Kimwolf Android Botnet: Massive Infection of Smart TVs, IoT Devices, and TV Boxes via Exposed ADB and Residential Proxy Networks
- Rescana
- 2 days ago

Executive Summary
The Kimwolf Android botnet represents a significant escalation in the threat landscape for Android-based devices, having infected over 2 million endpoints globally by exploiting exposed Android Debug Bridge (ADB) interfaces and leveraging residential proxy networks. This campaign, first identified by QiAnXin XLab and corroborated by multiple security research teams, demonstrates a sophisticated blend of large-scale automated exploitation, advanced evasion techniques, and aggressive monetization. The botnet’s operators have weaponized a vast array of unofficial Android smart TVs, set-top boxes, and IoT devices, transforming them into nodes for distributed denial-of-service (DDoS) attacks, credential stuffing, and the sale of residential proxy bandwidth. The campaign’s technical complexity, global reach, and rapid evolution underscore the urgent need for robust mitigation strategies across both enterprise and consumer environments.
Threat Actor Profile
While no direct attribution to a known advanced persistent threat (APT) group has been established, the Kimwolf operation exhibits hallmarks of a highly organized and financially motivated cybercriminal enterprise. The infrastructure and tactics bear resemblance to the earlier AISURU botnet, with which Kimwolf shares code and operational overlap. The threat actors behind Kimwolf have demonstrated proficiency in exploiting supply chain weaknesses, particularly through the distribution of malicious or pre-infected software development kits (SDKs) embedded in third-party applications and device firmware. Their monetization model is multifaceted, encompassing DDoS-for-hire services, credential stuffing campaigns, and the aggressive commercialization of residential proxy bandwidth via platforms such as IPIDEA. The campaign’s resilience is further enhanced by the use of blockchain-based command and control (C2) domains and DNS over TLS, complicating takedown efforts and attribution.
Technical Analysis of Malware/TTPs
Kimwolf propagates primarily through exposed ADB interfaces, which are often left enabled and unauthenticated on unofficial Android-based devices, including smart TVs, set-top boxes, and IoT endpoints. The botnet’s infection chain typically begins with large-scale scanning for open ADB ports (TCP/5555), routed through residential proxy networks to obfuscate the origin of the probes and evade IP-based blocking. Upon identifying a vulnerable device, the malware is deployed via ADB shell commands, often leveraging default or absent authentication.
A notable aspect of Kimwolf’s propagation is the suspected pre-infection of devices at the supply chain level. Many affected endpoints appear to have been compromised before reaching end-users, likely through malicious SDKs such as Plainproxies Byteconnect, which are bundled with legitimate applications or firmware by unscrupulous vendors or third-party developers.
Once resident, the Kimwolf payload establishes persistence and opens a local listener on port 40860. It communicates with its C2 infrastructure, including the primary node at 85.234.91[.]247:1337 and a constellation of domains such as 14emeliaterracewestroxburyma02132[.]su, rtrdedge1.samsungcdn[.]cloud, and ENS blockchain domains like pawsatyou[.]eth. C2 communications are encrypted using Stack XOR and authenticated with elliptic curve digital signatures, with DNS over TLS employed to further obfuscate traffic.
The malware is modular, supporting a range of malicious activities. These include launching DDoS attacks (with over 1.7 billion DDoS commands observed in a three-day window), conducting credential stuffing against IMAP and web services, and forcibly installing additional proxy SDKs to monetize device bandwidth. The proxy component leverages 119 relay servers and is tightly integrated with commercial proxy providers, notably IPIDEA, which claims over 6.1 million daily rotating IPs.
Kimwolf’s codebase is under active development, with at least two major versions (v4 and v5) identified. The malware employs advanced evasion techniques, including rapid versioning, low detection rates on public antivirus platforms, and the use of blockchain-based C2 records (via EtherHiding and ENS) to ensure operational continuity.
Exploitation in the Wild
Since at least October 2025, Kimwolf has been observed in active exploitation campaigns targeting a global array of Android-based devices. The infection wave is particularly pronounced in countries with high adoption of unofficial or gray-market Android hardware, including Vietnam, Brazil, India, Saudi Arabia, and the United States. Synthient and QiAnXin XLab have documented up to 12 million unique IP addresses per week associated with the botnet, with over 1.8 million unique devices confirmed infected in a single campaign snapshot.
The botnet’s operators have demonstrated the ability to rapidly scale attacks, leveraging the compromised devices for DDoS campaigns that have set new records in terms of volume and geographic distribution. Credential stuffing attacks have targeted both consumer and enterprise services, exploiting the residential nature of the proxy network to bypass traditional security controls. The aggressive sale of proxy bandwidth, at rates as low as $0.20 per GB or $1,400 per month for unlimited access, has further incentivized the proliferation of the botnet.
Device types most commonly affected include generic TV boxes, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX (Android-based), SmartTV (generic Android), MX10, as well as Android tablets and IoT devices. The infection is not limited to any single vendor, reflecting the widespread use of vulnerable firmware and third-party SDKs in the Android ecosystem.
Victimology and Targeting
Kimwolf’s victimology is shaped by the global distribution of unofficial Android devices and the prevalence of insecure default configurations. The top affected countries are Brazil, India, the United States, Argentina, South Africa, the Philippines, Mexico, China, Thailand, Saudi Arabia, Indonesia, Morocco, Turkey, Iraq, and Pakistan. The campaign targets both consumers and organizations, with a particular focus on residential environments where device security is often lax and network monitoring is minimal.
The botnet’s operators have shown no evidence of nation-state targeting or political motivation; rather, their activities are driven by financial gain. The use of residential proxy networks enables the circumvention of enterprise security controls, making Kimwolf a potent threat to both individual users and organizations that rely on Android-based endpoints.
Mitigation and Countermeasures
Mitigating the Kimwolf threat requires a multi-layered approach. For proxy providers, it is critical to block requests to RFC 1918 (private) address ranges, thereby preventing lateral movement and local network exploitation. Organizations should audit their device inventories for endpoints running unauthenticated ADB shells, disabling ADB where not operationally necessary and enforcing strong authentication where it must remain enabled. Network monitoring should be configured to detect unusual outbound traffic to known Kimwolf C2 domains and proxy SDK endpoints.
End users are advised to avoid purchasing unofficial or gray-market Android devices, which are disproportionately represented among infected endpoints. Regularly reviewing installed applications and monitoring for anomalous network activity can help identify compromised devices. In cases of confirmed infection, a full device wipe or physical destruction may be necessary, as the malware’s persistence mechanisms and supply chain infection vectors complicate remediation.
All stakeholders should share threat intelligence and indicators of compromise (IOCs) with relevant partners to enhance collective detection and response capabilities. The following IOCs are associated with Kimwolf: C2 servers at 85.234.91[.]247:1337, 14emeliaterracewestroxburyma02132[.]su, rtrdedge1.samsungcdn[.]cloud, staging.pproxy1[.]fun, and ENS domain pawsatyou[.]eth; downloader IPs in the range 93.95.112.50-59; process names netd_services and tv_helper; and sample hashes including 18dcf61dad028b9e6f9e4aa664e7ff92, 3e1377869bd6e80e005b71b9e991c060, and others.
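To make the mitigation guidance above and the listed indicators concrete, here is an added example (written for this advisory, not Rescana's own tooling) that does two things: a policy check a proxy exit could apply to refuse RFC 1918 destinations, and a matcher that runs the advisory's IOCs (C2 endpoint and domains, the 93.95.112.50-59 downloader range, the netd_services and tv_helper process names, the sample hashes, and the local listener on 40860) over host telemetry. It also flags a device whose ADB port 5555 was reached from a non-RFC 1918 address, which is the exposure the infection chain depends on. The record format and the telemetry lines are constructed for the example and are not a real log format.

```python
"""Kimwolf IOC matching and proxy egress policy check (added example)."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Indicators quoted in the advisory, with the defanged "[.]" written plainly.
C2_ENDPOINTS = {("85.234.91.247", 1337)}
C2_DOMAINS = {
    "14emeliaterracewestroxburyma02132.su",
    "rtrdedge1.samsungcdn.cloud",
    "staging.pproxy1.fun",
    "pawsatyou.eth",
}
DOWNLOADER_RANGE = {f"93.95.112.{i}" for i in range(50, 60)}  # 93.95.112.50-59
PROCESS_NAMES = {"netd_services", "tv_helper"}
SAMPLE_HASHES = {
    "18dcf61dad028b9e6f9e4aa664e7ff92",
    "3e1377869bd6e80e005b71b9e991c060",
}
LOCAL_LISTENER_PORT = 40860  # listener the payload opens on an infected device
ADB_PORT = 5555              # exposed ADB interface abused for initial access

# RFC 1918 ranges a proxy exit should refuse as destinations.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _rfc1918(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.version == 4 and any(addr in net for net in RFC1918)


def proxy_egress_allowed(dest: str) -> bool:
    """Refuse RFC 1918 destinations at a proxy exit. Loopback and link-local are
    refused too (an assumption beyond the advisory's RFC 1918 wording). Names
    that are not IP literals are refused until resolved and re-checked."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return False
    return not (_rfc1918(dest) or addr.is_loopback or addr.is_link_local)


def _domain_hit(name: str) -> bool:
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def match_record(line: str) -> List[Tuple[str, str]]:
    """Return (host, reason) pairs for one record. Constructed record formats:
      conn <src_ip> <dst_ip> <dst_port> | dns <src_ip> <name>
      proc <src_ip> <process> <md5>    | listen <src_ip> <local_port>"""
    fields = line.split()
    if not fields:
        return []
    kind, hits = fields[0], []
    if kind == "conn" and len(fields) == 4:
        src, dst, port = fields[1], fields[2], int(fields[3])
        if (dst, port) in C2_ENDPOINTS:
            hits.append((src, f"outbound to C2 {dst}:{port}"))
        if dst in DOWNLOADER_RANGE:
            hits.append((src, f"outbound to downloader IP {dst}"))
        # An internal device accepting ADB from outside RFC 1918 space is exposed.
        if port == ADB_PORT and _rfc1918(dst) and not _rfc1918(src):
            hits.append((dst, f"ADB port {ADB_PORT} reached from non-RFC1918 address {src}"))
    elif kind == "dns" and len(fields) == 3 and _domain_hit(fields[2]):
        hits.append((fields[1], f"DNS lookup for C2 domain {fields[2]}"))
    elif kind == "proc" and len(fields) == 4:
        if fields[2] in PROCESS_NAMES:
            hits.append((fields[1], f"known process name {fields[2]}"))
        if fields[3].lower() in SAMPLE_HASHES:
            hits.append((fields[1], f"known sample hash {fields[3]}"))
    elif kind == "listen" and len(fields) == 3 and int(fields[2]) == LOCAL_LISTENER_PORT:
        hits.append((fields[1], f"local listener on port {LOCAL_LISTENER_PORT}"))
    return hits


def scan(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Aggregate indicator hits per host."""
    report = defaultdict(list)
    for line in lines:
        for host, reason in match_record(line):
            report[host].append(reason)
    return dict(report)


SAMPLE_TELEMETRY = [  # constructed for this example
    "conn 192.168.1.50 85.234.91.247 1337",
    "dns 192.168.1.50 rtrdedge1.samsungcdn.cloud",
    "conn 192.168.1.50 93.95.112.57 80",
    "listen 192.168.1.50 40860",
    "proc 192.168.1.50 tv_helper 3e1377869bd6e80e005b71b9e991c060",
    "conn 203.0.113.9 192.168.1.77 5555",
    "conn 192.168.1.20 198.51.100.10 443",
    "dns 192.168.1.20 example.com",
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_TELEMETRY).items():
        print(host, *("  - " + r for r in reasons), sep="\n")
    for dest in ("192.168.1.1", "10.0.0.5", "198.51.100.10"):
        print(dest, "allowed" if proxy_egress_allowed(dest) else "refused")
```

Run against the constructed telemetry, the device at 192.168.1.50 is reported with six reasons and 192.168.1.77 with the exposed-ADB reason alone, while the clean host produces nothing. The egress check deliberately uses an explicit RFC 1918 list rather than Python's `is_private`, which also treats documentation ranges such as 203.0.113.0/24 as private and would mask an external source in the ADB test.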
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify emerging threats, streamline vendor risk assessments, and ensure compliance with industry standards. For more information about how Rescana can help safeguard your organization, or for any questions regarding this advisory, please contact us at ops@rescana.com.