The Kimwolf botnet has grown to over 2 million infected devices globally, with concentrations in Vietnam, Brazil, India, Saudi Arabia, Russia, and the United States. The malware exploits vulnerabilities in residential proxy networks to target devices on internal networks, using them for distributed denial-of-service (DDoS) attacks, proxy resale, and monetizing app installations.
What Happened
The Kimwolf botnet is an Android variant of the Aisuru malware, which has been observed since last August. Researchers at Synthient have been tracking the activity and report that the number of compromised devices has climbed to nearly 2 million, producing around 12 million unique IP addresses each week. The majority of infected Android devices are in Vietnam, Brazil, India, and Saudi Arabia.
The malware takes advantage of proxy providers that permit access to local network addresses and ports, allowing direct interaction with devices running on the same internal network as the proxy client. Starting on November 12, 2025, Synthient observed elevated activity scanning for unauthenticated Android Debug Bridge (ADB) services exposed through proxy endpoints, targeting ports 5555, 5858, 12108, and 3222.
Where such a service was reachable, the botnet delivered its payload via netcat or telnet, piping shell scripts directly into the exposed device, where they were written to /data/local/tmp and executed locally. ADB is a development and debugging interface that allows installing and removing apps, running shell commands, transferring files, and debugging Android devices.
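The abuse described above depends on a proxy provider forwarding client requests to addresses on the exit node's own local network. The following is an added example, not code from Synthient or the article, showing the policy check a proxy operator or defender could apply to egress requests: deny any destination that is private, loopback or link-local, and separately flag the ADB ports the article names so that exit nodes being used for this scanning stand out. The log format and IP addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Ports the article reports Kimwolf scanning for unauthenticated ADB services
ADB_PORTS = {5555, 5858, 12108, 3222}

# Constructed proxy egress log (illustrative only): time, exit node, requested destination
SAMPLE_LOG = """\
2025-11-12T03:14:05Z exit=203.0.113.7 dst=192.168.1.23:5555 verb=CONNECT
2025-11-12T03:14:06Z exit=203.0.113.7 dst=192.168.1.45:5858 verb=CONNECT
2025-11-12T03:14:07Z exit=203.0.113.7 dst=10.0.0.9:12108 verb=CONNECT
2025-11-12T03:14:08Z exit=198.51.100.4 dst=93.184.216.34:443 verb=CONNECT
2025-11-12T03:14:09Z exit=198.51.100.4 dst=127.0.0.1:3222 verb=CONNECT
2025-11-12T03:14:10Z exit=203.0.113.7 dst=172.16.5.5:80 verb=CONNECT
"""

# Hypothetical log layout; adapt the pattern to the proxy software actually in use
LINE_RE = re.compile(r"^(?P<ts>\S+) exit=(?P<exit>\S+) dst=(?P<host>[^:\s]+):(?P<port>\d+)")


def is_local_destination(ip):
    """True if the destination sits on the exit node's own network rather than the Internet."""
    return ip.is_private or ip.is_loopback or ip.is_link_local


def classify(line):
    """Return a verdict for one egress request, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, port = m["host"], int(m["port"])
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "resolve-first"  # hostnames must be resolved before the local-network check
    if not is_local_destination(ip):
        return "allow"
    return "deny-adb" if port in ADB_PORTS else "deny-local"


def triage(log_text):
    """Tally verdicts and count ADB-port attempts per exit node to surface abused clients."""
    verdicts, adb_by_exit = Counter(), Counter()
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict is None:
            continue
        verdicts[verdict] += 1
        if verdict == "deny-adb":
            adb_by_exit[LINE_RE.match(line)["exit"]] += 1
    return verdicts, adb_by_exit
```

Run over the sample, every request to a local address is refused, and the exit node 203.0.113.7 is the one repeatedly probing ADB ports on its own LAN.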
Background and Context
The Kimwolf botnet's rapid growth is largely due to its abuse of residential proxy networks to reach vulnerable Android devices. Residential proxy networks are sold as a way for customers to anonymize and localize their Web traffic to a specific region, allowing them to route their traffic through devices in virtually any country or city around the globe.
The malware that turns an end-user's Internet connection into a proxy node is often bundled with dodgy mobile apps and games. These residential proxy programs are also commonly installed via unofficial Android TV boxes sold by third-party merchants on popular e-commerce sites like Amazon, BestBuy, Newegg, and Walmart.
These TV boxes range in price from $40 to $400, are marketed under a dizzying range of no-name brands and model numbers, and frequently are advertised as a way to stream certain types of subscription video content for free. But there's a hidden cost to this transaction: these TV boxes make up a considerable chunk of the estimated two million systems currently infected with Kimwolf.
Why it Matters
The Kimwolf botnet is not just a nuisance; it poses significant risks to organizations and individuals alike. The malware can be used for DDoS attacks, proxy resale, and monetizing app installations via third-party SDKs like Plainproxies Byteconnect.
A report from XLab notes that the Kimwolf Android botnet had more than 1.8 million compromised devices on December 4. Researchers at threat intelligence and anti-fraud cybersecurity company Synthient have been tracking Kimwolf activity, saying that the number of compromised devices has climbed to nearly two million.
What Comes Next
The Kimwolf botnet's growth highlights the need for increased awareness and vigilance in the industry. Organizations must take steps to protect themselves from this type of threat, including implementing robust security measures and monitoring their networks for suspicious activity.
Additionally, consumers should be cautious when purchasing Internet-connected devices such as the TV boxes described above, sticking with known brands and being wary of free or low-cost offers that may come with hidden costs. By working together, we can mitigate the risks posed by the Kimwolf botnet and protect our networks from this type of threat.
Key Facts
- The Kimwolf botnet has grown to over 2 million infected devices globally.
- The majority of infected Android devices are in Vietnam, Brazil, India, and Saudi Arabia.
- The malware exploits vulnerabilities in residential proxy networks to target devices on internal networks.
- The Kimwolf botnet is an Android variant of the Aisuru malware.
- Researchers at Synthient have been tracking the activity and report that the number of compromised devices has climbed to nearly 2 million.