A formidable new Internet-of-Things (IoT) botnet, dubbed Kimwolf, has rapidly infiltrated over two million devices, weaponizing them for colossal distributed denial-of-service (DDoS) attacks and the propagation of illicit internet traffic. The botnet’s insidious ability to scan and compromise devices within the local networks of infected systems poses a significant and escalating threat to organizations worldwide, with recent research revealing its alarming prevalence within both government and corporate environments. This sophisticated malware leverages the infrastructure of residential proxy services, turning everyday devices into clandestine gateways for malicious operations.

Kimwolf experienced explosive growth in the latter months of 2025 by exploiting a vulnerability within residential proxy services. These services, often marketed as tools for anonymizing and regionalizing web traffic, allow users to route their internet activity through a vast network of geographically diverse endpoints. The malware responsible for turning these endpoints into proxy nodes is frequently bundled discreetly with mobile applications and games, operating without the user’s knowledge. Once installed, it compels the infected device to relay a wide array of malicious and abusive internet traffic, including ad fraud, account takeover attempts, and large-scale content scraping.

The primary target of Kimwolf’s attacks has been proxies provided by IPIDEA, a prominent Chinese service that offers millions of proxy endpoints for rent on a weekly basis. The Kimwolf operators astutely discovered that they could not only relay malicious commands to IPIDEA’s proxy endpoints but also programmatically scan and infect other vulnerable devices situated within the local networks connected to these endpoints. The vast majority of systems compromised through Kimwolf’s local network scanning have been identified as unofficial Android TV streaming boxes. These devices, often based on the Android Open Source Project (AOSP) rather than certified Android TV OS or Play Protect-certified Android devices, are typically marketed as a one-time purchase solution for accessing pirated video content from popular subscription streaming services.

A critical vulnerability exploited by Kimwolf lies in the fact that many of these Android TV boxes are shipped with residential proxy software pre-installed. Furthermore, they generally lack robust security features or authentication mechanisms. This means that any entity capable of communicating directly with the TV box can easily compromise it with malware. While IPIDEA and other affected proxy providers have recently implemented measures to prevent threats like Kimwolf from propagating upstream into their networks, with varying degrees of success, the Kimwolf malware itself remains resident on millions of infected devices.

Kimwolf Botnet Lurking in Corporate, Govt. Networks

The widespread presence of Kimwolf on unofficial Android TV boxes and its association with residential proxy networks might initially suggest a limited impact on corporate networks. However, new research conducted by the security firm Infoblox paints a far more concerning picture. A recent review of their customer traffic revealed that nearly 25 percent of their clients had made queries to Kimwolf-related domain names since October 1, 2025, the approximate date of the botnet’s emergence.

Infoblox’s findings indicate that these affected customers are distributed globally and span a diverse range of industry verticals, including education, healthcare, government, and finance. "To be clear, this suggests that nearly 25% of customers had at least one device that was an endpoint in a residential proxy service targeted by Kimwolf operators," Infoblox explained in a statement. "Such a device, maybe a phone or a laptop, was essentially co-opted by the threat actor to probe the local network for vulnerable devices. A query means a scan was made, not that new devices were compromised. Lateral movement would fail if there were no vulnerable devices to be found or if the DNS resolution was blocked."
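Infoblox's statement carries the operational point for defenders: a query for a Kimwolf-related name from an internal client is evidence that a residential proxy endpoint on that network was used to scan, and blocking resolution of those names prevents the pivot even when a vulnerable device is present. As an added example, not tooling from Infoblox or any firm named in the article, the Python below parses constructed resolver query-log lines, flags the internal clients that resolved watch-listed names (matching by DNS label so subdomains match but look-alike names do not), and emits BIND RPZ-style rules that return NXDOMAIN for those names. The domain names are placeholders, since the actual Kimwolf indicators are not on this page, and the log format is an assumed generic one.

```python
"""Flag internal hosts that resolved watch-listed domains in DNS query logs.

Added illustration, not Infoblox's, Synthient's or Spur's tooling.
The domain names below are PLACEHOLDERS (the real Kimwolf-related names
are not on the page), and the log lines are constructed to resemble a
generic resolver query log.
"""
import re
from collections import defaultdict

# PLACEHOLDER watch list: stand-ins for the names a threat-intel feed would supply.
WATCHLIST = frozenset({
    "c2-placeholder.invalid",
    "scan-placeholder.invalid",
})

# Assumed query-log format: "<date> <time> client <ip>#<port>: query: <qname> IN <qtype>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log: two clients touch watch-listed names, one queries a look-alike.
SAMPLE_LOG = """\
2025-10-03 09:14:02 client 10.20.5.41#51223: query: www.example.com IN A
2025-10-03 09:14:05 client 10.20.5.41#51224: query: api.c2-placeholder.invalid IN A
2025-10-03 09:14:06 client 10.20.5.41#51225: query: scan-placeholder.invalid IN A
2025-10-03 09:15:10 client 10.20.7.9#40011: query: updates.example.org IN AAAA
2025-10-03 09:15:12 client 10.20.7.9#40012: query: notc2-placeholder.invalid IN A
2025-10-03 09:16:00 client 10.20.9.77#33000: query: C2-Placeholder.INVALID. IN TXT
"""


def normalize(qname):
    """Lower-case and strip the trailing root dot so comparisons are canonical."""
    return qname.rstrip(".").lower()


def matches_watchlist(qname, watchlist=WATCHLIST):
    """True if qname equals a watch-listed name or is a subdomain of one.

    Matching on whole labels (not substrings) keeps a look-alike such as
    'notc2-placeholder.invalid' from being flagged.
    """
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in watchlist for i in range(len(labels)))


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspect_clients(log_text, watchlist=WATCHLIST):
    """Map each client IP to the watch-listed names it queried, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and matches_watchlist(rec["qname"], watchlist):
            hits[rec["ip"]].append(normalize(rec["qname"]))
    return dict(hits)


def rpz_rules(watchlist=WATCHLIST):
    """Emit BIND RPZ-style rules: 'CNAME .' answers NXDOMAIN for the name and its subdomains."""
    rules = []
    for name in sorted(watchlist):
        rules.append(f"{name} CNAME .")
        rules.append(f"*.{name} CNAME .")
    return rules


if __name__ == "__main__":
    for ip, names in sorted(find_suspect_clients(SAMPLE_LOG).items()):
        print(f"{ip}: {len(names)} watch-listed query(ies): {', '.join(names)}")
    print("\n".join(rpz_rules()))
```

Each flagged client is a candidate proxy endpoint to pull off the network and inspect; as the statement notes, a hit shows that a scan was attempted, not that anything else on the segment was compromised. Feeding the same watch list into a response-policy zone turns the detection into the mitigation the statement describes, because the scanner cannot reach its infrastructure when resolution fails.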

Synthient, a startup specializing in tracking proxy services and the first to publicly disclose Kimwolf’s unique propagation methods on January 2, 2026, observed an alarming number of IPIDEA proxy endpoints within government and academic institutions globally. Synthient’s analysis detected at least 33,000 affected Internet addresses at universities and colleges, and nearly 8,000 IPIDEA proxies operating within various U.S. and foreign government networks.

In a webinar held on January 16, 2026, experts from the proxy tracking service Spur detailed their investigation into Internet addresses associated with IPIDEA and ten other proxy services believed to be vulnerable to Kimwolf’s exploitation. Spur identified residential proxies present in nearly 300 government-owned and operated networks, 318 utility companies, 166 healthcare organizations or hospitals, and 141 companies within the banking and finance sectors.

Riley Kilmer, Co-Founder of Spur, expressed significant concern regarding the findings, particularly the presence of IPIDEA proxies within U.S. Department of Defense (DoD) networks. "I looked at the 298 [government] owned and operated [networks], and so many of them were DoD, which is kind of terrifying that DoD has IPIDEA and these other proxy services located inside of it," Kilmer stated. "I don’t know how these enterprises have these networks set up. It could be that [infected devices] are segregated on the network, that even if you had local access it doesn’t really mean much. However, it’s something to be aware of. If a device goes in, anything that device has access to the proxy would have access to."

Kilmer further emphasized how Kimwolf exemplifies the rapid escalation of threats stemming from a single residential proxy infection, posing significant risks to organizations that harbor unsecured devices behind their firewalls. Proxy services, he noted, offer attackers a relatively straightforward method to probe other devices within an organization’s local network. "If you know you have [proxy] infections that are located in a company, you can choose that [network] to come out of and then locally pivot," Kilmer explained. "If you have an idea of where to start or look, now you have a foothold in a company or an enterprise based on just that."

This report marks the third installment in a series investigating the Kimwolf botnet. Future installments will delve into the individuals and companies in China connected to the Badbox 2.0 botnet, a collective term for a vast array of Android TV streaming box models that are pre-loaded with residential proxy malware and lack any discernible security or authentication measures.

Further reading on the Kimwolf botnet and related threats is available through the following resources:

  • The Kimwolf Botnet is Stalking Your Local Network
  • Who Benefitted from the Aisuru and Kimwolf Botnets?
  • A Broken System Fueling Botnets (Synthient)