Over 2 Million Devices Infected by Kimwolf Android Botnet via ADB and Proxy Networks

Леонидас


Synthient found that Kimwolf tunneled through home proxy networks to infect over 2 million Android devices.

"Key actors involved in the Kimwolf botnet are observed monetizing the botnet through app installs, selling residential proxy bandwidth, and selling its DDoS functionality," the company claimed last week.

Last month, QiAnXin XLab revealed Kimwolf's ties to AISURU. Kimwolf, an Android variant of AISURU, has been active since August 2025. Recent evidence suggests the botnet was behind a number of record-setting DDoS attacks late last year.

The malware uses infected systems to relay malicious traffic and launch large-scale DDoS attacks. Most infections are in Vietnam, Brazil, India, and Saudi Arabia, with Synthient observing 12 million distinct IP addresses per week.

The botnet mostly targets Android devices with an exposed Android Debug Bridge (ADB) service, using a scanning infrastructure that reaches those devices through residential proxies to install the malware. At least 67% of the botnet's devices have unauthenticated ADB enabled by default.

Proxy providers may also pre-infect these devices with SDKs that secretly enroll them in the botnet. Unofficial Android smart TVs and set-top boxes are the most frequently compromised.

Kimwolf infections were observed as recently as December 2025 using proxy IP addresses rented out by China-based IPIDEA, which applied a security patch on December 27 to restrict access to local network devices and numerous vulnerable ports. IPIDEA describes itself as the "world's leading provider of IP proxy", with more than 6.1 million IP addresses that are updated daily and 69,000 IP addresses added every day.

In other words, the operators use IPIDEA's proxy network, along with other proxy providers, to tunnel into the local networks of systems running the proxy software and drop the malware there. The primary payload is configured to listen on port 40860 and to connect to 85.234.91[.]247:1337 to receive further commands.

"The scale of this vulnerability was unprecedented, exposing millions of devices to attacks," according to Synthient Technologies.

The attacks also install a bandwidth monetization service, the Plainproxies Byteconnect SDK, on the devices, a sign of broader efforts to monetize them. The SDK uses 119 relay servers that receive proxy tasks from a command-and-control server; the infected devices then carry out those tasks.

Synthient also said it has identified the infrastructure used to carry out credential-stuffing attacks against IMAP servers and major websites.

"Kimwolf's monetization strategy became apparent early on through its aggressive sale of residential proxies," the business stated in its announcement. "By offering proxies as low as 0.20 cents per GB or $1.4K a month for unlimited bandwidth, it would gain early adoption by several proxy providers."

"The discovery of pre-infected TV boxes and the monetization of these bots through secondary SDKs like Byteconnect indicates a deepening relationship between threat actors and commercial proxy providers."

To mitigate the risk, proxy providers are advised to refuse requests to RFC 1918 addresses, the private IP ranges defined for use within private networks. Organizations are also recommended to lock down any devices running unauthenticated ADB shells to prevent unwanted access.
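One way a proxy exit node could enforce the RFC 1918 restriction recommended above, as an added example that is not Synthient's, IPIDEA's or any provider's code: it resolves every address of the requested host and refuses to relay if any answer is private. The loopback, link-local, CGNAT and IPv6 local ranges are an assumed extension beyond the article's RFC 1918 recommendation, since they close the same local-network pivot.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Destination ranges a residential proxy exit node should refuse to relay to.
# RFC 1918 is the mitigation named in the article; the remaining entries are
# an assumed extension covering other locally-scoped addresses.
BLOCKED_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
        "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
        "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
    )
]

def is_blocked_ip(ip_text: str) -> bool:
    """True if the address falls in a range the exit node must never relay to."""
    ip = ipaddress.ip_address(ip_text)
    # IPv4-mapped IPv6 (::ffff:192.168.1.1) must be checked as the IPv4 it wraps.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def resolve_all(host: str) -> list[str]:
    """Resolve a hostname to every A/AAAA answer; IP literals pass straight through."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def proxy_request_allowed(target: str, resolver=resolve_all) -> tuple[bool, str]:
    """Decide whether a CONNECT/GET target (URL or host:port) may be relayed.

    Every resolved address is checked, so a name that mixes public and private
    answers is rejected rather than letting the DNS answer order pick the private one.
    """
    parts = urlsplit(target if "://" in target else "//" + target)
    host = parts.hostname
    if not host:
        return False, "no host in request target"
    try:
        addrs = resolver(host)
    except (socket.gaierror, ValueError) as exc:
        return False, f"resolution failed: {exc}"
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"
```

Pass a custom `resolver` to test the policy offline; the default performs a live DNS lookup.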