The Trojan in the Living Room: 2 Million Android TV Boxes Hijacked by Kimwolf
When you buy a cheap, unbranded Android TV box, plug it into your television, and forget about it for years, you may be hosting a silent participant in someone else's operation. From that corner of the living room, the device can quietly turn your home connection into a launch point for attacks and a resale channel for illicit traffic. That is the origin of the Kimwolf botnet, a fast-growing threat that has compromised more than two million "unauthorized" Android TV devices.
In December 2025, the research group XLab published a detailed analysis of Kimwolf. Their findings show that infected set-top boxes serve two purposes: launching DDoS attacks and acting as exit nodes for "residential proxy" services. That industry sells internet traffic that appears to come from ordinary home connections, which is valuable for ad fraud, credential stuffing, account takeover, and large-scale web scraping precisely because it is hard to tell apart from legitimate users.
What sets Kimwolf apart is its target: the firmware of budget TV boxes rather than phones. According to the report, a malicious component is often pre-installed at the factory across more than a thousand "unauthorized" Android TV models. As soon as such a device is powered on and connected, it starts relaying suspicious traffic, and the owner has no indication that anything is wrong.
XLab also argues that Kimwolf is a successor to the earlier Aisuru botnet. The researchers found what they call "irrefutable evidence" linking the two, since both used the same infrastructure: on December 8, 2025, both botnets were seen spreading from the same IP address, 93.95.112.59, which in XLab's view confirms that a single group runs both.
Public records tie that IP range to Resi Rack LLC, a company based in Lehi, Utah. Its website advertises game server hosting, but its posts on the BlackHatWorld forum describe a different business: "premium residential proxy hosting" and proxy software development. Cassidy Hales, a Resi Rack co-founder, told KrebsOnSecurity that the issue was "resolved immediately" once reported; the company then declined to answer further questions.
Before XLab's report, researchers at Synthient found that proxy sellers profiting from Aisuru and Kimwolf were coordinating on a Discord server called resi.to. In late October 2025 it had about 150 members, including a user named "Shox", identified as a Resi Rack co-founder, and his partner "Linus". Members regularly traded fresh IP addresses for proxied traffic. Between October and December 2025, Synthient documented at least seven static Resi Rack addresses tied directly to Kimwolf infrastructure.
Other figures surfaced in the investigation, including "D", believed to be the hacker Dort, and "Snow". A Brazilian participant known as "Forky", who admitted to promoting Aisuru early on, claimed that Dort and Snow now control both botnets. Notably, after the first report on January 2, 2026, the resi.to server was wiped and deleted. Its active members moved to Telegram, where they reportedly doxxed researchers and discussed how hard it was to find "bulletproof" hosting for their network. Around the same time, Synthient was hit by a retaliatory DDoS attack.
To make the botnet harder to take down, Kimwolf's operators use the Ethereum Name Service (ENS). Infected devices obtain the command-and-control address by reading a text record stored under an ENS name; if a server is taken offline, the operators simply update the record and the botnet follows to the new destination. Because the record lives on the Ethereum blockchain rather than with a domain registrar or hosting provider, there is no single party a defender can ask to suspend it. The same records have also been used to post threats, including personal data of security researchers.
The investigation also examined services that profit from Kimwolf traffic, such as Plainproxies, which distributes the ByteConnect SDK. The SDK is marketed as "ethical app monetization", but Synthient observed a surge in credential-stuffing attacks against mail servers and popular platforms coming from it. Friedrich Kraft, CEO of Plainproxies and co-founder of ByteConnect Ltd, is also connected to the German hosting company 3XK Tech GmbH. In July 2025, Cloudflare named 3XK Tech a major source of application-layer DDoS attacks, and in November GreyNoise reported it scanning the internet for critical Palo Alto Networks vulnerabilities.
Another company, Maskify, advertises millions of "residential" addresses at suspiciously low prices. Synthient also saw Kimwolf-linked actors trying to sell proxy bandwidth for cash up front, a clear sign that the proxies were not obtained with the consent of the people whose connections they use.
XLab and Synthient agree that the great majority of these no-name Android TV boxes lack basic security and often ship with malicious components already installed. A device reachable from the public internet can be fully compromised. If you own a cheap, unbranded Android TV box that receives no official updates, the practical advice is to take it off your network now. If that is not an option, at least keep it on a separate guest or IoT network where it cannot reach your other devices, and watch for outbound traffic it has no reason to generate.