The Kimwolf botnet has infected over two million devices by compromising a vast number of unofficial Android TV streaming boxes, forcing them to participate in distributed denial-of-service (DDoS) attacks and relay abusive Internet traffic for residential proxy services. The botnet's spread is linked to integrated proxy software that ships with apps and games, turning devices into distributed relays for fraud, credential stuffing, and data scraping.

Background and Context

The Kimwolf botnet was first identified by the Chinese security firm XLab on December 17, 2025. Researchers found "definitive evidence" that the same cybercriminal actors and infrastructure were used to deploy both Kimwolf and the Aisuru botnet, an earlier version of Kimwolf that also enslaved devices for use in DDoS attacks and proxy services.

XLab had suspected since October that Kimwolf and Aisuru shared the same author(s) and operators, based on code changes the two botnets shared over time. That suspicion was not confirmed until December 8, when both botnet strains were traced to the same Internet address: 93.95.112[.]59.

That address falls in an IP range assigned to Lehi, Utah-based Resi Rack LLC, a company that describes itself as a premium game server host and provider of residential proxies. Its co-founders have publicly referenced services that facilitate proxy networks, which researchers say played a central role in Kimwolf's operations.

Why It Matters to the Industry

The spread of the Kimwolf botnet highlights how poorly protected millions of smart TV devices are and underscores the importance of robust security measures. The botnet's use of proxy software bundled with apps and games is a concerning trend: it can turn otherwise ordinary devices into traffic-generating machines with little to no security protection.

The fact that Kimwolf and Aisuru share the same author(s) and operators suggests a coordinated effort to compromise large numbers of devices. This raises questions about the role of proxy services in facilitating such attacks and whether they are aware of or complicit in the botnet's operations.
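For defenders, the practical question is how a compromised streaming box would show up on the wire. Two observable traits follow from the article: infected devices contact infrastructure at the address XLab traced (93.95.112[.]59, refanged below for matching), and, as proxy exits, they open connections to far more unrelated destinations than a streaming box normally does. The following is an added example written for this page, not code from XLab, Synthient or KrebsOnSecurity. The flow records are constructed, and the TV-segment subnet (10.20.0.0/24) and the fan-out threshold of 25 distinct destinations are assumptions to be tuned per network.

```python
"""Flag smart-TV devices whose outbound flows look like Kimwolf-style proxy relaying."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# The one indicator taken from the article (defanged there as 93.95.112[.]59).
KIMWOLF_SHARED_ADDRESS = ip_address("93.95.112.59")

# Assumption: the network segment where the Android TV boxes live.
TV_SEGMENT = ip_network("10.20.0.0/24")

# Assumption: a streaming box normally talks to a handful of CDN and update
# hosts; one that reaches dozens of unrelated destinations in a short window
# behaves like a residential-proxy exit, which is what the article describes.
FANOUT_THRESHOLD = 25

# Constructed sample export, one flow per line as "src,dst,dst_port". Not real traffic.
SAMPLE_EXPORT = "\n".join(
    [
        "10.20.0.7,93.95.112.59,443",    # box contacting the address from the article
        "10.20.0.7,198.51.100.10,443",
        "10.20.0.9,203.0.113.4,443",     # normal box: two CDN hosts, nothing else
        "10.20.0.9,203.0.113.5,443",
        "10.30.0.2,198.51.100.77,443",   # host outside the TV segment, ignored
    ]
    # one box fanning out to 40 distinct destinations, relay-like behaviour
    + [f"10.20.0.12,198.51.100.{n},{80 if n % 2 else 443}" for n in range(1, 41)]
)


def parse_export(text):
    """Parse 'src,dst,port' lines into (src, dst, port) tuples, skipping blanks."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, dst, port = line.split(",")
        flows.append((src, dst, int(port)))
    return flows


def analyze(flows, indicator=KIMWOLF_SHARED_ADDRESS, segment=TV_SEGMENT,
            threshold=FANOUT_THRESHOLD):
    """Return {device: [reasons]} for devices in the TV segment matching an indicator.

    Reasons are 'contacted_flagged_address' (a flow to the article's address) and
    'fanout=N' (N distinct destinations, N >= threshold). Devices outside the
    segment are ignored so the heuristic is not applied to general-purpose hosts.
    """
    destinations = defaultdict(set)
    indicator_hits = set()
    for src, dst, _port in flows:
        if ip_address(src) not in segment:
            continue
        destinations[src].add(dst)
        if ip_address(dst) == indicator:
            indicator_hits.add(src)

    findings = defaultdict(list)
    for device in sorted(indicator_hits):
        findings[device].append("contacted_flagged_address")
    for device, dsts in destinations.items():
        if len(dsts) >= threshold:
            findings[device].append(f"fanout={len(dsts)}")
    return dict(findings)


if __name__ == "__main__":
    for device, reasons in analyze(parse_export(SAMPLE_EXPORT)).items():
        print(device, ", ".join(reasons))
```

The address match is the high-confidence signal; the fan-out check is a heuristic that will also fire on legitimate peer-to-peer or ad-heavy apps, so it is best used to rank TV-segment devices for a closer look rather than to block them outright.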

Key Actors and Roles

Resi Rack's co-founders, Cassidy Hales and Linus, have been active in selling proxy services via Discord for nearly two years. They have also advertised their services as a "Premium Residential Proxy Hosting and Proxy Software Solutions Company" on the Internet moneymaking forum BlackHatWorld.

The Resi Rack Internet address cited by XLab on December 8 came onto KrebsOnSecurity's radar more than two weeks before that. Benjamin Brundage, founder of Synthient, a startup that tracks proxy services, had been tracking the Kimwolf botnet and its associated proxy infrastructure since late October.

What Comes Next

The discovery of the Kimwolf botnet's spread raises concerns about the security of millions of smart TV devices. It also highlights the need for robust security measures to prevent such attacks in the future.

As researchers continue to investigate the botnet and its associated proxy infrastructure, it is clear that the industry must take a closer look at the role of proxy services in facilitating such attacks. The use of integrated proxy software that ships with apps and games is a concerning trend that must be addressed.

Key Facts

  • The Kimwolf botnet has infected over two million devices by compromising unofficial Android TV streaming boxes.
  • The botnet's spread is linked to integrated proxy software that ships with apps and games, turning devices into distributed relays for fraud, credential stuffing, and data scraping.
  • XLab found "definitive evidence" that the same cybercriminal actors and infrastructure were used to deploy both Kimwolf and the Aisuru botnet.
  • The IP range flagged by researchers points to Lehi, Utah-based Resi Rack LLC, a company describing itself as a premium game server host and provider of residential proxies.
  • Resi Rack's co-founders have publicly referenced services that facilitate proxy networks, which researchers say played a central role in Kimwolf's operations.