Kimwolf Botnet: 2 Million Devices Hacked, Turned Home WiFi into a Criminal Proxy Network
“Recently, a botnet known as ‘Kimwolf’ became the reason for the hijacking of 2 million devices.”
Security Researchers, Warning
Over 2 million internet-connected devices have been infected globally by a rapidly spreading malware campaign known as Kimwolf, which covertly transforms regular residential internet connections into illicit proxy nodes for cybercriminal activity.
Since it was discovered in late 2025, the botnet has grown alarmingly and is being utilized for a variety of nefarious activities, such as online fraud, spam distribution, account takeover attempts, and distributed denial-of-service (DDoS) attacks that may take down large websites for hours.
Main Objectives and Infection Techniques
According to investigations, the operation mainly targets inexpensive Android TV boxes and digital photo frames, many of which are marketed online with default security settings that are dangerous or inadequate.
Malware was discovered to be pre-installed at the factory level in a number of instances, exposing users even before devices are turned on for the first time.
Explaining Proxy Service Exploitation
The botnet takes advantage of a structural flaw in the way big residential proxy services function, according to cybersecurity researcher Benjamin Brundage, who discovered the network while examining proxy abuse patterns in October 2025.
Benjamin Brundage, Cybersecurity Researcher
By altering DNS configurations, attackers were able to get around security measures and use compromised proxy endpoints to tunnel into private home networks.
Some proxy providers’ handling of internal network access was a major weakness. Attackers could access devices within residential networks without setting off authentication obstacles once they established a footing, significantly expanding the attack surface.
Security Analysts
The prevalence of Android Debug Bridge (ADB) mode being left active on unofficial or grey-market streaming devices exacerbates the issue. Any attacker on the same network or gaining indirect access through a proxy can take almost complete control of the device with a single command while ADB is enabled.
ADB Vulnerability and Infection Process
Technically, the infection process is straightforward, yet it works very well. Attackers look for vulnerable devices that have ADB enabled, establish a remote connection, and instruct the system to download a malware payload from an attacker-controlled web address. After the installation is unlocked with a hard-coded passphrase, the device joins the Kimwolf network.
Distribution of Devices and Traffic Relaying
Nearly two-thirds of infected devices appear to be Android TV boxes, according to data gathered during the research. The remaining devices are split between smart photo frames and a smaller number of mobile phones running hidden proxy apps. Compromised devices are made to relay traffic for illegal activities, concealing the real source of attacks behind unsuspecting home internet connections.
The botnet’s remarkable persistence was also noted by researchers. The network recovered to almost two million devices in a matter of days after an attempted disruption momentarily cut infections to almost nil. By cycling through enormous pools of new residential proxy endpoints, the malware was able to recover quickly and re-establish itself before defenses could react.
Kimwolf’s operators are thought to be making money off the infrastructure in a number of ways, including by renting out proxy bandwidth, offering DDoS-for-hire capabilities to other criminal organizations, and selling app-installation services that artificially increase download statistics.
Future Dangers and Security Suggestions
The attack model is likely to spread, experts caution. Attackers are increasingly focusing on the intersection of lax hardware security and widespread proxy access as residential proxy networks expand and low-cost smart gadgets proliferate.
Security experts advise consumers to stay away from unapproved streaming devices, turn off unneeded remote-debugging capabilities, and, whenever feasible, keep all smart gadgets separated on different networks. In the meantime, there is growing pressure on regulators and proxy service providers to fix architectural flaws that enable home connections to be weaponized without users’ knowledge.
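As an added example (not from the article or the researchers it cites), the following Python check looks for the remote-debugging exposure described above in the text a device owner gets from `adb shell getprop` on their own device. The property names are standard Android ones; the function names and both sample dumps are constructed for illustration.

```python
import re

# `getprop` prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]\s*$")

def parse_getprop(text):
    """Turn `getprop` output into a dict, skipping malformed lines."""
    matches = (PROP_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def tcp_port(props):
    """Return the TCP port adbd is configured to listen on, or None."""
    for key in ("service.adb.tcp.port", "persist.adb.tcp.port"):
        value = props.get(key, "")
        if value.isdigit() and int(value) > 0:
            return int(value)
    return None

def audit_adb(text):
    """Return a list of findings; an empty list means no ADB exposure seen."""
    props = parse_getprop(text)
    findings = []
    port = tcp_port(props)
    if port is not None:
        findings.append(f"adbd listens on TCP port {port} (network-reachable)")
    if props.get("ro.adb.secure") == "0":
        findings.append("ro.adb.secure=0: no RSA key prompt, any client is trusted")
    if props.get("ro.debuggable") == "1":
        findings.append("ro.debuggable=1: debug build, adbd can run as root")
    if "adb" in props.get("persist.sys.usb.config", "").split(","):
        findings.append("persist.sys.usb.config enables adb at every boot")
    return findings

# Constructed sample output, not captured from a real device.
TV_BOX = """\
[persist.sys.usb.config]: [mtp,adb]
[ro.adb.secure]: [0]
[ro.debuggable]: [1]
[service.adb.tcp.port]: [5555]
"""
HARDENED = """\
[persist.sys.usb.config]: [mtp]
[ro.adb.secure]: [1]
[service.adb.tcp.port]: [-1]
"""

if __name__ == "__main__":
    for name, dump in (("tv-box", TV_BOX), ("hardened", HARDENED)):
        print(name, audit_adb(dump) or "no ADB exposure found")
```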
Researchers warn that if coordinated action is not taken, millions more household gadgets might be covertly integrated into criminal infrastructure, transforming regular internet access into an unseen weapon for international crimes.
About The Author
Suraj Koli is a content specialist in technical writing about cybersecurity & information security. He has written many amazing articles related to cybersecurity concepts, with the latest trends in cyber awareness and ethical hacking.
