Breaking: Kimwolf Android Botnet Abuses Residential Proxies To Infect...
The Kimwolf botnet, an Android variant of the Aisuru malware, has grown to more than two million hosts, most of them infected by exploiting vulnerabilities in residential proxy networks to target devices on internal networks.
Researchers observed increased activity for the malware since last August. Over the past month, Kimwolf has intensified its scanning of proxy networks, searching for devices with exposed Android Debug Bridge (ADB) services.
Common targets are Android-based TV boxes and streaming devices that allow unauthenticated access over ADB. Compromised devices are primarily used in distributed denial-of-service (DDoS) attacks, proxy resale, and monetizing app installations via third-party SDKs like Plainproxies Byteconnect.
The Aisuru botnet is currently responsible for the largest DDoS attack publicly disclosed, which peaked at 29.7 terabits per second as measured by Cloudflare.
A report from XLab notes that the Kimwolf Android botnet had more than 1.8 million compromised devices on December 4.
Researchers at threat intelligence and anti-fraud cybersecurity company Synthient have been tracking Kimwolf activity. They say that the number of compromised devices has climbed to nearly two million and that the botnet produced around 12 million unique IP addresses each week.
Most of the infected Android devices are in Vietnam, Brazil, India, and Saudi Arabia. In many cases, the systems were compromised by proxy SDKs before purchase, a practice that has been reported in the past.
According to Synthient, Kimwolf’s rapid growth is largely due to its abuse of residential proxy networks to reach vulnerable Android devices. Specifically, the malware takes advantage of proxy providers that permit access to local network addresses and ports, allowing direct interaction with devices running on the same internal network as the proxy client.
Starting on November 12, 2025, Synthient observed elevated activity scanning for unauthenticated ADB services exposed through proxy endpoints, targeting ports 5555, 5858, 12108, and 3222.
The Android Debug Bridge (ADB) is a development and debugging interface that allows installing and removing apps, running shell commands, transferring files, and debugging Android devices. When exposed over a network, ADB can allow unauthorized remote connections to modify or take control of Android devices.
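The weakness described above is a proxy that relays requests to local network addresses. The following is an added example, not code from Synthient, XLab, or any proxy provider: a destination filter that rejects internal targets and flags clients that repeatedly request the ADB ports listed in the article. The log line format, function names, and sample entries are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Ports the article lists as scanned for unauthenticated ADB.
ADB_PORTS = {5555, 5858, 12108, 3222}

# Ranges a residential proxy exit node should never relay to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

def is_internal(host):
    """True if host is an IP literal inside an internal range."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # hostname: resolve it and re-check the result before relaying
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:192.168.1.5 is still a LAN address
    return any(ip in net for net in INTERNAL_NETS if net.version == ip.version)

def classify(line):
    """Verdict for an assumed log line '<ts> <client> CONNECT <host>:<port>'."""
    _ts, _client, _method, target = line.split()
    host, _, port = target.rpartition(":")
    if not is_internal(host):
        return "allow"
    return "block-adb" if int(port) in ADB_PORTS else "block-internal"

def adb_scanners(lines, threshold=3):
    """Clients with at least `threshold` ADB-port requests to internal hosts."""
    hits = Counter(l.split()[1] for l in lines if classify(l) == "block-adb")
    return sorted(c for c, n in hits.items() if n >= threshold)

# Constructed sample log (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
2025-11-12T10:00:01Z 203.0.113.10 CONNECT 198.51.100.7:443
2025-11-12T10:00:02Z 203.0.113.44 CONNECT 192.168.1.20:5555
2025-11-12T10:00:02Z 203.0.113.44 CONNECT 192.168.1.21:5858
2025-11-12T10:00:03Z 203.0.113.44 CONNECT [::ffff:192.168.1.22]:12108
2025-11-12T10:00:04Z 203.0.113.51 CONNECT 10.0.0.1:80
""".splitlines()

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), line)
    print("ADB scanners:", adb_scanners(SAMPLE_LOG))
```

The check only covers IP literals; a hostname destination has to be resolved first and the resolved address passed through the same filter.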
Source: BleepingComputer