A fast-spreading malware campaign dubbed Kimwolf has compromised more than two million internet-connected devices worldwide, quietly converting ordinary home internet connections into illegal proxy nodes for cybercriminal activity, security researchers have warned.
The botnet, detected in late 2025, has expanded at an alarming pace and is being used for a range of malicious operations, including online fraud, spam distribution, account takeover attempts and distributed denial-of-service (DDoS) attacks capable of knocking major websites offline for hours.
Primary Targets and Infection Methods
Investigations show that the campaign primarily targets low-cost Android TV boxes and digital photo frames, many of which are sold online with weak or unsafe security settings enabled by default. In several cases, malware was found to be pre-installed at the factory level, exposing users even before devices are switched on for the first time.
Proxy Service Exploitation Explained
Cybersecurity researcher Benjamin Brundage, who uncovered the network while analysing proxy abuse patterns in October 2025, said the botnet exploits a structural weakness in how large residential proxy services operate. According to his findings, attackers were able to bypass safeguards by manipulating DNS configurations, allowing them to tunnel into private home networks through infected proxy endpoints.
A key weakness lay in how some proxy providers handled requests aimed at internal network addresses. Traffic leaving a residential proxy endpoint could be pointed at other devices on that household's own LAN, and nothing in the proxy path demanded authentication, so once attackers had a foothold every device behind the home router became reachable from outside, dramatically widening the attack surface.
ADB Vulnerability and Infection Process
Security analysts say the problem is compounded by the widespread presence of Android Debug Bridge (ADB) being left enabled over the network on unofficial or grey-market streaming devices. With ADB listening and no key authentication configured, anyone who can reach the port, whether on the same network or reaching it indirectly through a proxy endpoint, can attach with a single adb connect command and run arbitrary shell commands on the device, giving near-total control.
The infection process is technically simple but highly effective. Attackers scan for exposed devices with ADB enabled, connect remotely, and instruct the system to download a malware payload from an attacker-controlled web address. A hard-coded passphrase unlocks the installation, after which the device becomes part of the Kimwolf network.
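The exposure that the infection process relies on can be checked from the defender's side. The following is an added example, not code from the article or from the researchers it cites. Rather than calling the adb binary, it speaks the public ADB wire protocol directly (a 24-byte little-endian header followed by a payload, with a session opened by a CNXN message), so it can be pointed at every host on a home LAN and reports whether a device is in the unauthenticated state described above. Port 5555, the conventional port set by adb tcpip, and a plain TCP listener without TLS pairing are assumptions and are labelled as such in the code.

```python
"""Probe for an Android Debug Bridge (ADB) daemon exposed over TCP.

Added example for this article, not the cited researchers' code.
ADB messages are a 24-byte little-endian header (command, arg0, arg1,
data_length, data_checksum, magic) followed by a payload; a client
opens a session with CNXN. The first reply classifies the device:
  CNXN back -> adbd accepted the session with no authentication: anyone
               who can reach the port gets a shell (the grey-market
               TV box state the article describes);
  AUTH back -> adbd is listening but demands RSA key authentication;
  otherwise -> not ADB, or the port is closed/filtered.
"""
import socket
import struct
import sys
from typing import Optional

ADB_PORT = 5555                            # assumption: default port of 'adb tcpip'
HEADER_FMT = "<6I"                         # six little-endian uint32 fields
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes

# A command id is its four ASCII letters read as a little-endian uint32.
A_CNXN = struct.unpack("<I", b"CNXN")[0]   # 0x4e584e43
A_AUTH = struct.unpack("<I", b"AUTH")[0]   # 0x48545541
A_VERSION = 0x01000000                     # protocol version, sent as CNXN arg0
A_MAXDATA = 256 * 1024                     # largest payload we accept, sent as CNXN arg1


def build_message(command: int, arg0: int, arg1: int, data: bytes = b"") -> bytes:
    """Serialise one ADB message. data_checksum is the byte sum of the payload;
    magic is command XOR 0xffffffff, which is how peers detect framing errors."""
    checksum = sum(data) & 0xFFFFFFFF
    header = struct.pack(HEADER_FMT, command, arg0, arg1, len(data), checksum,
                         command ^ 0xFFFFFFFF)
    return header + data


def build_connect() -> bytes:
    """The CNXN handshake a client sends first; 'host::' is the client identity."""
    return build_message(A_CNXN, A_VERSION, A_MAXDATA, b"host::\x00")


def parse_message(raw: bytes) -> Optional[dict]:
    """Decode a message; None if the bytes are not a well-formed ADB header."""
    if len(raw) < HEADER_LEN:
        return None
    command, arg0, arg1, length, _checksum, magic = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    if magic != (command ^ 0xFFFFFFFF):
        return None
    payload = raw[HEADER_LEN:HEADER_LEN + length]
    return {"command": command, "arg0": arg0, "arg1": arg1, "length": length, "payload": payload}


def classify_reply(raw: bytes) -> str:
    """Map the first bytes a listener sends back to one of the states above."""
    msg = parse_message(raw)
    if msg is None:
        return "not-adb"
    if msg["command"] == A_CNXN:
        return "open"            # unauthenticated: 'adb connect' would just work
    if msg["command"] == A_AUTH:
        return "auth-required"   # adbd present, but keyed
    return "unknown"


def device_banner(raw: bytes) -> str:
    """Identity string from an open device's CNXN, e.g. 'device::ro.product.name=...'."""
    msg = parse_message(raw)
    if msg is None or msg["command"] != A_CNXN:
        return ""
    return msg["payload"].split(b"\x00", 1)[0].decode("ascii", "replace")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host: str, port: int = ADB_PORT, timeout: float = 3.0) -> str:
    """Connect, send CNXN and classify the first reply. 'closed' means the TCP
    connection failed or the peer hung up before sending anything."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_connect())
            header = _recv_exact(sock, HEADER_LEN)
            msg = parse_message(header)
            if msg is None:
                return "not-adb" if header else "closed"
            raw = header + _recv_exact(sock, min(msg["length"], A_MAXDATA))
    except OSError:
        return "closed"
    return classify_reply(raw)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: adb_probe.py HOST [HOST ...]")
    for target in sys.argv[1:]:
        print(f"{target}:{ADB_PORT} -> {probe(target)}")
```

A host reported as open is in exactly the state the infection process above relies on: adb connect followed by adb shell succeeds without any prompt, and the payload download is one shell command away. Turning the feature off on the device (adb usb to take adbd out of TCP mode, or disabling USB debugging in the developer settings) changes the result to closed. An auth-required result means adbd is keyed but still reachable from the network and the device should be segmented or firewalled as the recommendations below advise.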
Device Distribution and Traffic Relaying
Data collected during the investigation suggests that nearly two-thirds of infected devices are Android TV boxes, with the rest spread across smart photo frames and a smaller number of mobile phones running hidden proxy applications. Once compromised, devices are forced to relay traffic for criminal operations, masking the true origin of attacks behind unsuspecting household internet connections.
Researchers also flagged the botnet’s unusual resilience. After an attempted disruption temporarily reduced infections to near zero, the network rebounded to roughly two million devices within days. This rapid recovery was achieved by cycling through vast pools of fresh residential proxy endpoints, allowing the malware to re-establish itself faster than defenders could respond.
The operators behind Kimwolf are believed to be monetising the infrastructure in multiple ways — renting proxy bandwidth, selling app-installation services that artificially boost download numbers, and offering DDoS-for-hire capabilities to other criminal groups.
Future Risks and Security Recommendations
Experts warn that the attack model is likely to spread. As residential proxy networks grow and inexpensive smart devices flood the market, attackers are increasingly targeting the intersection of weak hardware security and large-scale proxy access.
Security professionals are urging consumers to avoid uncertified streaming devices, to switch off ADB and any other remote-debugging feature that is not actively needed, and, where the home router allows it, to place smart devices on a separate network segment such as a guest or IoT network so that a compromised box cannot reach laptops, phones and other devices in the house. Regulators and proxy service providers, meanwhile, face mounting pressure to close the architectural gaps that allow home connections to be weaponised without users' knowledge.
Without coordinated action, researchers caution, millions more household devices could be silently absorbed into criminal infrastructure — turning everyday internet access into an invisible tool for global cybercrime.
About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.