Kimwolf Botnet Lurking in Corporate, Govt. Networks

Miravi

Aug 31, 2024
A new Internet-of-Things (IoT) botnet called Kimwolf has spread to more than 2 million devices, forcing infected systems to participate in massive distributed denial-of-service (DDoS) attacks and to relay other malicious and abusive Internet traffic. Kimwolf’s ability to scan the local networks of compromised systems for other IoT devices to infect makes it a sobering threat to organizations, and new research reveals Kimwolf is surprisingly prevalent in government and corporate networks.

Kimwolf grew rapidly in the waning months of 2025 by tricking various “residential proxy” services into relaying malicious commands to devices on the local networks of those proxy endpoints. Residential proxies are sold as a way to anonymize and localize one’s Web traffic to a specific region, and the biggest of these services allow customers to route their Internet activity through devices in virtually any country or city around the globe.

The malware that turns one’s Internet connection into a proxy node is often quietly bundled with various mobile apps and games, and it typically forces the infected device to relay malicious and abusive traffic — including ad fraud, account takeover attempts, and mass content-scraping.

Kimwolf mainly targeted proxies from IPIDEA, a Chinese service that has millions of proxy endpoints for rent on any given week. The Kimwolf operators discovered they could forward malicious commands to the internal networks of IPIDEA proxy endpoints, and then programmatically scan for and infect other vulnerable devices on each endpoint’s local network.

Most of the systems compromised through Kimwolf’s local network scanning have been unofficial Android TV streaming boxes. These are typically Android Open Source Project devices — not Android TV OS devices or Play Protect certified Android devices — and they are generally marketed as a way to watch unlimited (read: pirated) video content from popular subscription streaming services for a one-time fee.

[...]

Infoblox found the affected customers are based all over the world and in a wide range of industry verticals, from education and healthcare to government and finance.

“To be clear, this suggests that nearly 25% of customers had at least one device that was an endpoint in a residential proxy service targeted by Kimwolf operators,” Infoblox explained. “Such a device, maybe a phone or a laptop, was essentially co-opted by the threat actor to probe the local network for vulnerable devices. A query means a scan was made, not that new devices were compromised. Lateral movement would fail if there were no vulnerable devices to be found or if the DNS resolution was blocked.”

Synthient, a startup that tracks proxy services and was the first to disclose on January 2 the unique methods Kimwolf uses to spread, found proxy endpoints from IPIDEA were present in alarming numbers at government and academic institutions worldwide. Synthient said it spied at least 33,000 affected Internet addresses at universities and colleges, and nearly 8,000 IPIDEA proxies within various U.S. and foreign government networks.

In a webinar on January 16, experts at the proxy tracking service Spur profiled Internet addresses associated with IPIDEA and 10 other proxy services that were thought to be vulnerable to Kimwolf’s tricks. Spur found residential proxies in nearly 300 government owned and operated networks, 318 utility companies, 166 healthcare companies or hospitals, and 141 companies in banking and finance.
Read the rest:
 
Infection Vector (Supply Chain)
The primary nodes for this botnet are unofficial Android TV streaming boxes (often associated with "Badbox 2.0"). These devices, often marketed for piracy, ship with residential proxy software pre-installed and lack robust security or authentication.

Propagation Mechanism (Proxy Abuse)
Kimwolf operators exploit the IPIDEA residential proxy service. By routing malicious commands through these legitimate proxy endpoints, attackers can programmatically scan the local networks (LANs) where the proxy devices reside.

Target Scope

Scale

Security firm Infoblox reports that nearly 25% of their customers have queried Kimwolf-related domains since October 1, 2025.

Sectors
Affected networks include government, utilities, healthcare, and finance. Spur identified residential proxies inside nearly 300 government-owned networks, including the U.S. Department of Defense (DoD).

Academic
Synthient detected over 33,000 affected IP addresses at universities and colleges.

Operational Capabilities

Traffic Relay

Infected devices are forced to participate in massive DDoS attacks and to relay abusive traffic (ad fraud, scraping).

Lateral Movement
The botnet's distinct danger lies in its ability to use a single compromised mobile or IoT device to probe the surrounding internal network for other vulnerable assets.

Recommendation / Remediation
The presence of residential proxy traffic within an enterprise network is a significant security risk.

Isolate IoT Assets
Strictly segregate all IoT devices (smart TVs, appliances, vending machines) onto a dedicated VLAN with no access to the corporate intranet or sensitive segments.

Assume all "gray market" Android TV boxes are compromised by design.

Audit & Block Proxy Services
Monitor network egress traffic for connections to known residential proxy services like IPIDEA.

Block communication to known Kimwolf command-and-control (C2) domains at the DNS level.

Device Vetting
Prohibit the use of unofficial/generic Android Open Source Project (AOSP) streaming devices on enterprise networks. Enforce policies requiring Play Protect certified devices only.

Investigate Internal Scans
If a device is flagged for communicating with Kimwolf domains, treat it as a potential beachhead. Investigate the device for signs of local network scanning or lateral movement attempts.
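The two detection steps above (flagging a device that resolves a Kimwolf-related domain, then checking whether it went on to probe the local network) can be combined into one correlation routine. The following is an added example written for this thread, not code from Krebs on Security, Infoblox, Synthient or Spur. The watch-list domains, the resolver log lines and the flow records are all constructed placeholders, since the post names no actual Kimwolf C2 domains; in practice the watch-list would be loaded from a threat-intelligence feed and the logs pulled from the enterprise resolver and a NetFlow/Zeek collector.

```python
"""Correlate DNS lookups of watch-listed domains with follow-on LAN scanning.

Added example; all inputs below are constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed watch-list (placeholder names, not real Kimwolf indicators).
WATCHLIST = {"c2-placeholder.example", "proxy-placeholder.example"}

# RFC 1918 ranges: flows to these count as "internal" for scan detection.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]

WINDOW = timedelta(minutes=5)   # look-ahead after the DNS hit
SCAN_THRESHOLD = 8              # distinct internal hosts touched in WINDOW

# Constructed resolver log: "<ISO timestamp> <client ip> <query name>"
DNS_LOG = """\
2026-01-20T09:00:01 10.20.5.17 updates.example
2026-01-20T09:00:04 10.20.5.17 c2-placeholder.example
2026-01-20T09:00:10 10.20.7.3 mail.example
"""

# Constructed flow records: "<ISO timestamp> <src ip> <dst ip> <dst port>"
FLOW_LOG = """\
2026-01-20T08:59:00 10.20.5.17 10.20.5.40 443
2026-01-20T09:00:20 10.20.5.17 10.20.5.20 80
2026-01-20T09:00:21 10.20.5.17 10.20.5.20 8080
2026-01-20T09:00:22 10.20.5.17 10.20.5.21 80
2026-01-20T09:00:23 10.20.5.17 10.20.5.22 80
2026-01-20T09:00:24 10.20.5.17 10.20.5.23 80
2026-01-20T09:00:25 10.20.5.17 10.20.5.24 80
2026-01-20T09:00:26 10.20.5.17 10.20.5.25 80
2026-01-20T09:00:27 10.20.5.17 10.20.5.26 80
2026-01-20T09:00:28 10.20.5.17 10.20.5.27 80
2026-01-20T09:00:29 10.20.5.17 10.20.5.28 80
2026-01-20T09:00:30 10.20.5.17 10.20.5.29 80
2026-01-20T09:00:35 10.20.5.17 203.0.113.9 443
2026-01-20T09:00:40 10.20.7.3 10.20.7.4 443
"""


def is_watchlisted(qname):
    """True if qname or any parent domain is on the watch-list."""
    parts = qname.rstrip(".").lower().split(".")
    return any(".".join(parts[i:]) in WATCHLIST for i in range(len(parts)))


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_dns(text):
    """Return (timestamp, client, qname) for every watch-listed lookup."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        if is_watchlisted(qname):
            hits.append((datetime.fromisoformat(ts), client, qname))
    return hits


def parse_flows(text):
    """Group flow records by source address."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[src].append((datetime.fromisoformat(ts), dst, int(port)))
    return flows


def correlate(dns_text, flow_text):
    """For each DNS hit, count distinct internal hosts the client then touched."""
    flows = parse_flows(flow_text)
    findings = []
    for ts, client, qname in parse_dns(dns_text):
        touched = {dst for fts, dst, _ in flows.get(client, [])
                   if ts <= fts <= ts + WINDOW and dst != client and is_internal(dst)}
        verdict = ("lateral scan suspected" if len(touched) >= SCAN_THRESHOLD
                   else "isolate and investigate")
        findings.append({"client": client, "domain": qname,
                         "first_seen": ts.isoformat(),
                         "internal_hosts_touched": len(touched),
                         "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in correlate(DNS_LOG, FLOW_LOG):
        print(finding)
```

Every DNS hit produces a finding, because the Infoblox note above is explicit that a query alone means the device was used to scan, not that anything else was compromised; the flow correlation only decides whether the device also fanned out across the LAN, which raises it from "isolate and investigate" to a suspected lateral-movement beachhead. Flows to external addresses and flows that predate the lookup are ignored so that ordinary Internet use does not inflate the count.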

References

Source

Krebs on Security

Intelligence Providers
Infoblox, Synthient, Spur.

Related Threat
Badbox 2.0.