The Kimwolf botnet, an Android variant of the Aisuru malware, has grown to more than two million hosts, most of them infected by exploiting vulnerabilities in residential proxy networks to target devices on internal networks.

Researchers observed increased activity for the malware since last August. Over the past month, Kimwolf has intensified its scanning of proxy networks, searching for devices with exposed Android Debug Bridge (ADB) services.

Common targets are Android-based TV boxes and streaming devices that allow unauthenticated access over ADB. Compromised devices are primarily used in distributed denial-of-service (DDoS) attacks, proxy resale, and monetizing app installations via third-party SDKs like Plainproxies Byteconnect.

The Aisuru botnet is currently responsible for the largest DDoS attack publicly disclosed, which peaked at 29.7 terabits per second as measured by Cloudflare.

A report from XLab notes that the Kimwolf Android botnet had more than 1.8 million compromised devices on December 4.

Researchers at threat intelligence and anti-fraud cybersecurity company Synthient have been tracking Kimwolf activity. They say that the number of compromised devices has climbed to nearly two million, and produced around 12 million unique IP addresses each week.

Most of the infected Android devices are in Vietnam, Brazil, India, and Saudi Arabia. In many cases, the systems were compromised by proxy SDKs before purchase, which was reported in the past.

Abusing residential proxies

According to Synthient, Kimwolf’s rapid growth is largely due to its abuse of residential proxy networks to reach vulnerable Android devices. Specifically, the malware takes advantage of proxy providers that permit access to local network addresses and ports, allowing direct interaction with devices running on the same internal network as the proxy client.

Starting on November 12, 2025, Synthient observed elevated activity scanning for unauthenticated ADB services exposed through proxy endpoints, targeting ports 5555, 5858, 12108, and 3222.

The Android Debug Bridge (ADB) is a development and debugging interface that allows installing and removing apps, running shell commands, transferring files, and debugging Android devices. When exposed over a network, ADB can allow unauthorized remote connections to modify or take control of Android devices.

When reachable, botnet payloads were delivered via netcat or telnet, piping shell scripts directly into the exposed device for local execution, written to /data/local/tmp.

Synthient captured multiple payload variants throughout December, but the delivery methods remained unchanged.

The researchers found high exposure rates in one sample residential proxy pool, underscoring that such devices can be exploited within minutes of joining these networks.

"Upon analyzing exposed devices part of IPIDEAs proxy pool, we found that 67% of all Android devices are unauthenticated, leaving them vulnerable to remote code execution," Synthient explains.

"From our scans, we found approximately 6 million vulnerable IPs […] These devices are often shipped pre-infected with SDKs from proxy providers," the researchers say.

IPIDEA, one of the impacted proxy providers and a top Kimwolf target because it enabled access to all ports, responded to Synthient’s alert on December 28 by blocking access to local networks and a broad range of ports.

In total, the researchers sent almost a dozen vulnerability reports "to the top proxy providers" observed in Kimwolf activity. However, researchers cannot confidently determine all the proxy providers targeted by the malware.

Protecting against Kimwolf

Synthient has published an online scanner tool to help users identify if any of their network devices are part of the Kimwolf botnet.

In the case of a positive result, the researchers suggest that infected TV boxes should be "wiped or destroyed," otherwise the botnet will persist.

The general recommendation is to avoid low-cost generic Android TV boxes and to prefer ‘Google Play Protect certified’ devices from reputable OEMs, such as Google’s Chromecast, NVIDIA Shield TV, and Xiaomi Mi TV Box.