Kimwolf Botnet Compromises Over 2 Million Devices, Exploiting Home Networks for Cybercrime
A newly identified malware, dubbed Kimwolf, has clandestinely infiltrated more than 2 million devices globally, converting them into unauthorized proxy servers without the knowledge of their owners. This rapidly expanding botnet is being leveraged for a range of illicit activities, including online fraud, large-scale cyberattacks, and data theft.
Security experts uncovered this alarming development in late 2025, highlighting a sophisticated exploitation of vulnerabilities within popular proxy networks. The primary targets of this infection are low-cost Android TV boxes and digital photo frames, many of which are shipped with pre-existing security flaws.
Benjamin Brundage, a 22-year-old cybersecurity researcher and founder of Synthient, initiated an investigation into Kimwolf in October 2025 during his final exams at the Rochester Institute of Technology. His research revealed a disturbing trend: the malware proliferates by exploiting weaknesses in the world’s largest residential proxy services.
Brundage discovered that attackers could circumvent security protocols by altering DNS settings, thereby gaining access to private home networks through compromised proxy devices. He identified a significant security lapse in IPIDEA, the largest proxy network, which allowed cybercriminals to infiltrate home networks and deploy malware on connected devices without encountering authentication barriers.
Brian Krebs, an analyst at KrebsOnSecurity, underscored Brundage’s critical findings after the researcher alerted multiple proxy providers to the vulnerability.
Attack Mechanism
The attack strategy involves a dual-faceted security breach:
1. Pre-Installed Malware: Many unofficial TV boxes come with malware pre-installed from the factory.
2. Enabled Android Debug Bridge (ADB): These devices have the ADB feature activated, allowing anyone on the same network to gain full control with a simple command.
Attackers identify compromised proxy endpoints by scanning for devices that expose ADB over the network (TCP port 5555). They then run a command such as adb connect [device-ip]:5555 and, because these boxes accept the connection without authentication, obtain superuser access.
Once access is secured, the attackers deploy the malware payload by directing systems to a specific web address and using a passphrase to unlock the malicious download.
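The defensive counterpart to the scanning step described above is a home-network audit: check whether any device on the LAN answers on the ADB-over-TCP port at all, because a TV box that accepts unauthenticated connections there is exposed whether or not it has yet been enrolled in a proxy network. The script below is an added example, not code from the article or from Synthient; it only attempts a TCP connect and never speaks the ADB protocol. The host list is a constructed placeholder, and a local listener stands in for an exposed box so the check can be exercised offline.

```python
import socket
from typing import Dict, Iterable, Tuple

# Default port used when network debugging is switched on with "adb tcpip 5555".
ADB_TCP_PORT = 5555


def adb_port_reachable(host: str, port: int = ADB_TCP_PORT, timeout: float = 1.0) -> bool:
    """Return True if a plain TCP connection to host:port succeeds.

    A successful connect on 5555 means adbd (or something on its port) is
    listening and reachable from this vantage point; it does not by itself
    prove the device is compromised, only that it is exposed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_hosts(hosts: Iterable[str], port: int = ADB_TCP_PORT,
                timeout: float = 1.0) -> Dict[str, bool]:
    """Map each host to whether its ADB port accepted a connection."""
    return {host: adb_port_reachable(host, port, timeout) for host in hosts}


def exposed_hosts(report: Dict[str, bool]) -> list:
    """Hosts from an audit report that should be inspected and have ADB disabled."""
    return sorted(host for host, open_ in report.items() if open_)


# --- constructed stand-ins so the example runs without a real TV box ---------

def start_fake_adb_listener() -> Tuple[socket.socket, int]:
    """Listen on 127.0.0.1 on an ephemeral port, playing an exposed device."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def find_closed_port() -> int:
    """Grab an ephemeral port and release it, so it is (almost surely) closed."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Constructed LAN inventory (placeholder addresses, not from the article).
    lan_hosts = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    report = audit_hosts(lan_hosts, timeout=0.5)
    for host, is_open in report.items():
        print(f"{host}: {'ADB port OPEN' if is_open else 'closed'}")
    print("exposed:", exposed_hosts(report))
```

For any host the audit flags, the remediation is on the device rather than the network: switch debugging back to USB-only with "adb usb" (or turn off USB debugging under Developer options) and confirm the port no longer answers. A box that re-enables network ADB after a reboot is a strong sign of the factory-installed malware the article describes and is best replaced.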
Synthient’s data indicates that two-thirds of the infected devices are Android TV boxes, with the remaining infections distributed among digital photo frames and mobile phones running concealed proxy applications.
The malware coerces these devices into relaying spam messages, committing advertising fraud, attempting account takeovers, and participating in distributed denial-of-service (DDoS) attacks capable of incapacitating major websites for extended periods.
Resilience and Rapid Recovery
Kimwolf exhibits remarkable resilience and an ability to rapidly rebuild its network after disruptions. Brundage observed that following a takedown effort, the botnet rebounded from nearly zero infected systems to 2 million compromised devices within just a few days by leveraging IPIDEA’s extensive pool of fresh proxy endpoints.
This swift recovery is facilitated by IPIDEA’s vast reservoir of over 100 million residential proxy addresses. The operators of the malware monetize their botnet through various channels, including selling app installation services, renting out proxy bandwidth, and offering DDoS attack capabilities to other cybercriminals.
Implications and Future Threats
Security researchers anticipate that this attack pattern will proliferate as more criminal groups become aware of these vulnerabilities, transforming residential proxy networks into prime targets for large-scale device compromises and network breaches.