Kimwolf Botnet Compromises 2 Million Devices, Turning Users’ Internet Connections into Proxy Nodes
A formidable new malware strain, dubbed Kimwolf, has clandestinely infiltrated over 2 million devices globally, converting them into unauthorized proxy servers without the owners’ knowledge. This rapidly expanding botnet is currently being exploited to perpetrate online fraud, execute potent cyberattacks, and exfiltrate sensitive information from millions of unsuspecting users.
Security researchers uncovered this alarming development in late 2025, revealing a sophisticated attack vector that exploits vulnerabilities in popular proxy networks’ security protocols. The primary targets are inexpensive Android TV boxes and digital photo frames available online, many of which are shipped with pre-configured, insecure settings.
Benjamin Brundage, a 22-year-old cybersecurity researcher and founder of Synthient, initiated an investigation into Kimwolf in October 2025 while preparing for his final exams at the Rochester Institute of Technology. His research exposed a disturbing pattern: the malware proliferates by exploiting a flaw in the security measures of the world’s largest residential proxy services.
Brundage discovered that attackers could circumvent security protocols by manipulating DNS settings to access private home networks through infected proxy devices. He identified a critical vulnerability in IPIDEA, the largest proxy network, which allowed cybercriminals to tunnel into home networks and deploy malware on connected devices without any authentication barriers.
The attack methodology combines the inherent security weaknesses of low-cost streaming devices with the vulnerabilities present in proxy networks. Attackers scan the networks behind proxy endpoints for devices that have Android Debug Bridge (ADB) enabled over the network. They then run a single command, "adb connect [device-ip]:5555", to gain superuser access.
Once access is obtained, the attackers deploy the malware payload by directing the system to a specific web address and using a passphrase, krebsfiveheadindustries, to unlock the malicious download. Synthient’s data indicates that two-thirds of the infected devices are Android TV boxes, with the remaining infections distributed among digital photo frames and mobile phones running concealed proxy applications.
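The two network-visible signs of the intrusion path described above, ADB over TCP reachable on port 5555 from outside the LAN and a DNS answer that maps a public name onto a private home-network address, can both be picked out of ordinary firewall and resolver logs. The detection logic below is an added example written for this page, not code from Synthient or the article; the log format and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample firewall and DNS-resolver log lines (not real telemetry).
SAMPLE_LOGS = """\
conn src=203.0.113.7 dst=192.168.1.42 proto=tcp dport=5555 action=accept
conn src=192.168.1.10 dst=192.168.1.42 proto=tcp dport=5555 action=accept
conn src=198.51.100.9 dst=192.168.1.42 proto=tcp dport=443 action=accept
dns qname=cdn.example.test answer=192.168.1.42
dns qname=www.example.test answer=198.51.100.20
"""

ADB_TCP_PORT = 5555  # the port used in the article's "adb connect" step
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CONN_RE = re.compile(r"^conn src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)", re.M)
DNS_RE = re.compile(r"^dns qname=(\S+) answer=(\S+)", re.M)


def is_lan(addr: str) -> bool:
    """True for RFC 1918 home-network addresses; False for anything else."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def find_adb_exposure(log_text: str) -> list[tuple[str, str, str]]:
    """Return (severity, src, dst) for each TCP connection to port 5555 on a
    LAN host. A public source means ADB over TCP was reachable from outside
    (e.g. through a proxy tunnel); a LAN source still shows ADB is enabled."""
    findings = []
    for src, dst, proto, dport in CONN_RE.findall(log_text):
        if proto == "tcp" and int(dport) == ADB_TCP_PORT and is_lan(dst):
            findings.append(("high" if not is_lan(src) else "medium", src, dst))
    return findings


def find_private_dns_answers(log_text: str) -> list[tuple[str, str]]:
    """Return (qname, answer) where a public name resolved to a LAN address:
    the DNS-manipulation pattern used to reach a home network via a proxy."""
    return [(q, a) for q, a in DNS_RE.findall(log_text) if is_lan(a)]


if __name__ == "__main__":
    for finding in find_adb_exposure(SAMPLE_LOGS):
        print("ADB exposure:", finding)
    for finding in find_private_dns_answers(SAMPLE_LOGS):
        print("private DNS answer:", finding)
```

Any "high" finding means a device on the home network accepted an unauthenticated debug connection from the internet; the remediation is to disable network ADB on the device or block inbound 5555 at the router.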
The malware coerces these devices into relaying spam messages, committing advertising fraud, attempting account takeovers, and participating in distributed denial-of-service (DDoS) attacks capable of incapacitating major websites for extended periods.
Kimwolf’s resilience is evident in its ability to reconstruct itself following disruptions. Brundage observed the botnet’s rapid recovery from a takedown effort, rebounding from nearly zero infected systems to 2 million compromised devices within days by leveraging IPIDEA’s supply of fresh proxy endpoints.