisuru, suggesting they share the same authors and infrastructure.
XLab researchers discovered “definitive evidence” linking the two botnets, noting shared code changes over time. This connection was confirmed on December 8, 2025, when both botnet strains were distributed from the same internet address: 93.95.112[.]59. The Hacker News reported that Kimwolf had infected 1.8 million Android TV devices and issued 1.7 billion DDoS commands within a three-day period in November 2025.
Resi Rack LLC: A Key Player in the Proxy Network
The internet address flagged by XLab, 93.95.112[.]59, is assigned to Resi Rack LLC, a company based in Lehi, Utah. Resi Rack markets itself as a “Premium Game Server Hosting Provider” but also advertises as a “Premium Residential Proxy Hosting and Proxy Software Solutions Company.”
Cassidy Hales, a co-founder of Resi Rack, stated the company was notified on December 10, 2025, about Kimwolf using their network and took immediate action to address the issue. However, investigations revealed that Resi Rack’s co-founders, Hales and Linus, were actively selling proxy services via the Discord server resi[.]to as early as late October 2025.
Synthient, a startup tracking proxy services, identified at least seven static Resi Rack IP addresses connected to Kimwolf proxy infrastructure between October and December 2025. KrebsOnSecurity detailed how members of the resi[.]to Discord channel shared IP addresses responsible for proxying traffic from Kimwolf-infected devices.
The Role of Dort and Snow
The owner of the resi[.]to Discord server used the username “D,” believed to be a reference to the hacker handle “There.” A Brazilian individual known as “Forky,” involved in the early marketing of the Aisuru botnet, identified “Dort” as a resident of Canada and one of the current operators of the Aisuru/Kimwolf botnet, alongside another individual nicknamed “Snow.”
Following the publication of the initial Kimwolf story, the resi[.]to Discord server was wiped and subsequently disappeared. Members then moved to a Telegram channel where they shared personal information and complained about finding reliable hosting for the botnet.
ByteConnect, Plainproxies and 3XK Tech: Facilitating Proxy Services
Reports from Synthient and XLab indicate Kimwolf was used to deploy programs that turned infected devices into internet traffic relays for multiple residential proxy services, including a software development kit (SDK) called ByteConnect, distributed by Plainproxies.
Plainproxies, led by Friedrich Kraft, advertises “unlimited” proxy pools, while ByteConnect claims to “monetize apps ethically.” However, Synthient’s analysis revealed that connecting to ByteConnect’s SDK resulted in a surge of credential-stuffing attacks targeting email servers and websites. Kraft also operates 3XK Tech GmbH, which Cloudflare identified in July 2025 as the largest source of application-layer DDoS attacks. XLab also noted that 3XK Tech was responsible for a significant portion of internet scanning related to a critical vulnerability in Palo Alto Networks products in November 2025.
Julia Levi, co-founder of ByteConnect and an employee of Plainproxies, previously worked for Netnut Proxy Network and Bright Data.
Maskify: Offering Low-Cost Proxies
Synthient’s report highlighted Maskify as another proxy provider heavily involved in selling Kimwolf proxies, currently advertising over six million residential internet addresses for rent. Maskify’s pricing, at 30 cents per gigabyte of data, is significantly lower than other providers, suggesting the proxies are not ethically sourced.
Botnet Response and Mitigation
Following the publication of the initial Kimwolf story, the botnet operators retaliated by launching a DDoS attack against Synthient’s website and doxing its founder, Benjamin Brundage, via Ethereum Name Service (ENS) records. XLab discovered that the Kimwolf operators had upgraded their infrastructure in mid-December to utilize ENS, making it more difficult to take down their control servers.
Both Synthient and XLab recommend disconnecting any Android TV streaming boxes matching affected models from the network, as they lack security protections and are easily compromised.
Keep reading