Kimwolf Botnet: Corporate & Government Networks Targeted

by priyanka.patel tech editor

Kimwolf Botnet Infiltrates Millions of Devices, Including Government and Corporate Networks

A rapidly spreading Internet-of-Things (IoT) botnet dubbed Kimwolf has compromised over 2 million devices globally, leveraging them to launch large-scale distributed denial-of-service (DDoS) attacks and facilitate other malicious online activities. New research indicates the botnet’s unique ability to scan local networks for additional vulnerable IoT devices poses a significant threat, with surprisingly widespread infections detected within government and corporate infrastructures.

Kimwolf gained momentum in late 2025 by exploiting “residential proxy” services, tricking them into relaying malicious commands to devices on their networks. These proxy services, marketed as a means to anonymize and localize web traffic, allow users to route their internet activity through devices located in virtually any geographic region.

The malware often arrives bundled with seemingly innocuous mobile applications and games, quietly converting infected devices into proxy nodes that relay illicit traffic – including ad fraud, account takeover attempts, and large-scale data scraping. According to security analysts, the botnet primarily targeted proxies provided by IPIDEA, a Chinese service boasting millions of available endpoints. Kimwolf operators discovered a method to forward malicious commands through IPIDEA’s network, enabling them to scan for and infect other vulnerable devices on each endpoint’s local network.

The majority of systems compromised through this local network scanning have been unofficial Android TV streaming boxes, typically running the Android Open Source Project rather than the more secure Android TV OS or Play Protect certified versions. These devices are often marketed as a low-cost solution for accessing unlimited – and often pirated – streaming content. Many of these boxes are pre-loaded with residential proxy software and lack fundamental security features, making them easily compromised if directly accessible.

While IPIDEA and other affected proxy providers have reportedly taken steps to block Kimwolf’s upstream access, the malware persists on millions of infected devices. This raises concerns about the botnet’s continued activity and potential for future attacks.

Initially, the association with residential proxies and compromised TV boxes suggested limited corporate network penetration. However, a recent analysis by the security firm Infoblox revealed that nearly 25 percent of its customers had queried a Kimwolf-related domain name since October 1, 2025, when the botnet first became active.

Infoblox’s findings indicate affected customers span diverse industries worldwide, including education, healthcare, government, and finance. “To be clear, this suggests that nearly 25% of customers had at least one device that was an endpoint in a residential proxy service targeted by Kimwolf operators,” a company release explained. “Such a device, maybe a phone or a laptop, was essentially co-opted by the threat actor to probe the local network for vulnerable devices.” The firm clarified that a query indicates a scan attempt, not necessarily a successful compromise, and that lateral movement would be blocked if no vulnerable devices were present or DNS resolution was interrupted.

Further investigation by Synthient, a startup specializing in proxy service tracking, revealed alarming numbers of IPIDEA proxy endpoints within government and academic institutions globally. Synthient identified at least 33,000 affected internet addresses at universities and colleges, and nearly 8,000 IPIDEA proxies within U.S. and foreign government networks.

A webinar hosted by the proxy tracking service Spur on January 16 profiled internet addresses associated with IPIDEA and ten other potentially vulnerable proxy services. Spur discovered residential proxies operating within nearly 300 government networks, 318 utility companies, 166 healthcare organizations, and 141 banking and finance companies. “I looked at the 298 [government] owned and operated [networks], and so many of them were DoD [U.S. Department of Defense], which is kind of terrifying that DoD has IPIDEA and these other proxy services located inside of it,” Spur Co-Founder Riley Kilmer stated. Kilmer cautioned that while network segregation might limit the impact of some infections, the presence of compromised devices represents a significant risk. “If a device goes in, anything that device has access to the proxy would have access to.”

Kilmer emphasized that Kimwolf highlights how a single residential proxy infection can quickly escalate into broader organizational problems, particularly in environments with unsecured devices behind firewalls. Proxy services, he noted, provide attackers with a relatively simple method to probe local networks for additional targets. “If you know you have [proxy] infections that are located in a company, you can chose that [network] to come out of and then locally pivot,” Kilmer explained. “If you have an idea of where to start or look, now you have a foothold in a company or an enterprise based on just that.”

This report is the third in a series examining the Kimwolf botnet. Next week’s installment will focus on the individuals and companies in China connected to Badbox 2.0, a collective term for a vast number of Android TV streaming box models lacking essential security features and pre-installed with residential proxy malware.

Further reading:
The Kimwolf Botnet is Stalking Your Local Network
Who Benefitted from the Aisuru and Kimwolf Botnets?
A Broken System Fueling Botnets (Synthient).

You may also like

Leave a Comment