A botnet called Kimwolf has infected more than 2 million devices worldwide, enlisting them in distributed denial-of-service attacks and routing malicious internet traffic through compromised networks. Security researchers have now confirmed the botnet’s reach extends well into corporate, academic, and government infrastructure — a finding that complicates the conventional assumption that such threats stay confined to consumer devices.
Kimwolf emerged in late 2025, spreading by exploiting residential proxy services — commercial platforms that allow customers to route internet traffic through devices located in specific regions. These proxy nodes are often installed quietly alongside mobile apps and games, and they routinely carry ad fraud, credential theft, and content scraping. Kimwolf's operators exploited a weakness in how these services relay traffic: a rented proxy endpoint would forward requests not only out to the internet but into the local network the endpoint itself sat on. That let the operators push commands through the proxy, systematically scan the network behind it for vulnerable devices, and infect them.
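The control that the propagation path above depends on being absent is a destination check on the proxy node: a relay that forwards to whatever a customer asks for will happily forward to 192.168.1.50. The following is an added example, not code from IPIDEA, Kimwolf, or any proxy vendor, showing an unfiltered relay next to a hardened one. The function names, the hostnames, and the in-memory resolver are constructed assumptions so the script runs offline; in production the resolver would wrap socket.getaddrinfo().

```python
"""Egress policy for a proxy relay node (added example, not vendor code).

A residential-proxy node that forwards any request without checking the
destination can be pointed at its own LAN, which is the path the article
describes. The resolver and hostnames below are constructed for the example.
"""
import ipaddress
from typing import Callable, Iterable, Tuple

Resolver = Callable[[str], Iterable[str]]  # hostname -> candidate IP strings

# Shared address space (RFC 6598) is not flagged by ip_address.is_private on
# every Python version, so it is listed explicitly.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def is_internal(ip: str) -> bool:
    """True when a relay must never connect to this address for a customer."""
    addr = ipaddress.ip_address(ip)
    # IPv4-mapped IPv6 (::ffff:192.168.1.1) is judged as the IPv4 it wraps.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.version == 4 and addr in CGNAT:
        return True
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def unfiltered_target(host: str, port: int, resolve: Resolver) -> Tuple[str, int]:
    """Weak relay: connects to whatever the name resolves to, LAN included."""
    ips = list(resolve(host))
    if not ips:
        raise LookupError(host)
    return (ips[0], port)


def check_egress(host: str, port: int, resolve: Resolver) -> Tuple[bool, str]:
    """Hardened relay policy. Returns (allowed, detail).

    detail is the vetted IP on allow, or the reason on deny. The relay must
    then connect to that vetted IP rather than resolve the name a second
    time, so the address it checked is the address it actually uses.
    """
    if not 1 <= port <= 65535:
        return (False, f"bad port {port}")
    try:
        candidates = [str(ipaddress.ip_address(host))]  # literal address
    except ValueError:
        candidates = [str(ip) for ip in resolve(host)]
    if not candidates:
        return (False, f"{host}: no address")
    # Reject if ANY answer is internal: a mixed or rebinding answer set must
    # not slip one private record past a check on the first record only.
    for ip in candidates:
        if is_internal(ip):
            return (False, f"{host}: resolves to internal address {ip}")
    return (True, candidates[0])


# Constructed resolver used in place of DNS so the example runs offline.
FAKE_DNS = {
    "www.example.com": ["93.184.216.34"],
    "printer.lan": ["192.168.1.50"],
    "mixed.example": ["93.184.216.34", "10.0.0.5"],
    "metadata.example": ["169.254.169.254"],
    "mapped.example": ["::ffff:192.168.1.1"],
}


def fake_resolve(host: str):
    return FAKE_DNS.get(host.lower().rstrip("."), [])


if __name__ == "__main__":
    for host in ("www.example.com", "printer.lan", "mixed.example", "127.0.0.1"):
        try:
            weak = unfiltered_target(host, 80, fake_resolve)
        except LookupError:
            weak = "unresolved"
        print(f"{host:18} unfiltered -> {weak}  hardened -> {check_egress(host, 80, fake_resolve)}")
```

The deny-on-any-internal-answer rule is the part worth keeping even if the rest is adapted: checking only the first A record, or resolving once for the check and again for the connect, leaves the LAN reachable through a crafted answer set.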
The primary target of that scanning has been unofficial Android TV streaming boxes — devices built on the Android Open Source Project, distinct from certified Android TV OS products. These boxes are typically marketed as a means to access pirated streaming content for a one-time purchase. Many ship with residential proxy software already installed, and they carry minimal authentication controls. Direct network access to one of these devices is effectively sufficient to compromise it.
Kimwolf’s principal vector was IPIDEA, a Chinese residential proxy service with millions of endpoints available for rent at any given time. IPIDEA and other affected proxy providers have since taken steps to block the botnet’s upstream communications, though with varying reported success. The malware, however, remains active on the devices it has already reached.
Security firm Infoblox reviewed its own customer traffic and found that nearly 25 percent of its customers had made at least one DNS query to a Kimwolf-related domain since October 1, 2025 — the point at which the botnet first showed measurable activity. Those customers span a wide range of sectors and geographies, including education, healthcare, finance, and government. Infoblox clarified that a DNS query indicates a device acted as a proxy endpoint targeted by Kimwolf operators, not necessarily that additional devices on that network were successfully compromised. Lateral movement would only succeed if vulnerable devices were present and DNS resolution was not blocked.
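The Infoblox figure rests on a single, reproducible check: did any client inside the network query a domain tied to the botnet, and was that query answered or blocked. The script below is an added example of that triage, not Infoblox's or any vendor's tooling, run over a few constructed query-log lines. The domains in WATCHLIST are placeholders under the reserved .invalid TLD, not real Kimwolf indicators, and the six-column log format (timestamp, client, qname, qtype, rcode, policy) is an assumption made for the example.

```python
"""DNS-log triage against a domain watchlist (added example, not vendor code).

Walks query-log lines, matches each queried name against watchlisted domains
at a label boundary, and summarises hits per client. A hit identifies a
client that behaved as a targeted proxy endpoint; it is not proof that other
devices on that network were compromised. The log lines and watchlist are
constructed placeholders.
"""
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set

# Placeholder indicators, not real Kimwolf domains.
WATCHLIST: Set[str] = {"kimwolf-indicator.invalid", "proxy-c2.invalid"}

# Constructed log lines. The 10.20.30.41 query was answered by a
# response-policy zone (rpz-block): the endpoint asked, but resolution was
# blocked, which is the condition the article notes as stopping lateral movement.
SAMPLE_LOG = """\
2025-10-03T08:12:44Z 10.20.30.40 update.kimwolf-indicator.invalid A NOERROR -
2025-10-03T08:12:45Z 10.20.30.40 www.example.com A NOERROR -
2025-10-03T09:01:02Z 10.20.30.41 KIMWOLF-INDICATOR.INVALID. A NXDOMAIN rpz-block
2025-10-03T09:01:03Z 10.20.30.42 notkimwolf-indicator.invalid A NOERROR -
2025-10-03T09:05:00Z 10.20.30.40 api.kimwolf-indicator.invalid AAAA NOERROR -
"""


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so FQDN spellings compare equal."""
    return name.lower().rstrip(".")


def watchlist_match(qname: str, watchlist: Iterable[str]) -> Optional[str]:
    """Return the watchlisted domain qname equals or sits under, else None.

    The suffix test includes the separating dot, so
    notkimwolf-indicator.invalid does not match kimwolf-indicator.invalid.
    """
    q = normalize(qname)
    for d in watchlist:
        d = normalize(d)
        if q == d or q.endswith("." + d):
            return d
    return None


def triage(lines: Iterable[str], watchlist: Iterable[str]) -> Dict[str, dict]:
    """Per-client summary: hit count, unblocked count, domains, first seen."""
    out = defaultdict(lambda: {"hits": 0, "unblocked": 0,
                               "domains": set(), "first_seen": None})
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than abort the run
        ts, client, qname, _qtype, _rcode, policy = parts
        d = watchlist_match(qname, watchlist)
        if d is None:
            continue
        rec = out[client]
        rec["hits"] += 1
        rec["domains"].add(d)
        rec["first_seen"] = rec["first_seen"] or ts
        if policy != "rpz-block":
            rec["unblocked"] += 1
    return dict(out)


def report(summary: Dict[str, dict]) -> None:
    for client, rec in sorted(summary.items()):
        print(f"{client}: {rec['hits']} hit(s), {rec['unblocked']} unblocked, "
              f"first {rec['first_seen']}, domains {sorted(rec['domains'])}")


if __name__ == "__main__":
    report(triage(SAMPLE_LOG.splitlines(), WATCHLIST))
```

Clients with unblocked hits are the ones to identify physically first (which device on that IP, and whether it is one of the streaming boxes or a phone running proxy software); clients whose hits were all answered by a response policy still host a proxy endpoint but were denied the resolution the malware needed.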
The startup Synthient, which tracks proxy services and was among the first to document Kimwolf’s propagation methods in early January, identified IPIDEA proxy endpoints inside government and academic networks at significant scale. Synthient recorded at least 33,000 affected internet addresses at universities and colleges, and nearly 8,000 IPIDEA proxies within U.S. and foreign government networks.
Proxy tracking service Spur extended that picture further in a webinar held on January 16. Analyzing internet addresses linked to IPIDEA and ten other proxy services considered vulnerable to Kimwolf, Spur found residential proxies embedded in nearly 300 government-owned and operated networks, as well as 318 utility company networks.
The pattern that emerges is one where consumer-grade hardware — streaming boxes bought for piracy convenience, phones enrolled in proxy programs bundled with apps — becomes an unwitting foothold inside sensitive infrastructure. The device itself may belong to an employee or contractor. The network it connects to may belong to a hospital, a municipal agency, or a federal department. The malware does not distinguish.
Source: Original reporting