2M Devices at Risk as Kimwolf Botnet Abuses Proxy Networks

The Kimwolf botnet is abusing residential proxies to spread through consumer devices, putting roughly two million systems at risk worldwide.

Written by Ken Underhill
Jan 7, 2026

A fast-growing botnet called Kimwolf is abusing residential proxy networks to turn everyday consumer devices into gateways for large-scale attacks on the local networks behind them.

Researchers estimate the botnet has already infected more than two million devices worldwide, enabling DDoS attacks, ad fraud, account takeover attempts, and mass content scraping.

“It is possible to circumvent existing domain restrictions by using DNS records that point to 192.168.0.1 or 0.0.0.0,” said security researcher Benjamin Brundage.

He added, “This grants an attacker the ability to send carefully crafted requests to the current device or a device on the local network.”

“Kimwolf is a clear example of how lateral movement inside residential proxy software can turn a single exposed device into a launch point for much broader compromise,” said Riley Kilmer, co-founder of Spur.

She added, “When attackers move beyond accessing just localhost and begin probing the broader local network, they gain a foothold in millions of networks where residential proxies are already present.”

How Kimwolf Spreads Through Proxy Networks

Kimwolf’s spread hinges on two compounding technical failures.

The first involves residential proxy services, which allow customers to route traffic through consumer devices so that it appears to originate from a local, residential address.

While most providers attempt to block access to the private IP ranges defined in RFC 1918, Kimwolf operators discovered they could bypass these controls by pointing attacker-controlled DNS records at internal addresses such as 192[.]168[.]0[.]1, or at the unspecified address 0[.]0[.]0[.]0, which most network stacks treat as the local host. A filter that only inspects the requested hostname, rather than the address it resolves to, never sees the private destination.
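The defensive counterpart to this bypass is to filter on the resolved address rather than the hostname, and to treat 0.0.0.0, loopback, link-local and IPv4-mapped IPv6 as off-limits alongside RFC 1918. The following is an added example, not code from any proxy provider or from the researchers cited here; the resolver is a constructed lookup table so it runs offline, and the hostnames in it are invented.

```python
import ipaddress
from typing import Callable, Iterable

# Destinations a residential-proxy egress must never reach. RFC 1918 alone is
# not enough: the bypass described above also uses 0.0.0.0 and loopback, and
# IPv4-mapped IPv6 can smuggle a private IPv4 address past a v4-only check.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",      # "this host", loopback, link-local
    "100.64.0.0/10",                                   # carrier-grade NAT
    "::/128", "::1/128", "fc00::/7", "fe80::/10",      # IPv6 unspecified, loopback, ULA, link-local
)]


def is_blocked_address(addr: str) -> bool:
    """True if the address lies in any blocked range (raises ValueError if not an IP)."""
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:a.b.c.d so it is judged as the IPv4 address it really targets.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def egress_allowed(host: str, resolve: Callable[[str], Iterable[str]]) -> bool:
    """Permit a proxied request only if the literal IP, or every address the
    hostname resolves to, is outside the blocked ranges. The proxy must then
    connect to the vetted address itself, not re-resolve the name, or a
    second lookup can return a different (private) answer."""
    try:
        return not is_blocked_address(host)   # request carried an IP literal
    except ValueError:
        pass                                  # hostname: resolve and vet every answer
    addrs = list(resolve(host))
    if not addrs:
        return False                          # unresolvable: fail closed
    return not any(is_blocked_address(a) for a in addrs)


# Constructed stand-in for DNS (hypothetical names, example addresses).
FAKE_DNS = {
    "site.example": ["203.0.113.10"],
    "rebind.attacker.example": ["192.168.0.1"],                # record pointed at the LAN gateway
    "zero.attacker.example": ["0.0.0.0"],                      # record pointed at "this host"
    "mapped.attacker.example": ["::ffff:10.0.0.5"],            # IPv4-mapped private address
    "mixed.attacker.example": ["203.0.113.10", "192.168.1.1"],  # one public, one private answer
}


def fake_resolve(host: str) -> Iterable[str]:
    return FAKE_DNS.get(host, [])
```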

Once attackers gain internal network access, the second weakness comes into play: Android Debug Bridge (ADB).

Many unsanctioned Android TV boxes and similar devices ship with ADB enabled by default.

ADB listens on TCP port 5555 and accepts unauthenticated connections, allowing attackers to gain administrative control of the device with a single command.

From there, Kimwolf can spread laterally, installing malware on every reachable device on the same network.

Notably, researchers found a tight correlation between Kimwolf infections and IP addresses leased through IPIDEA, one of the world’s largest residential proxy providers.

Although IPIDEA says it patched the issue, researchers observed Kimwolf rapidly rebuilding from near zero to millions of infections by continuing to exploit proxy infrastructure.


Limiting Lateral Movement in Trusted Networks

Threats like the Kimwolf botnet show how easily attackers can abuse consumer-grade devices and trusted network paths to bypass traditional security controls.

By combining device hygiene, network segmentation, and improved visibility, organizations can reduce the risk of proxy abuse and lateral compromise.

  • Eliminate high-risk devices from trusted networks by avoiding no-name connected hardware and keeping unmanaged or consumer-grade devices off corporate networks.
  • Segment and control network access using VLANs, guest networks, or zero-trust controls so that edge and IoT devices cannot reach each other or internal systems.
  • Block residential proxy and abuse-related traffic by identifying known proxy services, restricting high-risk egress destinations, and monitoring for proxy-like behavior.
  • Reduce the internal attack surface by disabling unnecessary management interfaces, blocking debug ports such as ADB on TCP/5555, and hardening device configurations.
  • Strengthen network and DNS security by keeping routers and firmware updated, enforcing secure DNS settings, and preventing unauthorized configuration changes.
  • Improve visibility and preparedness through continuous asset discovery, anomaly detection, user education, and the ability to rapidly isolate suspicious devices.

Together, these measures let organizations assume compromise and limit the blast radius when it happens.


Attackers Are Shifting Inside the Perimeter

Kimwolf reflects a broader shift in attacker strategy away from directly breaching hardened enterprise perimeters and toward abusing trusted infrastructure and consumer-grade devices that sit just outside traditional security controls.

Similar patterns have emerged in other botnets such as BADBOX and earlier residential proxy services like 911S5, which enabled large-scale fraud and internal network access before ultimately being dismantled by law enforcement and industry action.

As networks become more decentralized, hybrid, and reliant on unmanaged endpoints, the line between “internal” and “external” threats continues to blur.

Botnets like Kimwolf show how attackers can weaponize convenience, low-cost hardware, and implicit trust in local networks to bypass defenses that were never designed for environments where the weakest link may already be inside the perimeter.

As attacks increasingly originate from trusted devices and networks rather than the open internet, security models built on implicit trust are breaking down — making zero-trust architectures a practical necessity.

About the author: Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
