A sophisticated Internet-of-Things (IoT) botnet, dubbed Kimwolf, has rapidly expanded its reach to over 2 million compromised devices, actively participating in massive distributed denial-of-service (DDoS) attacks and relaying other malicious internet traffic. Recent research highlights a disturbing trend: Kimwolf is increasingly prevalent within government and corporate networks, posing a significant threat due to its ability to scan local networks for additional IoT devices to infect. This insidious expansion was facilitated by exploiting vulnerabilities in residential proxy services, which are often bundled with seemingly innocuous mobile applications and games. These services, designed to anonymize and localize web traffic, inadvertently provide Kimwolf operators with a gateway to probe and compromise internal networks.

The rapid growth of Kimwolf in the latter half of 2025 was primarily driven by its exploitation of residential proxy services, particularly China-based IPIDEA, which boasts millions of proxy endpoints. Kimwolf operators discovered a critical vulnerability: they could forward malicious commands to devices within the local networks of these proxy endpoints. This enabled them to programmatically scan for and infect other vulnerable IoT devices connected to the same local network. The most commonly compromised devices identified through this local network scanning are unofficial Android TV streaming boxes. These devices, often running on the Android Open Source Project (AOSP) and not certified by Google Play Protect, are marketed as a cost-effective way to access a vast library of pirated video content. Alarmingly, many of these TV boxes come with residential proxy software pre-installed and lack fundamental security or authentication mechanisms, making them easy targets for malware.

While IPIDEA and other affected proxy providers have reportedly made efforts to mitigate upstream threats from reaching their endpoints, the Kimwolf malware remains embedded on millions of infected devices. The widespread presence of compromised Android TV boxes and their association with residential proxy networks might initially suggest a limited impact on corporate environments. However, recent analysis by the security firm Infoblox reveals a startling prevalence of Kimwolf activity within its customer base. Infoblox reported that nearly 25% of its customers made queries to Kimwolf-related domain names since October 1, 2025, the approximate date of the botnet’s emergence. These affected customers span diverse industries and geographical locations, including education, healthcare, government, and finance.

Infoblox clarified that this statistic indicates that approximately 25% of their customers had at least one device acting as an endpoint for a residential proxy service targeted by Kimwolf operators. Such a device, whether a smartphone or a laptop, could be co-opted by threat actors to probe the local network for vulnerable devices. A query, in this context, signifies a scan attempt, not necessarily a successful compromise. The success of lateral movement would depend on the presence of vulnerable devices or the effectiveness of DNS resolution blocking.

Synthient, a startup specializing in tracking proxy services and the first to disclose Kimwolf’s unique propagation methods on January 2, 2026, observed a significant number of IPIDEA proxy endpoints within government and academic institutions globally. Synthient’s research identified at least 33,000 affected internet addresses at universities and colleges, and nearly 8,000 IPIDEA proxies operating within various U.S. and international government networks. This finding underscores the infiltration of sensitive sectors by this burgeoning botnet.

Further insights into Kimwolf’s reach were provided by experts at the proxy tracking service Spur during a webinar on January 16, 2026. Spur analyzed internet addresses associated with IPIDEA and ten other proxy services believed to be vulnerable to Kimwolf’s exploitation. Their findings revealed residential proxies within approximately 300 government-owned and operated networks, 318 utility companies, 166 healthcare organizations and hospitals, and 141 financial institutions.

Riley Kilmer, Co-Founder of Spur, expressed significant concern over the presence of IPIDEA proxies within U.S. Department of Defense (DoD) networks. "I looked at the 298 [government] owned and operated [networks], and so many of them were DoD [U.S. Department of Defense], which is kind of terrifying that DoD has IPIDEA and these other proxy services located inside of it," Kilmer stated. While acknowledging that network segmentation might limit the immediate impact of such compromises, Kilmer emphasized the inherent risk: "It could be that [infected devices] are segregated on the network, that even if you had local access it doesn’t really mean much. However, it’s something to be aware of. If a device goes in, anything that device has access to the proxy would have access to."

Kilmer highlighted Kimwolf as a prime example of how a single compromised residential proxy can rapidly escalate into substantial problems for organizations harboring unsecured devices behind their firewalls. Proxy services, he explained, offer a straightforward pathway for attackers to probe other devices within an organization’s local network. "If you know you have [proxy] infections that are located in a company, you can choose that [network] to come out of and then locally pivot," Kilmer elaborated. "If you have an idea of where to start or look, now you have a foothold in a company or an enterprise based on just that."

This report is the third in a series examining the Kimwolf botnet. Future installments will delve into the individuals and companies in China linked to the Badbox 2.0 botnet, a collective term for a vast array of Android TV streaming box models that notoriously ship with pre-installed residential proxy malware and a severe lack of security or authentication.

For further reading on the Kimwolf botnet and related threats, consult the following resources:

• The Kimwolf Botnet is Stalking Your Local Network
• Who Benefitted from the Aisuru and Kimwolf Botnets?
• A Broken System Fueling Botnets (Synthient)