Kimwolf botnet affects 2 million Android devices
Briefly

"Security company Synthient estimates that the number of infected devices has now exceeded 2 million. The network primarily targets Android devices with an unsecured Android Debug Bridge (ADB) connection. It is noteworthy that the infections occur via residential proxies. Proxy providers are advised to block high-risk ports and restrict access to the local network. Users can check whether they have been affected at synthient.com/check. Infected TV boxes must be wiped or destroyed. Organizations must block connections to the aforementioned C2 servers and domains."
"The rapid growth is due to a new way it exploits residential proxy networks. Cloudflare reported that Kimwolf carried out DDoS attacks with peak rates of up to 29.7 Tbps or 14.1 Bpps. The actors behind the botnet earn money from app installations, the sale of residential proxy bandwidth, and DDoS functionality. Synthient's honeypot network recorded an increase in targeting of the domain xd[.]resi[.]to from the IPIDEA proxy network on November 12. This domain points to 0[.]0[.]0[.]0,"
Kimwolf has infected an estimated two million Android devices since early August 2025 by exploiting unsecured Android Debug Bridge (ADB) connections and leveraging residential proxy networks. The botnet functions as the Android variant of Aisuru and expanded rapidly using novel exploitation of proxy infrastructure. Cloudflare observed DDoS peaks reaching 29.7 Tbps and 14.1 Bpps. Operators monetize the network through app installs, selling residential proxy bandwidth, and DDoS services. Synthient observed specific targeting of the domain xd[.]resi[.]to via the IPIDEA proxy network. Recommended responses include blocking high-risk ports, restricting local network access, wiping infected TV boxes, and blocking C2 servers and domains.
Read at Techzine Global