Kimwolf Android Botnet Infects Over 2 Million Devices via Exposed ADB and Proxy Networks
Briefly

"The botnet known as Kimwolf has infected more than 2 million Android devices by tunneling through residential proxy networks, according to findings from Synthient. 'Key actors involved in the Kimwolf botnet are observed monetizing the botnet through app installs, selling residential proxy bandwidth, and selling its DDoS functionality,' the company said in an analysis published last week. Kimwolf was first publicly documented by QiAnXin XLab last month, while documenting its connections to another botnet known as AISURU."
"Attacks distributing the botnet have been primarily found to target Android devices running an exposed Android Debug Bridge (ADB) service using a scanning infrastructure that uses residential proxies to install the malware. No less than 67% of the devices connected to the botnet are unauthenticated and have ADB enabled by default. It's suspected that these devices come pre-infected with software development kits (SDKs) from proxy providers so as to surreptitiously enlist them in the botnet."
Kimwolf is an Android-focused botnet assessed as an AISURU variant, active since at least August 2025 and linked to record-setting DDoS attacks. More than two million Android devices have been infected by tunneling through residential proxy networks, with approximately 12 million unique IP addresses observed weekly. Infections concentrate in Vietnam, Brazil, India, and Saudi Arabia. Attackers target devices with exposed Android Debug Bridge (ADB) services, leveraging scanning infrastructure that uses residential proxies to install the malware. At least 67% of connected devices are unauthenticated with ADB enabled by default. Infected systems are monetized through app installs, renting proxy bandwidth, and offering DDoS services.
Read at The Hacker News