Zombies in the Living Room: 2 Million Android TV Boxes Hijacked for Proxy Fraud
Since last autumn, Lumen Technologies' Black Lotus Labs team has taken down more than 550 command-and-control servers tied to the AISURU and Kimwolf botnets. Both remain among the largest botnets of their kind, marshalling compromised devices for high-volume DDoS attacks and for routing traffic through residential proxy services.
QiAnXin's analysis of Kimwolf's internals found that the malware mainly targets uncertified Android set-top boxes and turns them into proxy nodes through an embedded SDK called ByteConnect. It spreads both directly and through dubious pre-installed apps. The result is a network of more than two million devices with exposed ADB interfaces, used to bypass traffic filtering and to seed further infections.
It later emerged that Kimwolf's operators were not merely leasing access to the compromised devices but were trying to monetize proxy traffic on fixed-rate plans. In September, Black Lotus Labs recorded suspicious SSH connections from Canadian IP addresses to the botnet's control infrastructure. Oddly, one of the botnet's domains briefly ranked above Google in Cloudflare's list of most-requested domains in November before it was taken down.
In October a second command-and-control server was identified, hosted on an IP address belonging to Resi Rack LLC, a Utah-based provider. The company presents itself as a gaming-infrastructure host, but evidence showed its co-founders were selling proxy access through a Discord server called resi[.]to. That channel has since disappeared, but while it was up it served as the main marketplace for compromised nodes.
At the same time, Black Lotus Labs saw Kimwolf's recruitment accelerate sharply, with the bot count reaching 800,000 by mid-October. Nearly all of these devices were offered for sale through the same residential proxy service. Investigators found that the botnet was scanning through residential proxy platforms such as PYPROXY to reach the local networks behind their exit nodes, where it took over devices with ADB enabled. Those devices were then rented out as proxy nodes to other actors, who used them to spread more malware.
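The recruitment path above rests on one weakness: ADB reachable over TCP from the local network, on boxes that were shipped without ADB authentication. A defender can run the same kind of probe Kimwolf runs, but read-only, to find such boxes before the botnet does. The script below is an added example written for this page, not code from Lumen, QiAnXin or the article. It assumes the default ADB-over-TCP port 5555 and the public ADB wire protocol (a 24-byte header of six little-endian uint32 fields followed by a payload); it sends only the client hello (CNXN) and never authenticates or runs a command. The replies it classifies in the test are constructed for illustration.

```python
import ipaddress
import socket
import struct

# ADB wire-protocol constants (from the public ADB protocol description).
A_CNXN = 0x4E584E43          # b"CNXN" read as a little-endian uint32
A_AUTH = 0x48545541          # b"AUTH"
A_VERSION = 0x01000000
MAX_PAYLOAD = 4096
ADB_TCP_PORT = 5555          # assumption: the boxes use the default ADB-over-TCP port
HEADER_LEN = 24
MAX_READ = 65536             # cap so a chatty non-ADB service cannot stall the probe


def pack_message(command: int, arg0: int, arg1: int, data: bytes) -> bytes:
    """Serialize one ADB message: header (six uint32 LE) followed by the payload.
    data_check is the byte sum of the payload; magic is command XOR 0xffffffff."""
    magic = command ^ 0xFFFFFFFF
    header = struct.pack("<6I", command, arg0, arg1, len(data),
                         sum(data) & 0xFFFFFFFF, magic)
    return header + data


def build_cnxn() -> bytes:
    """The CNXN hello an adb client sends to open a session.
    "host::" is the NUL-terminated system identity string."""
    return pack_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")


def classify_response(raw: bytes):
    """Map a device's first reply to (verdict, detail).

    open-no-auth   device answered CNXN: no RSA key check, anyone on the LAN
                   gets a shell (this is the population Kimwolf recruits)
    auth-required  device answered AUTH: ADB is exposed but gated by a key prompt
    not-adb        something else is listening on the port
    no-response    nothing came back
    """
    if not raw:
        return ("no-response", "")
    if len(raw) < HEADER_LEN:
        return ("not-adb", "")
    command, _arg0, _arg1, data_len, _check, magic = struct.unpack("<6I", raw[:HEADER_LEN])
    if magic != (command ^ 0xFFFFFFFF):
        return ("not-adb", "")          # header does not self-validate: not ADB
    payload = raw[HEADER_LEN:HEADER_LEN + data_len]
    if command == A_CNXN:
        # the device identity string, e.g. "device::ro.product.name=...;"
        return ("open-no-auth", payload.rstrip(b"\x00").decode("ascii", "replace"))
    if command == A_AUTH:
        return ("auth-required", "")
    return ("not-adb", "")


def probe_adb(host: str, port: int = ADB_TCP_PORT, timeout: float = 2.0):
    """Connect, send one CNXN, and classify the first reply. Read-only."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("closed", "")
    except OSError:
        return ("no-response", "")
    raw = b""
    try:
        with sock:
            sock.settimeout(timeout)
            sock.sendall(build_cnxn())
            # read until the header plus its advertised payload is in, or the peer stops
            while len(raw) < MAX_READ:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
                if len(raw) >= HEADER_LEN:
                    data_len = struct.unpack_from("<I", raw, 12)[0]
                    if len(raw) >= HEADER_LEN + data_len:
                        break
    except OSError:
        pass                            # timeout or reset: classify what we have
    return classify_response(raw)


def scan_subnet(cidr: str, port: int = ADB_TCP_PORT):
    """Probe every host in the subnet; return hosts where ADB is listening."""
    findings = []
    for ip in ipaddress.ip_network(cidr, strict=False).hosts():
        verdict, detail = probe_adb(str(ip), port)
        if verdict in ("open-no-auth", "auth-required"):
            findings.append((str(ip), verdict, detail))
    return findings


if __name__ == "__main__":
    # Example: audit the home LAN for ADB listeners (assumed subnet).
    for host, verdict, detail in scan_subnet("192.168.1.0/24"):
        print(f"{host}\t{verdict}\t{detail}")
```

Any `open-no-auth` hit is a box that Kimwolf, or any other tenant of a proxy exit on that LAN, can take over without a password; `auth-required` hits are still worth disabling ADB on, since the device is advertising a debugging interface to the network.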
After a primary control node was taken down in October, the operators moved their management interface to another IP address also tied to Resi Rack LLC. Malicious payload delivery picked up immediately afterwards, pointing to a close link between these IP ranges and the AISURU infrastructure.
Around the same time, reports surfaced of a new proxy network built from more than 800 compromised routers running KeeneticOS. Identical configurations and SSH fingerprints across the devices point to a highly automated compromise, most likely through harvested credentials or firmware vulnerabilities. The hijacked routers acted as proxy gateways, letting attackers hide their activity inside ordinary residential traffic. Unlike data-center or commercial hosting ranges, these residential devices rarely appear on blocklists and pass through standard traffic analysis unnoticed, which makes them hard to detect.