Kimwolf Botnet Hacked 2 Million Devices and Turned Users’ Internet Connections into Proxy Nodes
Security firm Synthient, which discovered the scale of the infection, says most compromised systems are Android TV boxes and digital photo frames sold by third-party merchants on platforms like Amazon, Walmart, and Newegg.
Synthient’s founder, Benjamin Brundage, revealed that Kimwolf spreads through a combination of pre-installed malware and a vulnerability in several residential proxy services.
These proxy networks are often marketed as legal tools for web scraping or anonymized browsing. However, many rely on unsafe devices or apps that silently convert users’ connections into proxy nodes rented out to others.
Brundage explained that Kimwolf's operators abused weak proxy configurations by altering DNS records so that hostnames resolved to private IP addresses in the ranges defined by RFC 1918. Because the proxy exit node resolved and connected on the client's behalf, this trick let them "tunnel" into private home networks sitting behind routers and firewalls, an area once thought safe.
Once inside, Kimwolf scanned for devices with Android Debug Bridge (ADB) enabled; on those devices ADB provided unauthenticated root access, which the botnet used to install additional malware.
Synthient’s investigation linked most infections to IPIDEA, one of the world’s largest proxy providers, with over 100 million advertised endpoints. Researchers found that Kimwolf had leveraged IPIDEA’s network to rebuild itself even after takedowns.
Two-thirds of the affected IPIDEA proxies were unsecured Android devices, primarily those running unofficial firmware.
After being notified by Synthient in December 2025, IPIDEA confirmed a “legacy testing module” had allowed unintended access to local networks. The company said it has since blocked the unsafe paths and restricted DNS resolution for internal IP ranges.
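The DNS-to-RFC-1918 trick described above, and the "restrict DNS resolution for internal IP ranges" fix IPIDEA describes, come down to one egress check on the proxy exit node: resolve the requested hostname, and refuse the connection if any answer lands in a private or local range. The following is an added illustration written for this article, not code from Synthient, IPIDEA or any proxy vendor; it also blocks loopback, link-local and the IPv6 equivalents (an assumption beyond the RFC 1918 ranges the article names) and uses constructed DNS answers so it runs offline.

```python
import ipaddress
from typing import Callable, Iterable, Optional

# Ranges an exit node must never reach on a client's behalf: the RFC 1918
# blocks named in the article, plus loopback, link-local and their IPv6
# counterparts (assumption added here; all of them land on the node's LAN).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_address(addr: str) -> bool:
    """True if addr lies inside the exit node's private/local address space."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 literal (::ffff:192.168.1.1) names the same host as
    # 192.168.1.1; compare its IPv4 form so the mapping cannot dodge the check.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def vet_egress(hostname: str,
               resolver: Callable[[str], Iterable[str]]) -> Optional[list[str]]:
    """Return the addresses the proxy may connect to for hostname, or None.

    The whole name is rejected if even one answer is private: a record that
    mixes a public answer with a private one is the rebinding pattern the
    article describes. The caller must connect to the returned addresses
    rather than re-resolving the name, or a changed later answer would
    bypass the check (time-of-check/time-of-use).
    """
    addrs = list(resolver(hostname) or [])
    if not addrs or any(is_blocked_address(a) for a in addrs):
        return None
    return addrs


# Constructed DNS answers for the demonstration; no real lookups are made.
# In production the resolver would wrap socket.getaddrinfo().
FAKE_DNS = {
    "cdn.example.com": ["203.0.113.10"],
    "rebind.example.net": ["203.0.113.10", "192.168.1.1"],  # private mixed in
    "mapped.example.org": ["::ffff:10.0.0.5"],
}

if __name__ == "__main__":
    for name in FAKE_DNS:
        print(name, "->", vet_egress(name, FAKE_DNS.get))
```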
Researchers also found that infected Android TV boxes shipped from manufacturers with ADB mode turned on by default, effectively leaving them open to remote control. Devices such as the Superbox series and low-cost streaming hardware variants were among the most exploited.
Security firm XLab later confirmed Kimwolf’s global reach, showing infection clusters in India, Brazil, the United States, and Russia. The botnet can quickly reassemble after disruptions, aided by constantly changing IP addresses within residential networks.
Experts warn users to avoid cheap, no-name Android TV boxes and unverified app stores. Legitimate manufacturers disable debug features and provide security updates that counterfeit devices lack.
Synthient has launched an online checker at synthient.com/check that lets users check whether their IP addresses were recorded on Kimwolf-infected systems. Those with affected hardware are urged to disconnect and replace the devices immediately.
Cybersecurity researchers agree: Kimwolf's rise proves that home networks are no longer safe by default, and an exposed, insecure IoT device can turn any user's connection into a cybercriminal's tool.