
According to Synthient’s findings, the botnet known as Kimwolf infected more than 2 million Android devices by tunneling through residential proxy networks.
“The primary actors involved in the Kimwolf botnet have been observed monetizing the botnet through app installations, selling residential proxy bandwidth, and selling DDoS capabilities,” the company said in an analysis published last week.
Kimwolf was first publicly documented by QiAnXin XLab last month, which noted its connections to another botnet known as AISURU. Kimwolf has been active since at least August 2025 and is assessed to be an Android variant of AISURU. Late last year, evidence mounted that these botnets were behind a series of record-breaking DDoS attacks.
The malware turns infected devices into conduits for relaying malicious traffic and for launching large-scale distributed denial-of-service (DDoS) attacks. Infections are concentrated in Vietnam, Brazil, India, and Saudi Arabia, and Synthient observes approximately 12 million unique IP addresses each week.

The campaigns distributing the botnet primarily target Android devices that expose the Android Debug Bridge (ADB) service, using scanning infrastructure that routes through residential proxies to reach those devices and install the malware. Over 67% of the devices enrolled in the botnet have ADB enabled by default and accept unauthenticated connections.
These devices are believed to have been pre-infected with software development kits (SDKs) from proxy providers so that they covertly join the botnet. The most commonly compromised devices are unofficial Android-based smart TVs and set-top boxes.

As of December 2025, Kimwolf infections were spreading through proxy IP addresses rented from China-based IPIDEA. On December 27, IPIDEA rolled out a security fix that blocks access to local-network devices and to a number of sensitive ports. IPIDEA describes itself as “the world’s leading provider of IP proxies,” with more than 6.1 million IP addresses refreshed daily and 69,000 new IP addresses added every day.
In short, the trick is to use IPIDEA’s proxy network, and those of other proxy providers, to tunnel into the local network of the device running the proxy software and drop the malware there. The main payload listens on port 40860 and connects to 85.234.91[.]247:1337 to receive further commands.

“The scale of this vulnerability is unprecedented, with millions of devices exposed,” Synthient said.
The attackers also loaded infected devices with a bandwidth-monetization SDK from Plainproxies known as Byteconnect, indicating a broader monetization effort. The SDK uses 119 relay servers that receive proxy tasks from command-and-control servers; the compromised devices then carry out those tasks.

Synthient also reported discovering infrastructure used to carry out credential-stuffing attacks against IMAP servers and popular online websites.
“Kimwolf’s monetization strategy became apparent early on through aggressive sales of residential proxies,” the company said. “Offering proxies for 0.20 cents per GB, or $1.4 million per month with unlimited bandwidth, led to early adoption by several proxy providers.”
“The discovery of pre-infected TV boxes and the monetization of these bots through secondary SDKs such as Byteconnect indicates a deepening relationship between threat actors and commercial proxy providers.”
To mitigate the risk, proxy providers are urged to block requests to RFC 1918 addresses, the private IPv4 ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) reserved for use on internal networks, and organizations are advised to lock down devices running unauthenticated ADB shells to prevent unauthorized access.
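The egress check that implements the RFC 1918 blocking recommended above, and the local-network and sensitive-port blocking that IPIDEA is described as having deployed, as an added example that is not Synthient's, IPIDEA's, or any proxy provider's code. It assumes a CONNECT-style request arriving as a host and port, a resolver callback (the one shown is a constructed lookup table using RFC 5737 documentation addresses), and a port list that is an assumption beyond ADB's default TCP port 5555. The ranges beyond RFC 1918 (loopback, link-local, carrier-grade NAT, IPv6 loopback, ULA and link-local) are additions a practitioner would normally include so the filter cannot be sidestepped, and IPv4-mapped IPv6 literals are unwrapped for the same reason.

```python
"""Egress filter for a residential-proxy exit node: refuse proxied
connections that would let a customer reach the exit's own local network
(the tunnelling technique described above) or well-known management ports
such as ADB's. Added example; not code from Synthient or a proxy provider."""
import ipaddress
from typing import Callable, List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]

# RFC 1918 (the recommendation on the page) plus the other non-routable
# ranges a practitioner adds so loopback, link-local, CGNAT or IPv6 local
# addresses cannot be used to reach the same neighbours.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",      # loopback, "this host", link-local
    "100.64.0.0/10",                                    # RFC 6598 carrier-grade NAT
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 loopback, ULA, link-local
)]

# Destination ports refused regardless of address. 5555 is ADB's default
# TCP port; the rest are an assumption about what a provider would treat
# as "sensitive" and are not taken from the page.
BLOCKED_PORTS = {5555, 22, 23, 445, 3389, 5900}


def _blocked_address(addr: IPAddr) -> bool:
    # An IPv4-mapped IPv6 literal (::ffff:192.168.1.1) would otherwise slip
    # past a purely IPv4 range check, so unwrap it first.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_multicast or any(addr in net for net in BLOCKED_NETWORKS)


def decide(host: str, port: int, resolve: Resolver) -> Tuple[bool, str]:
    """Return (allowed, reason) for a proxied connection to host:port."""
    if port in BLOCKED_PORTS:
        return False, f"port {port} is blocked"
    try:
        addrs: List[IPAddr] = [ipaddress.ip_address(host)]
    except ValueError:
        # Hostname: resolve here and vet every answer, so a name that mixes
        # public and private records (DNS rebinding) is refused outright.
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            return False, f"{host} could not be resolved"
        if not addrs:
            return False, f"{host} has no address"
    for addr in addrs:
        if _blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "allowed"


def demo_resolver(name: str) -> List[str]:
    """Constructed lookup table standing in for DNS; documentation ranges
    only (RFC 5737 / RFC 3849), so nothing here points at a real host."""
    table = {
        "shop.example": ["203.0.113.10"],
        "rebind.example": ["203.0.113.10", "192.168.1.1"],
        "v6.example": ["2001:db8::1"],
    }
    return table.get(name, [])


def run_sample() -> List[Tuple[str, int, bool]]:
    """Constructed CONNECT requests as a proxy exit might see them."""
    requests = [
        ("shop.example", 443),      # ordinary customer traffic
        ("192.168.1.20", 5555),     # ADB on a LAN neighbour: the path abused here
        ("192.168.1.20", 8080),     # any RFC 1918 target, any port
        ("::ffff:10.0.0.5", 443),   # IPv4-mapped evasion attempt
        ("rebind.example", 80),     # DNS rebinding attempt
        ("v6.example", 443),        # ordinary IPv6 traffic
        ("203.0.113.10", 5555),     # public target, but the ADB port
        ("nosuch.example", 80),     # unresolvable name
    ]
    return [(h, p, decide(h, p, demo_resolver)[0]) for h, p in requests]


if __name__ == "__main__":
    for host, port, allowed in run_sample():
        print(f"{'ALLOW' if allowed else 'DENY '} {host}:{port}")
```

The check has to run on the exit node itself (the device carrying the proxy SDK), because that is the vantage point from which RFC 1918 targets are reachable; applying it only at the provider's relay leaves the hop from the relay to the device's neighbours unfiltered. The exit should also connect to the vetted address it resolved rather than resolving the name a second time, otherwise a rebinding name can still pass.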
