The Wolf Inside the Walls: Kimwolf Botnet Enslaves 2 Million Devices
It has surreptitiously infiltrated households, corporate offices, and even sovereign governmental networks, and now commands millions of devices across the globe. A nascent IoT botnet christened Kimwolf has already compromised over 2 million gadgets, conscripting them into a formidable legion for DDoS incursions and the circulation of malicious internet traffic. Far more unsettling, however, is the botnet’s capacity to scrutinize the local area networks (LANs) of compromised hosts and infect all adjacent devices, rendering it a profound peril to institutional and corporate infrastructures.
The Kimwolf botnet experienced an exponential expansion in late 2025 by employing highly unorthodox tactics. Its operators harnessed so-called “residential proxy services,” which are typically marketed as instruments for anonymization and geo-obfuscation. These services facilitate connections routed through the devices of mundane users in any given locale. The malware responsible for transmuting a smartphone, set-top box, or personal computer into a proxy node is frequently embedded clandestinely within mobile applications and games. Consequently, the subverted device begins relaying foreign traffic, participating in advertising fraud, orchestrating credential stuffing, and conducting large-scale web scraping.
The primary objective of Kimwolf centered on the Chinese proxy provider IPIDEA, which boasts millions of active weekly nodes. Adversaries discovered that these nodes could serve not merely to relay command-and-control traffic but as conduits into the internal local networks behind them, from which the search for and infection of vulnerable hardware could be automated.
In the majority of instances, the brunt of the assault was borne by uncertified Android TV streaming boxes, frequently marketed as “universal” devices for consuming pirated media. These peripherals typically run the Android Open Source Project (AOSP) without robust security frameworks or authentication, and occasionally arrive pre-loaded with proxy software. Once reachable over the network, infecting them with a malicious payload is a trivial endeavor.
While IPIDEA and similar providers have commenced efforts to neutralize such incursions, millions of devices remain compromised. What was initially perceived as a domestic affliction has proven far more severe. According to data from Infoblox, nearly 25% of its corporate clientele have documented interactions with domains associated with Kimwolf since October 2025. This implies that at least one device within their respective networks functioned as a proxy node through which the botnet endeavored to map local infrastructures in search of further prey.
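The Infoblox signal above (internal hosts resolving Kimwolf-associated domains) is something a defender can look for in their own resolver logs. The following script is an added example, not code from the article or from any of the vendors it cites: it parses BIND-style query-log lines, keeps only clients inside the organisation's internal address ranges, and reports each host together with the watchlisted domains it resolved. The log lines, the internal ranges and the watchlist entries are all constructed for illustration; the article does not publish the actual Kimwolf domains, so placeholder names stand in for a real threat-intelligence feed.

```python
"""Triage DNS resolver logs for internal hosts that resolved watchlisted domains.

Added example; the log lines and watchlist below are constructed, not real
Kimwolf indicators. Swap WATCHLIST for your threat-intel feed and INTERNAL_NETS
for your own address plan.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder watchlist (the article names no Kimwolf domains).
WATCHLIST = {
    "c2-placeholder.example",
    "proxy-placeholder.example",
}

# Assumed internal address plan: RFC 1918 ranges. Adjust to your environment.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed resolver log lines in a BIND-style query-log format.
SAMPLE_LOG = """\
12-Dec-2025 09:14:02.117 client 10.20.30.41#51234: query: api.c2-placeholder.example IN A +
12-Dec-2025 09:14:05.003 client 10.20.30.41#51240: query: update.proxy-placeholder.example IN A +
12-Dec-2025 09:14:09.440 client 10.20.30.77#40111: query: www.example.org IN A +
12-Dec-2025 09:15:11.981 client 10.20.31.5#50002: query: c2-placeholder.example IN AAAA +
12-Dec-2025 09:15:12.200 client 203.0.113.9#3302: query: c2-placeholder.example IN A +
"""

# Captures the client IP, the queried name and the record type from one line.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(log_text):
    """Yield (client_ip, qname, qtype) for every recognisable query line."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname"), m.group("qtype")


def is_internal(ip):
    """True when the address falls inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def matches_watchlist(qname, watchlist):
    """Return the watchlist entry that qname equals or is a subdomain of, else None.

    Checking every parent suffix means api.c2-placeholder.example matches the
    entry c2-placeholder.example, while notc2-placeholder.example does not.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def find_suspect_hosts(log_text, watchlist=WATCHLIST):
    """Map each internal client IP to the sorted watchlist entries it resolved."""
    hits = defaultdict(set)
    for ip, qname, _qtype in parse_query_log(log_text):
        if not is_internal(ip):
            continue  # external resolvers' clients are out of scope here
        matched = matches_watchlist(qname, watchlist)
        if matched:
            hits[ip].add(matched)
    return {ip: sorted(domains) for ip, domains in hits.items()}


if __name__ == "__main__":
    for host, domains in find_suspect_hosts(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(domains)}")
```

A host that shows up here is a candidate proxy node and the starting point for the next question the article raises: whether that device has also been probing neighbours on its LAN. The external client on the last sample line is dropped deliberately, since the goal is to find compromised assets inside the perimeter rather than to count every resolver hit.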
Forensic investigations reveal that infections permeate a diverse array of sectors, from academia and healthcare to financial institutions and governmental bodies. The startup Synthient identified tens of thousands of such proxy nodes within universities and colleges globally, alongside thousands of addresses nestled within the sovereign networks of various nations. Analysts from Spur further elucidated this crisis, unmasking hundreds of compromised networks belonging to public utilities, hospitals, and banks.
Kimwolf serves as a stark testament to how a singular subverted set-top box, handset, or laptop can function as the bridgehead for an assault on an entire enterprise network. Residential proxies have evolved into a convenient instrument for reconnaissance, permitting adversaries to literally dissect an organization’s internal infrastructure from within. In an era where uncertified gadgets and inadequately secured “smart” devices are increasingly ubiquitous in the workplace, such botnets are no longer a technical curiosity but a genuine existential threat to the security of entire industries.