• Kimwolf botnet has infected over 2 million IoT devices, enabling massive DDoS attacks.
• It scans local networks of compromised systems to spread to additional vulnerable devices.
• Research shows Kimwolf is unexpectedly common in government and corporate networks.
• The botnet exploits residential proxy services, especially IPIDEA, to relay malicious commands.
• Unofficial Android TV streaming boxes are the primary targets for local network infections.
• Malware is often bundled with mobile apps and games, silently turning devices into proxy nodes.

Article Summaries:

  • A new Internet-of-Things (IoT) botnet called Kimwolf has spread to more than 2 million devices, forcing infected systems to participate in massive distributed denial-of-service (DDoS) attacks and to relay other malicious and abusive Internet traffic. Kimwolf’s ability to scan the local networks of compromised systems for other IoT devices to infect makes it a sobering threat to organizations, and new research reveals Kimwolf is surprisingly prevalent in government and corporate networks. Kimwolf grew rapidly in the waning months of 2025 by tricking various “residential proxy” services into rel
  • A new IoT botnet, Kimwolf, has infected more than 2 million devices, using compromised residential proxy services, particularly IPIDEA, to spread malware across local networks. The botnet scans for vulnerable devices, mainly targeting unofficial Android TV boxes that ship with pre‑installed proxy software and little security. Infected proxies then relay malicious traffic, including DDoS attacks, ad fraud, and account takeovers. Despite recent efforts by proxy providers to block upstream traffic, Kimwolf remains active. A study by Infoblox found that nearly 25% of its customers, spanning education, healthcare, government, and finance, have queried Kimwolf‑related domains since October 2025, indicating widespread exposure.

Sources: