The Kimwolf and Aisuru botnets, which have collectively compromised more than two million devices by targeting unofficial Android TV streaming boxes, left a traceable trail of digital fingerprints pointing to a small Utah company and a Discord server used to sell the stolen network access.
Chinese security firm XLab published its findings on December 17, 2025, confirming that both botnets share the same operators. The firm said it observed Kimwolf and Aisuru being distributed from the same IP address, 93.95.112[.]59, on December 8. That address belongs to an IP range assigned to Resi Rack LLC, a company based in Lehi, Utah.
What Kimwolf Actually Does
Kimwolf forces infected devices to participate in distributed denial-of-service attacks and to relay internet traffic through so-called residential proxy networks. These proxies are commercially valuable because they make malicious traffic appear to originate from ordinary home internet connections. That traffic gets used for ad fraud, account takeover attempts, and mass content scraping.
The botnet targeted residential proxy software factory-installed on more than a thousand models of unsanctioned Android TV streaming boxes. Because the software comes pre-loaded on the hardware, users have no way of knowing their device is compromised.
Resi Rack’s Connection
Resi Rack markets itself publicly as a “Premium Game Server Hosting Provider,” but its advertisements on the internet moneymaking forum BlackHatWorld describe it as a “Premium Residential Proxy Hosting and Proxy Software Solutions Company.”
Co-founder Cassidy Hales said his company received a notification on December 10 about Kimwolf activity on their network. “When we received this email we took care of this issue immediately,” Hales said. “This is something we are very disappointed is now associated with our name and this was not the intention of our company whatsoever.”
The timeline complicates that account. The Resi Rack address flagged by XLab was already appearing in a Discord channel called resi[.]to as far back as November 24, 2025, when a channel member posted it as an IP address actively proxying Kimwolf traffic. Startup Synthient, which tracks proxy services, identified at least seven static Resi Rack IP addresses tied to Kimwolf proxy infrastructure between October and December 2025.
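Indicators in reporting like this are published defanged (93.95.112[.]59) so they cannot be clicked or auto-resolved. As an added, defender-side illustration that is not part of the article and not code from XLab, Synthient or Resi Rack, the Python below refangs such indicators and sweeps constructed egress-log lines for LAN devices that contacted them, which is the check a network owner would run to find a streaming box relaying to a flagged address. The key=value log format, the device addresses, and the domain indicator proxy-c2.example are assumptions; only the IP address comes from the article.

```python
import ipaddress
import re

# Indicators in the defanged form used by the article. The IP is the address XLab
# reported; "proxy-c2[.]example" is a constructed placeholder, not a real indicator.
ARTICLE_INDICATORS = ["93.95.112[.]59", "proxy-c2[.]example"]

# Constructed sample of egress firewall log lines (assumed key=value format).
SAMPLE_EGRESS_LOG = [
    "2025-12-08T10:02:11Z src=192.0.2.44 dst=93.95.112.59 dport=443 proto=tcp",
    "2025-12-08T10:02:15Z src=192.0.2.44 dst=198.51.100.7 dport=53 proto=udp",
    "2025-12-08T10:03:01Z src=192.0.2.91 dst=203.0.113.20 dport=443 host=relay.proxy-c2.example",
    "2025-12-08T10:04:40Z src=192.0.2.13 dst=203.0.113.21 dport=80 host=updates.example.org",
    "malformed line with no fields",
]


def refang(indicator: str) -> str:
    """Undo common defanging: 93.95.112[.]59 -> 93.95.112.59, hxxp:// -> http://."""
    s = indicator.strip()
    for broken in ("[.]", "(.)", "{.}", "[dot]"):
        s = s.replace(broken, ".")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.lower()


def indicator_kind(indicator: str) -> str:
    """Classify a refanged indicator as 'ip' or 'domain'."""
    try:
        ipaddress.ip_address(indicator)
        return "ip"
    except ValueError:
        return "domain"


LOG_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn 'key=value' tokens into a dict; malformed lines yield an empty dict."""
    return dict(LOG_FIELD.findall(line))


def host_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match (relay.proxy-c2.example matches proxy-c2.example)."""
    return host == domain or host.endswith("." + domain)


def find_matches(log_lines, indicators):
    """Return one hit per log line whose destination IP or host matches an indicator."""
    clean = [refang(i) for i in indicators]
    ips = {i for i in clean if indicator_kind(i) == "ip"}
    domains = {i for i in clean if indicator_kind(i) == "domain"}
    hits = []
    for line in log_lines:
        fields = parse_line(line)
        src, dst = fields.get("src"), fields.get("dst")
        if not src or not dst:
            continue  # skip malformed lines rather than aborting the sweep
        host = fields.get("host", "").lower()
        if dst in ips:
            hits.append({"src": src, "indicator": dst, "kind": "ip", "line": line})
            continue
        for d in domains:
            if host and host_matches(host, d):
                hits.append({"src": src, "indicator": d, "kind": "domain", "line": line})
                break
    return hits


def suspect_sources(log_lines, indicators):
    """Internal devices that contacted any indicator, deduplicated and sorted."""
    return sorted({h["src"] for h in find_matches(log_lines, indicators)})


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EGRESS_LOG, ARTICLE_INDICATORS):
        print(f"{hit['src']} -> {hit['indicator']} ({hit['kind']})")
    print("devices to inspect:", suspect_sources(SAMPLE_EGRESS_LOG, ARTICLE_INDICATORS))
```

A hit on a device's source address is a reason to pull the box off the network and inspect it, not proof by itself: a single flow to a flagged address can also come from a user browsing a site hosted in the same range, so the match should be read alongside volume, timing, and whether the device has any legitimate reason to reach that destination.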
The Discord Connection
Benjamin Brundage, founder of Synthient, flagged the resi[.]to Discord server in late October 2025 as a hub where people were selling proxy access derived from the Aisuru and Kimwolf botnets. When the Discord server was first observed, it had fewer than 150 members. Among them were Hales, operating under the nickname “Shox,” and his business partner “Linus,” who did not respond to requests for comment.
Neither co-owner answered follow-up questions after the initial exchange. Cyber intelligence firm Flashpoint indexed Discord records showing both individuals spent much of 2024 selling static ISP proxies by routing traffic through major U.S. internet service provider address blocks.
That business model faces structural pressure. In February 2025, AT&T announced it would stop originating routes for network blocks it does not own, effective July 31, 2025. Other major ISPs have since adopted similar policies, effectively narrowing the market for the type of proxy traffic Resi Rack’s operators had been selling.
This article is a curated summary based on third-party sources.