TL;DR
Security researchers linked the Kimwolf botnet — which has infected over two million Android TV devices — to infrastructure and services used to sell residential proxies and relay malicious traffic. Analysis ties the botnet strains Aisuru and Kimwolf to shared code and at least one IP address assigned to a U.S. hosting firm; several proxy providers and forum communities appear to have benefited.
What happened
Researchers found that Kimwolf, a destructive botnet that co-opted more than two million unofficial Android TV streaming boxes, was being used to run DDoS attacks and to turn infected devices into residential proxies. XLab reported shared code changes and observed both Kimwolf and an earlier strain called Aisuru being distributed from the same IP address (93.95.112[.]59), indicating common operators. That IP range is assigned to Resi Rack LLC, a Utah-based hosting outfit whose co-founder said the company acted after receiving a notice about abuse. Open-source traces and the monitoring firm Synthient show proxy sellers and members of a Discord community (resi[.]to) posting IPs tied to Kimwolf traffic; some active participants used handles that match Resi Rack principals. Analysts also linked the botnet’s proxy payloads to a ByteConnect SDK distributed by Plainproxies, and flagged involvement of another proxy seller, Maskify. After the reporting, the Discord records were erased, the server disappeared and related sites and channels saw disruptive activity.
Why it matters
- Compromised consumer devices can be repurposed to support large-scale fraud, scraping and DDoS operations without owners’ knowledge.
- Commercial proxy services and SDKs can be abused to monetize botnet-sourced traffic, blurring lines between legitimate infra and criminal exploitation.
- Connections between hosting providers, proxy resellers and botnet operators highlight weak spots in the service supply chain that enable cybercrime.
- The rapid removal of public chat logs and retaliatory disruptions after disclosure complicate transparency and independent tracking of abuse.
Key facts
- Kimwolf infected more than two million unofficial Android TV streaming boxes and was used for DDoS and residential proxying.
- XLab researchers found definitive evidence linking Kimwolf and the earlier Aisuru botnet to the same actors and infrastructure.
- Both botnet strains were observed being distributed from IP 93.95.112[.]59 on Dec. 8, 2025; that address is assigned to Resi Rack LLC in Lehi, Utah.
- Resi Rack’s co-founder, Cassidy Hales, said the company received notice on Dec. 10 and addressed the reported abuse.
- Synthient and other investigators tracked multiple static Resi Rack IP addresses used for Kimwolf proxy traffic between October and December 2025.
- A Discord community called resi[.]to was used to advertise and exchange proxy endpoints tied to the botnet; that server was erased and taken offline on Jan. 2, 2026.
- The ByteConnect SDK (distributed by Plainproxies) was found installed on compromised devices; connecting to it coincided with credential-stuffing and other abusive activity.
- Linked sources show Plainproxies’ CEO (Friedrich Kraft) also operates a hosting company, 3XK Tech GmbH, which Cloudflare and others have previously linked to high volumes of app-layer DDoS and scanning activity.
- Maskify advertised millions of residential addresses and unusually low pricing for proxy bandwidth; investigators warned those prices may indicate illicit sourcing.
What to watch next
- Whether law enforcement or hosting providers take enforcement action against the hosting and proxy services named in these investigations — not confirmed in the source
- Whether the claims circulating in chat channels about 3.5 million infected devices are accurate — not confirmed in the source
- Whether ByteConnect/Plainproxies and Maskify will publicly respond or face disruption from the disclosure — not confirmed in the source
Quick glossary
- Botnet: A network of compromised devices controlled by attackers and used to carry out coordinated malicious activities such as DDoS, spam, or proxying traffic.
- Residential proxy: An internet relay service that routes traffic through IP addresses assigned to consumer ISPs, often used to appear as ordinary residential users.
- DDoS (Distributed Denial of Service): An attack that floods a target with traffic from multiple sources to overwhelm services and cause outages.
- Credential stuffing: An automated attack that tries lists of breached usernames and passwords against online services to hijack accounts when credentials are reused.
- SDK (Software Development Kit): A collection of software tools and libraries developers include in apps to add features; can be abused if it performs unwanted network activity.
Reader FAQ
Who operated the Kimwolf and Aisuru botnets?
Researchers found shared code and common distribution points indicating the same operators; chat handles ‘Dort’ and ‘Snow’ were named in investigator conversations, but formal identities are not confirmed in the source.
How many devices were infected?
Kimwolf was reported to have infected more than two million devices; an exact total for Aisuru or combined counts beyond that are not confirmed in the source.
Are the named companies legally responsible?
Resi Rack acknowledged being notified and said it addressed the issue; whether any firm is legally culpable or will face charges is not confirmed in the source.
Did proxy providers know they were reselling botnet-sourced bandwidth?
Investigators said resellers likely understood what they were selling given pricing and discussions in forums, but explicit proof of intent by specific companies is not confirmed in the source.
January 8, 2026 0 Comments Our first story of 2026 revealed how a destructive new botnet called Kimwolf has infected more than two million devices by mass-compromising a vast number…
Sources
- Who Benefited from the Aisuru and Kimwolf Botnets?
- The Kimwolf Botnet is Stalking Your Local Network
- 2M Devices at Risk as Kimwolf Botnet Abuses Proxy …
- Kimwolf Android Botnet Grows Through Residential Proxy …
Related posts
- Landline and internet services cut in parts of Iran amid nationwide protests
- Interactive Iran Protest Map tracks 82 visible incidents — Verified Incident Tracker
- Alaska Arrests Spotlight American Samoans’ Denied Voting Rights