Kimwolf Botnet: Millions of Devices Infected Via Router & Android TV Vulnerabilities
More than two million Android devices worldwide have been compromised by a rapidly expanding botnet dubbed Kimwolf, turning ordinary home internet connections into infrastructure for distributed denial-of-service (DDoS) attacks, ad fraud and the resale of residential proxy access. Security researchers have uncovered the method by which Kimwolf abuses residential proxy services to reach unsecured devices on home networks, raising concerns about the security of those networks and the potential for widespread abuse.
The Kimwolf botnet primarily targets Android TV boxes and digital photo frames, often those sold by third-party merchants with few security features. Synthient, a security firm tracking the botnet’s activity, reports concentrations of infected devices in Vietnam, Brazil, India, Saudi Arabia, Russia, and the United States. A significant portion – approximately two-thirds – of the compromised devices are Android TV boxes that ship without basic security controls such as authentication.
The core of Kimwolf’s success lies in its ability to tunnel through residential proxy networks into local networks behind firewalls and routers. Residential proxy services, marketed as a means to anonymize and localize web traffic, allow customers to route their internet activity through devices in various locations globally. Kimwolf abuses a weakness in these services: a customer’s request can be steered not to the public internet but to the private network behind the proxy exit node, where it reaches and infects vulnerable devices.
Benjamin Brundage, founder of Synthient, discovered that Kimwolf circumvents the proxy providers’ restrictions on local addresses by using attacker-controlled domain names whose DNS records resolve to addresses in reserved private ranges (RFC 1918) or to 0.0.0.0. Providers that filter only the literal hostname or IP in a request, rather than the address it resolves to, let such requests through to the network behind the exit node. “It is possible to circumvent existing domain restrictions by using DNS records that point to 192.168.0.1 or 0.0.0.0,” Brundage wrote in a security advisory to proxy providers in December 2025. “This grants an attacker the ability to send carefully crafted requests to the current device or a device on the local network. This is actively being exploited, with attackers leveraging this functionality to drop malware.”
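The bypass described above comes down to where the filter is applied. The following is an added illustration (not code from Synthient, IPIDEA or any proxy provider) of a hostname-only blocklist of the kind the advisory says is bypassable, next to an egress check that resolves the name first and rejects any answer in a non-routable range, including IPv4-mapped IPv6 forms. The DNS table is constructed so the example runs offline; the hostnames and the resolver function are assumptions for illustration.

```python
import ipaddress

# Ranges a proxy egress should never connect to on a customer's behalf.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",                                    # "this host", as in the advisory's example
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", # RFC 1918 private ranges
    "127.0.0.0/8",                                  # loopback
    "169.254.0.0/16",                               # link-local
    "100.64.0.0/10",                                # CGNAT, common inside ISP/home networks
    "::/128", "::1/128", "fc00::/7", "fe80::/10",   # IPv6 equivalents
)]

# Constructed DNS answers standing in for real resolution (assumption: these names
# and records do not exist; the first three mimic attacker-controlled records).
CONSTRUCTED_DNS = {
    "attacker-a.example": ["192.168.0.1"],
    "attacker-b.example": ["0.0.0.0"],
    "attacker-c.example": ["::ffff:192.168.1.20"],  # IPv4-mapped IPv6 evasion attempt
    "shop.example": ["8.8.8.8"],                    # stands in for an ordinary public host
}

def constructed_resolver(host):
    return CONSTRUCTED_DNS.get(host, [])

# The weak control: a list of literal names/addresses, never consulted after resolution.
HOSTNAME_BLOCKLIST = {"localhost", "127.0.0.1", "192.168.0.1", "0.0.0.0"}

def weak_is_allowed(host):
    """Hostname-only filter: attacker-controlled names sail through."""
    return host not in HOSTNAME_BLOCKLIST

def is_blocked_address(ip_text):
    """True if the resolved address falls in any blocked range (unwrapping ::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(ip_text)
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in BLOCKED_NETWORKS)

def resolve_and_check(host, resolver=constructed_resolver):
    """Resolve, vet every returned address, and return the one the egress should
    connect to. Connecting to this pinned address (not re-resolving the name)
    also closes the window in which a second lookup could return a private IP."""
    if not weak_is_allowed(host):
        raise ValueError(f"{host}: hostname blocklisted")
    addrs = resolver(host)
    if not addrs:
        raise ValueError(f"{host}: no A/AAAA records")
    for ip_text in addrs:
        if is_blocked_address(ip_text):
            raise ValueError(f"{host}: resolves to non-routable address {ip_text}")
    return addrs[0]

def strong_is_allowed(host, resolver=constructed_resolver):
    try:
        resolve_and_check(host, resolver)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for name in CONSTRUCTED_DNS:
        print(f"{name:20s} weak={weak_is_allowed(name)!s:5s} strong={strong_is_allowed(name)}")
```

With the constructed records, the hostname-only filter allows all four names, while the resolve-then-check version allows only shop.example. In a real egress the resolver would be the system resolver and the connection would be made to the address returned by resolve_and_check, not to the hostname.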
A key factor in Kimwolf’s rapid spread is that Android Debug Bridge (ADB) is enabled by default on many of the compromised devices. ADB is a development and diagnostic interface intended for manufacturing and testing; when it is left enabled and reachable over the network (typically TCP port 5555) without authentication, anyone who can reach the device can change its configuration and install software. Researchers found that a simple command could grant unrestricted administrative access to vulnerable devices.
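A practitioner checking a home or lab network for this condition wants to know whether a TV box answers ADB on port 5555 and whether it asks for authentication. The following added example (not code from the page or from the researchers named in it) builds the ADB CNXN handshake from the public ADB wire format (24-byte little-endian header: command, arg0, arg1, payload length, payload byte sum, command XOR 0xffffffff), classifies the reply, and wraps that in a small probe. The sample replies are constructed so the classification runs offline; the probe function, the sample device banner and the hostnames are assumptions for illustration.

```python
import socket
import struct

A_CNXN = 0x4E584E43            # ASCII "CNXN" read little-endian
A_AUTH = 0x48545541            # ASCII "AUTH"
A_VERSION = 0x01000000
MAX_PAYLOAD = 256 * 1024
HEADER = struct.Struct("<6I")  # command, arg0, arg1, data_length, data_check, magic

def build_message(command, arg0, arg1, payload=b""):
    """Serialise one ADB message: 24-byte header followed by the payload."""
    checksum = sum(payload) & 0xFFFFFFFF
    header = HEADER.pack(command, arg0, arg1, len(payload), checksum, command ^ 0xFFFFFFFF)
    return header + payload

def connect_message():
    """The CNXN an adb client sends first; 'host::' identifies us as a host, not a device."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")

def parse_message(data):
    """Return (command, arg0, arg1, payload) if data carries a well-formed ADB message, else None."""
    if len(data) < HEADER.size:
        return None
    command, arg0, arg1, length, _checksum, magic = HEADER.unpack_from(data)
    if magic != (command ^ 0xFFFFFFFF):
        return None
    payload = data[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        return None
    return command, arg0, arg1, payload

def classify_reply(data):
    """CNXN back means the device handed us a session with no authentication;
    AUTH means it wants an RSA key confirmed; anything else is not ADB."""
    parsed = parse_message(data)
    if parsed is None:
        return "not-adb"
    command = parsed[0]
    if command == A_CNXN:
        return "adb-open"
    if command == A_AUTH:
        return "adb-auth-required"
    return "adb-other"

def device_banner(data):
    """The device's self-description from an unauthenticated CNXN reply, or ''."""
    parsed = parse_message(data)
    if parsed and parsed[0] == A_CNXN:
        return parsed[3].rstrip(b"\x00").decode("ascii", "replace")
    return ""

def probe(host, port=5555, timeout=3.0):
    """Hypothetical helper: send CNXN to host:port and classify what comes back.
    Needs a reachable device; use only on networks you are authorised to test."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(connect_message())
            data = s.recv(4096)          # a device banner fits in one read
    except OSError:
        return "unreachable", ""
    return classify_reply(data), device_banner(data)

# Constructed replies (not captured from any real device) used to exercise the classifier.
SAMPLE_OPEN_REPLY = build_message(
    A_CNXN, A_VERSION, MAX_PAYLOAD,
    b"device::ro.product.name=sample_tv;ro.product.model=SAMPLEBOX;features=shell_v2,cmd\x00")
SAMPLE_AUTH_REPLY = build_message(A_AUTH, 1, 0, bytes(20))   # AUTH type 1 = TOKEN, 20-byte token
SAMPLE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n\r\n"     # something else listening on the port

if __name__ == "__main__":
    for label, reply in (("open", SAMPLE_OPEN_REPLY), ("auth", SAMPLE_AUTH_REPLY), ("http", SAMPLE_HTTP_REPLY)):
        print(label, classify_reply(reply), device_banner(reply))
```

An "adb-open" result is the condition the article describes: the box accepts shell and install commands from anyone on the LAN, and, through an abused proxy exit node, from anyone who can reach that LAN. "adb-auth-required" still means the debug port is exposed and is worth turning off.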
In December 2025, Synthient identified a strong correlation between new Kimwolf infections and proxy IP addresses offered by IPIDEA, currently the world’s largest residential proxy network. Brundage reported that Kimwolf nearly doubled in size in a single week by exploiting IPIDEA’s proxy pool. He also observed the botnet operators using a specific passphrase, “krebsfiveheadindustries,” to trigger malware downloads.
IPIDEA initially denied any association with the Aisuru botnet, stating it had no evidence of malicious activity on its network and had implemented a rigorous supplier review process. After Brundage’s notification, however, IPIDEA’s security officer informed Synthient that the company had addressed the issue by blocking access to internal network addresses and adding mitigations against further abuse of the service, and that the legacy module that allowed the abuse had been taken offline.
Riley Kilmer, founder of Spur.us, confirmed Synthient’s findings, stating that IPIDEA and its resellers allowed full and unfiltered access to the local area networks behind their exit nodes. Kilmer also highlighted the Superbox, a popular unofficial Android TV box, which often ships with ADB enabled and connects to IPIDEA’s proxy network.
Kimwolf is not the first operation of this kind. Earlier residential proxy networks include 911S5 Proxy, which operated between 2014 and 2022 and was shut down after its security problems were exposed. IPIDEA operates a sister service, 922 Proxy, which was explicitly marketed as a successor to 911S5 Proxy.
Researchers at XLab, a Chinese security firm, have been closely tracking Kimwolf’s development, noting its ability to rapidly rebuild its infrastructure after takedown attempts. XLab’s analysis indicates that the botnet’s primary targets are TV boxes in residential networks, making it difficult to accurately assess the total number of infected devices due to dynamic IP allocation and varying device usage patterns.
The FBI issued an advisory in June 2025 warning about cybercriminals gaining access to home networks through compromised Android devices and unofficial streaming boxes. Google filed a lawsuit in July 2025 against the operators of the “BadBox 2.0 Enterprise,” a botnet of over ten million Android devices engaged in advertising fraud.
Security experts recommend sticking to reputable brands when purchasing internet-connected devices and avoiding unofficial Android TV boxes that offer access to pirated content. Putting such devices on a guest network on the home router also helps, since a guest network is normally isolated from the main LAN, limiting what a compromised box can reach. Synthient has provided a resource on its website to check whether an internet address has been associated with Kimwolf-infected systems, along with a list of the most commonly infected Android TV box models.
