The Kimwolf botnet threat is rapidly escalating, with new research revealing its surprising prevalence in government and corporate networks. This Internet-of-Things (IoT) botnet, dubbed Kimwolf, has already infected over 2 million devices, forcing compromised systems to participate in massive distributed denial-of-service (DDoS) attacks and relay other malicious internet traffic. Kimwolf’s ability to scan local networks for other IoT devices makes it a sobering threat to organizations.
Kimwolf’s rapid growth in late 2025 stemmed from exploiting “residential proxy” services, tricking them into relaying malicious commands to devices within the proxies’ local networks. These residential proxies, often bundled with mobile apps and games, anonymize web traffic but also force infected devices to relay malicious activities like ad fraud and account takeovers.
The botnet primarily targets proxies from IPIDEA, a Chinese service with millions of proxy endpoints. Kimwolf operators discovered they could forward malicious commands to IPIDEA proxy endpoints’ internal networks, allowing them to scan and infect other vulnerable devices on each endpoint’s local network.
Many systems compromised are unofficial Android TV streaming boxes, often marketed as a way to access pirated video content. These devices frequently come with residential proxy software pre-installed and lack robust security, making them easy targets for malware.
While IPIDEA and other proxy providers have reportedly taken steps to block Kimwolf, the malware persists on millions of infected devices.
Kimwolf Botnet Threat Spreads Globally
Despite its association with residential proxy networks and compromised Android TV boxes, the Kimwolf botnet threat extends to corporate networks. Infoblox, a security firm, found that nearly 25% of its customers queried a Kimwolf-related domain since October 1, 2025, suggesting at least one device was acting as an endpoint in a residential proxy service targeted by Kimwolf operators.
Infoblox observed affected customers across various industries, including education, healthcare, government, and finance.
“To be clear, this suggests that nearly 25% of customers had at least one device that was an endpoint in a residential proxy service targeted by Kimwolf operators,” Infoblox explained.
Government and Academic Institutions at Risk
Synthient, a proxy service tracking startup, discovered alarming numbers of IPIDEA proxy endpoints within government and academic institutions worldwide. They identified at least 33,000 affected internet addresses at universities and colleges, and nearly 8,000 IPIDEA proxies within various U.S. and foreign government networks.
Potential Impact on Organizations
Spur, another proxy tracking service, profiled internet addresses associated with IPIDEA and other vulnerable proxy services. They found residential proxies in nearly 300 government-owned and operated networks, 318 utility companies, 166 healthcare companies or hospitals, and 141 companies in banking and finance.
Spur Co-Founder Riley Kilmer highlighted the potential risks, particularly the presence of IPIDEA and other proxy services within U.S. Department of Defense (DoD) networks. Even if infected devices are segregated, the potential for local access to the network remains a concern.
Kilmer emphasized how a single residential proxy infection can lead to broader organizational problems, providing attackers with a simple way to probe other devices on a local network.
“If you know you have [proxy] infections that are located in a company, you can chose that [network] to come out of and then locally pivot,” Kilmer said.
The Kimwolf botnet threat underscores the need for organizations to strengthen their network security and address unsecured devices behind their firewalls. The Kimwolf botnet threat is likely to evolve, so staying informed about the Kimwolf botnet threat is vital.
Source: Krebs on Security




