    Kimwolf Botnet Discovered Lurking in Corporate and Government Networks

By Samuel Alejandro, February 2, 2026

The Kimwolf botnet, a new threat targeting Internet-of-Things (IoT) devices, has reportedly infected more than 2 million systems. The compromised devices are used to launch large-scale distributed denial-of-service (DDoS) attacks and to carry other abusive internet traffic. Of particular concern is Kimwolf's ability to scan the local network of each infected system for further IoT devices to compromise, and recent analyses show that it has reached government and corporate networks far more often than its consumer-device origins would suggest.


Kimwolf grew quickly in late 2025 by abusing "residential proxy" services: it used them to forward malicious commands to devices on the local networks of the proxy endpoints themselves. Residential proxies let customers anonymize their web traffic and make it appear to originate from a chosen geographic area; the larger services route traffic through devices all over the world.

The malware that turns an internet connection into a proxy node is frequently hidden inside mobile apps and games. Once installed, it makes the device carry abusive traffic on the proxy customer's behalf, such as ad fraud, account-takeover attempts and large-scale content scraping.

The botnet focused mainly on IPIDEA, a Chinese service that offers millions of proxy endpoints each week. Kimwolf's operators found a way to route commands through IPIDEA's endpoints into the endpoints' own internal networks, which let them systematically scan for, and infect, other vulnerable devices on each endpoint's LAN.
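The mechanism described above comes down to one missing check: a proxy node that will connect to any destination its customer names will also connect to the node's own LAN. The following is an added illustration, not Kimwolf's code and not any proxy vendor's code; it shows the unhardened forwarding decision next to a hardened one that refuses non-global destinations. The hostnames, the LAN address and the FAKE_DNS table are constructed so the example runs offline.

```python
"""Destination policy for a residential-proxy node (added example).

A node that forwards whatever destination a customer names will happily
connect to its own LAN; the hardened policy below refuses anything that
is not a globally routable unicast address.
"""
import ipaddress
from typing import Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed stand-in for DNS so the example runs offline. A real node
# would use the system resolver; this mapping is invented for the demo.
FAKE_DNS = {
    "example.com": "93.184.216.34",   # an ordinary public destination
    "tvbox.lan": "192.168.1.50",      # a device on the node's own LAN
}


def resolve(host: str) -> Optional[IPAddr]:
    """Return the address for a literal IP or a name in FAKE_DNS, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    ip = FAKE_DNS.get(host.lower().rstrip("."))
    return ipaddress.ip_address(ip) if ip else None


def naive_forward(host: str) -> str:
    """Unhardened node: forwards to anything that resolves, LAN included."""
    ip = resolve(host)
    if ip is None:
        return "refused: unresolvable"
    return f"forwarded to {ip}"


def hardened_forward(host: str) -> str:
    """Hardened node: resolve once, then allow only global unicast.

    Private (RFC 1918), loopback, link-local, CGNAT and documentation
    ranges all fail is_global, and multicast is rejected explicitly, so a
    customer cannot steer the node at 192.168.x.x, 10.x.x.x, fe80::, ::1
    and so on. Connecting to the address that was checked, rather than
    re-resolving the name, also closes the DNS-rebinding window between
    the check and the connect.
    """
    ip = resolve(host)
    if ip is None:
        return "refused: unresolvable"
    if not ip.is_global or ip.is_multicast:
        return f"refused: non-global destination {ip}"
    return f"forwarded to {ip}"


if __name__ == "__main__":
    for target in ("example.com", "tvbox.lan", "192.168.1.50", "127.0.0.1"):
        print(f"{target:15} naive: {naive_forward(target):28} hardened: {hardened_forward(target)}")
```

The same check belongs on the real socket connect, not only on the parsed request, because a customer can supply a literal private address as easily as a name.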

Most of the systems compromised through Kimwolf's local scanning were uncertified Android TV streaming boxes. These run builds of the Android Open Source Project (AOSP) rather than Google-certified Android TV OS, so they get no Play Protect malware screening, and they are commonly sold as a one-time purchase that promises unlimited (often pirated) video from popular streaming services.

Many of these boxes ship with residential proxy software preinstalled. They also tend to lack meaningful security or authentication controls, so anything that can talk to the box directly on the local network can install malware on it.

Although IPIDEA and other affected proxy providers have recently put measures in place to stop threats like Kimwolf from reaching their endpoints (with mixed success, by the reports), the malware persists on millions of already-compromised devices.


Given Kimwolf's close ties to residential proxy networks and cheap Android TV boxes, one would expect few infections in corporate environments. Yet security firm Infoblox reported that an analysis of its customer traffic found nearly 25 percent of its customers had queried a Kimwolf-associated domain name since October 1, 2025, when the botnet first appeared.

    Infoblox observed that the affected customers span various global locations and industry sectors, including education, healthcare, government, and finance.

Infoblox clarified that this means roughly 25% of its customers had at least one device acting as an endpoint of a residential proxy service targeted by Kimwolf. Such a device, perhaps a phone or a laptop, was being used by the threat actor to scan the local network for vulnerable systems. A query therefore signals a scan attempt, not necessarily a new compromise: lateral movement fails if no vulnerable devices are present, or if resolution of the botnet's domains is blocked at the DNS layer.
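The Infoblox finding rests on two things a defender can do with their own resolver logs: spot which internal clients asked for botnet-associated names, and refuse to answer those queries so the scanner cannot fetch its instructions. The block below is an added example, not Infoblox's tooling. The watchlist domains and the resolver log lines are constructed placeholders (the domains are not real Kimwolf indicators); a real deployment would load a vendor threat feed and read the actual resolver log format.

```python
"""Triage resolver logs against a botnet domain watchlist (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed watchlist. These are NOT real Kimwolf indicators.
WATCHLIST: Set[str] = {"c2-placeholder.example", "scan-placeholder.example"}

# Constructed log lines in a simplified BIND-like "client IP#port: query: NAME IN TYPE" shape.
SAMPLE_LOG = """\
01-Feb-2026 10:00:01.123 client 10.0.5.23#51234: query: c2-placeholder.example IN A + (10.0.0.2)
01-Feb-2026 10:00:02.456 client 10.0.5.23#51235: query: www.example.org IN A + (10.0.0.2)
01-Feb-2026 10:00:03.789 client 10.0.9.41#40001: query: update.scan-placeholder.example IN A + (10.0.0.2)
01-Feb-2026 10:00:04.000 client 10.0.7.8#40002: query: mail.example.org IN MX + (10.0.0.2)
01-Feb-2026 10:00:05.000 client 10.0.5.23#51236: query: c2-placeholder.example IN A + (10.0.0.2)
"""

LINE_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def matches_watchlist(qname: str, watchlist: Set[str] = WATCHLIST) -> bool:
    """True if qname is a watchlisted domain or any subdomain of one.

    Walks the label chain so update.scan-placeholder.example is caught by
    an entry for scan-placeholder.example without a wildcard rule.
    """
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in watchlist for i in range(len(labels)))


def rpz_action(qname: str, watchlist: Set[str] = WATCHLIST) -> str:
    """Policy decision a blocking resolver (RPZ-style) would take for a query."""
    return "NXDOMAIN" if matches_watchlist(qname, watchlist) else "resolve"


def triage(log_text: str, watchlist: Set[str] = WATCHLIST) -> Dict[str, List[str]]:
    """Map each querying client IP to the watchlisted names it asked for.

    A client in this map is a scan attempt from a device already acting as
    a proxy endpoint; it is not evidence that anything else on the LAN
    was compromised.
    """
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and matches_watchlist(m["qname"], watchlist):
            hits[m["src"]].append(m["qname"])
    return dict(hits)


if __name__ == "__main__":
    for client, names in triage(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} watchlisted queries -> {sorted(set(names))}")
```

Treat each client in the triage output as a host to pull off the network and inspect; the resolver's NXDOMAIN answer stops the propagation step but leaves the proxy infection itself in place.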

Synthient, a startup that tracks proxy services and was the first to describe Kimwolf's unusual propagation method on January 2, found a troubling number of IPIDEA proxy endpoints inside government and academic institutions worldwide: at least 33,000 affected internet addresses at universities and colleges, and nearly 8,000 IPIDEA proxies inside U.S. and other government networks.


In a January 16 webinar, researchers at the proxy-tracking service Spur examined internet addresses tied to IPIDEA and ten other proxy services thought to be susceptible to Kimwolf's tactics. Spur found residential proxies inside nearly 300 government-owned and operated networks, 318 utility companies, 166 healthcare organizations or hospitals, and 141 banking and finance firms.

Riley Kilmer, co-founder of Spur, said a significant share of the 298 government-owned and operated networks belonged to the U.S. Department of Defense, and that the presence of IPIDEA and similar proxy services inside DoD infrastructure is a concern. Kilmer cautioned that the network configurations of these enterprises are unknown and the infected devices might be segregated, which would limit what local access is worth. Even so, whatever an infected device can reach, a proxy customer can reach too.
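What Synthient and Spur did at internet scale, an organization can do for its own address space: take a feed of proxy endpoint addresses and ask which of them fall inside prefixes you own, and in which zone. The zone matters for exactly the reason Kilmer gives, since a hit on a guest network and a hit among jump hosts are very different exposures. The block below is an added example, not Spur's or Synthient's tooling; the prefix inventory and the feed are constructed (the prefixes come from the RFC 5737 documentation ranges, and the feed entries are not real observed endpoints).

```python
"""Locate proxy-feed addresses inside your own prefixes, by zone (added example)."""
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress._BaseNetwork

# Constructed inventory: the organization's routed prefixes, tagged by zone.
ZONES: Dict[str, List[str]] = {
    "guest-wifi":    ["198.51.100.0/25"],
    "corporate-lan": ["198.51.100.128/25"],
    "server-dmz":    ["203.0.113.0/24"],
    "jump-hosts":    ["203.0.113.240/28"],   # more specific than server-dmz
}

# Constructed stand-in for a proxy-tracking feed; not real observed endpoints.
PROXY_FEED: List[str] = [
    "198.51.100.7", "198.51.100.9", "198.51.100.200",
    "203.0.113.5", "203.0.113.250", "192.0.2.9",
]


def compile_zones(zones: Dict[str, List[str]] = ZONES) -> List[Tuple[IPNet, str]]:
    """Parse prefixes once and order them longest-prefix first.

    Longest-prefix-first ordering makes the first match the most specific
    one, so 203.0.113.250 lands in jump-hosts, not the wider server-dmz.
    """
    nets = [(ipaddress.ip_network(p, strict=True), zone)
            for zone, prefixes in zones.items() for p in prefixes]
    return sorted(nets, key=lambda item: item[0].prefixlen, reverse=True)


def zone_of(ip: str, zones: Dict[str, List[str]] = ZONES) -> Optional[str]:
    """Return the most specific zone containing ip, or None if it is not ours."""
    addr = ipaddress.ip_address(ip)
    for net, zone in compile_zones(zones):
        if addr.version == net.version and addr in net:
            return zone
    return None


def locate_proxies(feed: List[str], zones: Dict[str, List[str]] = ZONES) -> Dict[str, str]:
    """Map each feed address that sits inside our prefixes to its zone."""
    found: Dict[str, str] = {}
    for ip in feed:
        zone = zone_of(ip, zones)
        if zone is not None:
            found[ip] = zone
    return found


def zone_counts(feed: List[str], zones: Dict[str, List[str]] = ZONES) -> Dict[str, int]:
    """How many proxy endpoints sit in each zone, for an exposure summary."""
    return dict(Counter(locate_proxies(feed, zones).values()))


if __name__ == "__main__":
    for ip, zone in locate_proxies(PROXY_FEED).items():
        print(f"proxy endpoint {ip} is inside zone {zone}")
    print("per-zone counts:", zone_counts(PROXY_FEED))
```

A hit in a segregated guest zone supports Kilmer's caveat that the damage may be contained; a hit among servers or jump hosts means a paying proxy customer already has a network position inside that segment.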

Kilmer said Kimwolf shows how a single residential proxy infection can quickly escalate into a much larger problem for any organization that hosts unsecured devices behind its firewall. Proxy services, he added, give attackers a straightforward way to probe other devices on a target's local network.

If an attacker identifies proxy infections within a company, Kilmer explained, they can use that network as an egress point and then pivot locally, gaining a foothold in the organization on the strength of the initial infection alone.
