• Our first story of 2026 revealed how a destructive new botnet called Kimwolf has infected more than two million devices by mass-compromising a vast number of unofficial Android TV streaming boxes. • Today, we’ll dig through digital clues left behind by the hackers, network operators and services that appear to have benefitted from Kimwolf’s spread. • 17, 2025, the Chinese security firm XLab published a deep dive on Kimwolf, which forces infected devices to participate in distributed denial-of-service (DDoS) attacks and to relay abusive and malicious Internet traffic for so-called “residential proxy” services. • The software that turns one’s device into a residential proxy is often quietly bundled with mobile apps and games. • Kimwolf specifically targeted residential proxy software that is factory installed on more than a thousand different models of unsanctioned Android TV streaming devices. • Very quickly, the residential proxy’s Internet address starts funneling traffic that is linked to ad fraud, account takeover attempts and mass content scraping.

Article Summaries:

  • Our first story of 2026 revealed how a destructive new botnet called Kimwolf has infected more than two million devices by mass-compromising a vast number of unofficial Android TV streaming boxes. Today, we’ll dig through digital clues left behind by the hackers, network operators and services that appear to have benefitted from Kimwolf’s spread. On Dec. 17, 2025, the Chinese security firm XLab published a deep dive on Kimwolf, which forces infected devices to participate in distributed denial-of-service (DDoS) attacks and to relay abusive and malicious Internet traffic for so-called “resident
  • XLab’s December 2025 report linked the Kimwolf botnet-now infecting over two million Android‑TV streaming boxes-to the earlier Aisuru strain. Both botnets force devices into DDoS attacks and residential‑proxy services that funnel traffic for ad fraud, account takeovers and content scraping. XLab identified shared code changes and, on Dec. 8, observed both botnets being distributed from the same IP, 93.95.112.59, owned by Lehi, Utah‑based Resi Rack LLC. Resi Rack, marketed as a game‑server host, also advertises residential‑proxy solutions. Co‑founder Cassidy Hales confirmed the company was unaware of the illicit use of its servers and acted quickly to remove the offending traffic.

Sources: