Our initial investigation in early 2026 exposed the alarming spread of Kimwolf, a potent new botnet that had infected over two million devices, primarily through the mass exploitation of numerous unofficial Android TV streaming boxes. This follow-up delves into the digital breadcrumbs left behind, revealing the network operators, hackers, and services that appear to have reaped significant rewards from Kimwolf’s pervasive reach. The threat actor’s infrastructure is intrinsically linked to Aisuru, an earlier iteration of the same botnet, indicating a sustained and evolving malicious operation.

Who Benefited from the Aisuru and Kimwolf Botnets?

On December 17, 2025, the prominent Chinese cybersecurity firm XLab published a comprehensive analysis of Kimwolf. This botnet’s primary functions include forcing infected devices to participate in distributed denial-of-service (DDoS) attacks and to act as relays for illicit internet traffic, serving what are known as "residential proxy" services. These services are often surreptitiously bundled within mobile applications and games, with Kimwolf specifically targeting residential proxy software pre-installed on a staggering array of over a thousand different models of unsanctioned Android TV streaming devices. The malicious traffic routed through these compromised devices is frequently associated with sophisticated operations such as ad fraud, account takeover attempts, and large-scale content scraping. XLab’s researchers unearthed "definitive evidence" indicating that the same cybercriminal actors and the underlying infrastructure were responsible for deploying both Kimwolf and its predecessor, the Aisuru botnet, which also enslaved devices for DDoS attacks and proxy services. The suspicions of shared authorship and operation between Kimwolf and Aisuru, initially formulated in October based on observed code similarities, were definitively confirmed on December 8 when both botnet strains were observed being distributed from the same Internet address: 93.95.112[.]59.

This IP address range, flagged by XLab, is publicly registered to Resi Rack LLC, a company based in Lehi, Utah. Resi Rack’s public-facing website promotes itself as a "Premium Game Server Hosting Provider." However, their advertisements on the online moneymaking forum BlackHatWorld paint a different picture, describing the company as a "Premium Residential Proxy Hosting and Proxy Software Solutions Company." Cassidy Hales, a co-founder of Resi Rack, acknowledged receiving a notification on December 10 regarding Kimwolf’s utilization of their network, stating, "that detailed what was being done by one of our customers leasing our servers." Hales further commented, "When we received this email we took care of this issue immediately. This is something we are very disappointed is now associated with our name and this was not the intention of our company whatsoever." The specific Resi Rack IP address identified by XLab had already come to the attention of KrebsOnSecurity over two weeks prior. Benjamin Brundage, founder of Synthient, a startup that monitors proxy services, reported in late October 2025 that individuals offering proxy services leveraging the Aisuru and Kimwolf botnets were operating from a new Discord server named resi[.]to.

Upon joining the resi[.]to Discord server as an observer in late October, KrebsOnSecurity noted fewer than 150 members. Among these were "Shox," the known alias for Resi Rack co-founder Cassidy Hales, and his business partner "Linus," who did not respond to inquiries. Other members of the resi[.]to Discord server frequently posted new IP addresses responsible for proxying traffic through the Kimwolf botnet. Evidence suggests that the Resi Rack IP address flagged by XLab was actively used by Kimwolf to direct proxy traffic as early as November 24, 2025, and potentially earlier. Synthient’s tracking indicated the use of at least seven static Resi Rack IP addresses connected to Kimwolf’s proxy infrastructure between October and December 2025. Neither of Resi Rack’s co-owners provided responses to further questions. Both have been actively involved in selling proxy services via Discord for approximately two years. Intelligence from the cyber firm Flashpoint reveals that "Shox" and "Linus" spent much of 2024 offering static "ISP proxies," which involved routing internet address blocks from major U.S. Internet Service Providers. However, in February 2025, AT&T announced a policy change, effective July 31, 2025, to cease originating routes for network blocks not owned and managed by AT&T, a move mirrored by other major ISPs. This policy shift prompted "Shox" and "Linus" to inform their customers that they would soon discontinue offering static ISP proxies.

The individual identified as the owner of the resi[.]to Discord server used the abbreviated username "D.," which is believed to be short for the hacker handle "Dort." This moniker, "Dort," was frequently mentioned throughout the Discord communications. The name "Dort" also surfaced in recent conversations KrebsOnSecurity had with "Forky," a Brazilian individual who admitted to marketing the Aisuru botnet at its inception in late 2024. However, Forky vehemently denied any involvement in the massive, record-breaking DDoS attacks in the latter half of 2025 attributed to Aisuru, claiming the botnet had been taken over by rivals by that point. Forky asserts that Dort is a Canadian resident and one of at least two individuals currently controlling the Aisuru/Kimwolf botnet. The other individual identified by Forky as an Aisuru/Kimwolf botmaster is known by the nickname "Snow." On January 2, mere hours after the initial Kimwolf story was published, the historical chat records on resi[.]to were inexplicably erased and replaced with a profanity-laden message directed at Synthient’s founder. Shortly thereafter, the entire server vanished. Later that same day, several active members of the now-defunct resi[.]to Discord server migrated to a Telegram channel. There, they proceeded to publish Brundage’s personal information and expressed frustration over their inability to secure reliable "bulletproof" hosting for their botnet operations. Amusingly, a user named "Richard Remington" briefly appeared on the group’s Telegram server, posting a crude "Happy New Year" sketch claiming Dort and Snow now controlled 3.5 million devices infected by Aisuru and/or Kimwolf. Richard Remington’s Telegram account has since been deleted, but it previously indicated that its owner operated a website catering to DDoS-for-hire or "stresser" services seeking to test their capabilities.

Research from both Synthient and XLab revealed that Kimwolf was instrumental in deploying programs that transformed compromised systems into internet traffic relays for a variety of residential proxy services. One such component integrated a software development kit (SDK) known as ByteConnect, distributed by a provider called Plainproxies. ByteConnect claims to specialize in "monetizing apps ethically and free," while Plainproxies advertises the ability to supply content scraping companies with "unlimited" proxy pools. However, Synthient’s analysis of ByteConnect’s SDK indicated a significant influx of credential-stuffing attacks targeting email servers and popular online platforms. A LinkedIn search identifies Friedrich Kraft as the CEO of Plainproxies and co-founder of ByteConnect Ltd. Public internet routing records show Mr. Kraft also operates a German hosting firm, 3XK Tech GmbH. Mr. Kraft did not respond to repeated interview requests. In July 2025, Cloudflare reported that 3XK Tech (also known as Drei-K-Tech) had become the internet’s largest source of application-layer DDoS attacks. In November 2025, GreyNoise Intelligence identified internet addresses associated with 3XK Tech as responsible for approximately three-quarters of the internet scanning conducted at the time for a newly discovered, critical vulnerability in Palo Alto Networks security products. Julia Levi, also listed as a co-founder of ByteConnect, is identified on LinkedIn as an employee of Plainproxies. Ms. Levi did not respond to requests for comment. Her resume indicates prior employment with two major proxy providers: Netnut Proxy Network and Bright Data. Synthient noted that Plainproxies had also ignored their outreach, and the ByteConnect SDK remains active on devices compromised by Kimwolf.

Synthient’s January 2 report highlighted another proxy provider heavily involved in the sale of Kimwolf proxies: Maskify. This provider currently advertises on multiple cybercrime forums that it offers access to over six million residential internet addresses for rent. Maskify prices its service at a remarkably low rate of 30 cents per gigabyte of data relayed through their proxies, a price point significantly cheaper than any other contemporary proxy provider. Synthient’s research team obtained screenshots from other proxy providers showing key Kimwolf actors attempting to offload proxy bandwidth in exchange for upfront cash. The report suggests this approach likely facilitated early development, with associated members reinvesting earnings into infrastructure and outsourced development tasks. It is important to note that resellers are fully aware of the nature of their offerings; proxies at these price points are not ethically sourced. Maskify did not respond to requests for comment.

Hours after the initial Kimwolf story was published, the resi[.]to Discord server disappeared. Subsequently, Synthient’s website was subjected to a DDoS attack, and the Kimwolf botmasters resorted to doxing Brundage by leveraging their botnet. These harassing messages were disseminated as text records uploaded to the Ethereum Name Service (ENS), a decentralized system built on the Ethereum blockchain. As documented by XLab in mid-December, the Kimwolf operators upgraded their infrastructure to utilize ENS, thereby enhancing their resilience against takedown efforts targeting the botnet’s control servers. By directing infected systems to locate Kimwolf control servers via ENS, even if the servers used by the botmasters are compromised, the attackers can simply update the ENS text record with the new control server address, ensuring infected devices can continue to receive instructions. XLab noted, "This channel itself relies on the decentralized nature of blockchain, unregulated by Ethereum or other blockchain operators, and cannot be blocked." The text records embedded within Kimwolf’s ENS instructions can also contain brief messages, such as those that disseminated Brundage’s personal information. Other ENS text records associated with Kimwolf conveyed a chilling directive: "If flagged, we encourage the TV box to be destroyed. " Both Synthient and XLab confirm that Kimwolf targets a vast number of Android TV streaming box models, all of which possess negligible security protections, and many of which are pre-loaded with proxy malware. Generally, any device capable of receiving a data packet can also be subjected to administrative control. Owners of TV boxes matching the listed models are strongly advised to disconnect them from their networks. Furthermore, if such a device is encountered on a network belonging to a friend or family member, it is crucial to share this information and explain the significant potential for harm and hassle associated with keeping them connected.
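The ENS rendezvous described above has a detectable fingerprint on the defender's side: to read a text record, a client sends an Ethereum JSON-RPC `eth_call` to a resolver contract whose calldata begins with the 4-byte selector of `text(bytes32,string)`, which is `0x59d1d43c` per EIP-634. The page does not list the ENS names or text keys Kimwolf uses, so the hunting rule below, an added example that is not XLab's or Synthient's code, flags the generic pattern instead: any device in a segment that holds only streaming boxes issuing such a call. The subnet, RPC hostnames, the placeholder namehash (not a real Kimwolf name) and the captured JSON-RPC bodies are all constructed; in practice the bodies would come from an egress proxy or TLS-inspecting gateway, which is assumed here. A wallet app on a laptop produces the same call legitimately, which is why the rule keys on network segment rather than on the call alone.

```python
"""Hunt for ENS text-record reads coming from an IoT-only segment (added example)."""
import ipaddress

# 4-byte selector of the ENS resolver function text(bytes32 node, string key), from EIP-634.
ENS_TEXT_SELECTOR = "59d1d43c"

# Constructed: a VLAN that holds only streaming boxes and other IoT devices.
IOT_SUBNET = ipaddress.ip_network("192.168.50.0/24")

# Constructed placeholder namehash; a real ENS node is keccak256-derived from the name.
SAMPLE_NODE = "11" * 32


def decode_text_call(data_hex: str):
    """Decode the ABI-encoded arguments of resolver.text(bytes32,string).

    Returns (node_hex, key) for a text() read, or None for any other calldata.
    ABI layout after the selector: 32-byte node, 32-byte offset to the string
    head, then the string's 32-byte length followed by its bytes (zero-padded).
    """
    data = data_hex[2:] if data_hex.startswith("0x") else data_hex
    if not data.startswith(ENS_TEXT_SELECTOR):
        return None
    raw = bytes.fromhex(data[8:])
    if len(raw) < 96:
        return None
    node = raw[0:32].hex()
    offset = int.from_bytes(raw[32:64], "big")
    if offset + 32 > len(raw):
        return None
    length = int.from_bytes(raw[offset:offset + 32], "big")
    key = raw[offset + 32:offset + 32 + length].decode("utf-8", "replace")
    return node, key


def encode_text_call(node_hex: str, key: str) -> str:
    """ABI-encode a text(bytes32,string) call. Used here only to build sample log records."""
    key_bytes = key.encode()
    padded = key_bytes + b"\x00" * ((32 - len(key_bytes) % 32) % 32)
    body = (bytes.fromhex(node_hex)
            + (0x40).to_bytes(32, "big")
            + len(key_bytes).to_bytes(32, "big")
            + padded)
    return "0x" + ENS_TEXT_SELECTOR + body.hex()


def _rpc(method, params):
    return {"jsonrpc": "2.0", "id": 1, "method": method, "params": params}


RESOLVER = "0x" + "aa" * 20  # constructed resolver address

# Constructed capture of JSON-RPC request bodies seen at the egress proxy.
SAMPLE_LOG = [
    # Laptop on the user VLAN running a wallet: same call, expected, not flagged.
    {"src": "192.168.10.23", "host": "rpc.example.invalid",
     "body": _rpc("eth_call", [{"to": RESOLVER, "data": encode_text_call(SAMPLE_NODE, "url")}, "latest"])},
    # Streaming box in the IoT VLAN reading a text record: flagged.
    {"src": "192.168.50.7", "host": "rpc.example.invalid",
     "body": _rpc("eth_call", [{"to": RESOLVER, "data": encode_text_call(SAMPLE_NODE, "description")}, "latest"])},
    # Streaming box making an unrelated contract call (balanceOf selector): not this rule's business.
    {"src": "192.168.50.9", "host": "rpc.example.invalid",
     "body": _rpc("eth_call", [{"to": RESOLVER, "data": "0x70a08231" + "00" * 32}, "latest"])},
    # Streaming box doing a non-eth_call RPC: ignored.
    {"src": "192.168.50.12", "host": "rpc.example.invalid", "body": _rpc("net_version", [])},
]


def find_ens_text_lookups(log):
    """Return one alert per eth_call that reads an ENS text record from inside IOT_SUBNET."""
    hits = []
    for rec in log:
        body = rec.get("body", {})
        if body.get("method") != "eth_call":
            continue
        params = body.get("params") or []
        if not params or not isinstance(params[0], dict):
            continue
        decoded = decode_text_call(params[0].get("data", ""))
        if decoded is None:
            continue
        if ipaddress.ip_address(rec["src"]) in IOT_SUBNET:
            node, key = decoded
            hits.append({"src": rec["src"], "host": rec["host"], "node": node, "key": key})
    return hits


if __name__ == "__main__":
    for hit in find_ens_text_lookups(SAMPLE_LOG):
        print(f"ALERT {hit['src']} -> {hit['host']} read ENS text key {hit['key']!r} on node {hit['node'][:8]}...")
```

The decoded node and key are worth keeping in the alert: the node is stable across the operators' control-server rotations, so it serves as a pivot for correlating boxes that belong to the same botnet, while the page's own mitigation for a matching device stays the same: disconnect it.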