Kimwolf botnet expands through residential proxy abuse
Malware Activity
Summary
Hide ▲
Show ▼
The Kimwolf IoT botnet continues to expand through abuse of residential proxy services such as IPIDEA, which it uses to relay malicious traffic, scan local networks, and support DDoS attacks. Recent reporting shows the campaign became more visible across government, education, healthcare, finance, utilities, and defense-related networks worldwide, with activity observed since October 1, 2025 and a broader footprint than a narrow consumer-device problem. Google and partners have now taken coordinated action against IPIDEA, including court action on command domains and Google Play Protect enforcement on certified Android devices. The disruption reportedly reduced available proxy devices by millions and reflects the ongoing effort to curb the botnet’s reliance on abused proxy infrastructure.
Related Happenings
FBI seizure of NetNut proxy domains
Law Enforcement
H score33
First: 03.07.2026 12:35
Last: 03.07.2026 12:35
Sources 1
About this happening:
The **FBI** seized **NetNut** domains in a law-enforcement takedown of proxy infrastructure abused for **cybercrime**, disrupting a network that routed malicious traffic through r...
FBI seizure of NetNut proxy domains
Law EnforcementAbout this happening: The **FBI** seized **NetNut** domains in a law-enforcement takedown of proxy infrastructure abused for **cybercrime**, disrupting a network that routed malicious traffic through r...
FBI seizes NetNut and Popa botnet domains
Law Enforcement
H score34
First: 02.07.2026 22:27
Last: 02.07.2026 22:27
Sources 1
About this happening:
The **FBI** seized **hundreds of domains** tied to **NetNut** and the **Popa botnet**, disrupting infrastructure used for **abusive traffic** and **account-takeover activity**. Th...
FBI seizes NetNut and Popa botnet domains
Law EnforcementAbout this happening: The **FBI** seized **hundreds of domains** tied to **NetNut** and the **Popa botnet**, disrupting infrastructure used for **abusive traffic** and **account-takeover activity**. Th...
AryStinger legacy-router reconnaissance and proxy network
Malware Activity
H score61
First: 22.06.2026 09:57
Last: 22.06.2026 09:57
Sources 1
About this happening:
The **AryStinger** malware family is building a **distributed reconnaissance and proxy network** from legacy routers and NAS appliances, expanding a covert relay layer that helps...
AryStinger legacy-router reconnaissance and proxy network
Malware ActivityAbout this happening: The **AryStinger** malware family is building a **distributed reconnaissance and proxy network** from legacy routers and NAS appliances, expanding a covert relay layer that helps...
AryStinger botnet turns outdated routers into proxy executors
Malware Activity
H score60
First: 21.06.2026 17:14
Last: 21.06.2026 17:14
Sources 1
About this happening:
The **AryStinger** botnet is **compromising more than 4,000 outdated routers** and converting them into **proxy executors** for malicious traffic, expanding attacker reach and int...
AryStinger botnet turns outdated routers into proxy executors
Malware ActivityAbout this happening: The **AryStinger** botnet is **compromising more than 4,000 outdated routers** and converting them into **proxy executors** for malicious traffic, expanding attacker reach and int...
Popa botnet forcing consumer TV boxes to relay traffic
Malware Activity
H score76
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Popa botnet forcing consumer TV boxes to relay traffic
Malware ActivityAbout this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Latest development: 03.07.2026 12:35
Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.
Timeline
-
29.01.2026 19:15 1 articles · 5mo ago
Google disrupts IPIDEA proxy network used by Kimwolf
Legal Policy Action UpdateGoogle Threat Intelligence Group and partners coordinated court action and technical enforcement to disrupt IPIDEA, a residential proxy network whose SDKs were used to enroll devices into Kimwolf and other botnets. Google said it took down domains used to command infected devices and manage proxy traffic, and Google Play Protect now alerts users, removes apps containing IPIDEA SDKs, and blocks future installation attempts on certified Android devices.
Show sources
- Google Disrupts Extensive Residential Proxy Networks — www.infosecurity-magazine.com — 29.01.2026 19:15
-
20.01.2026 20:19 1 articles · 5mo ago
Kimwolf footprint widens across government and corporate networks
Campaign Scope UpdateInfoblox found nearly 25% of customers had at least one device that queried a Kimwolf-related domain since October 1, 2025, indicating that a proxy endpoint inside the customer environment had been targeted by Kimwolf operators. Synthient said IPIDEA proxy endpoints were present at universities, colleges, and U.S. and foreign government networks, while Spur found residential proxies in nearly 300 government owned and operated networks, 318 utility companies, 166 healthcare companies or hospitals, and 141 banking and finance companies.
Show sources
- Kimwolf Botnet Lurking in Corporate, Govt. Networks — krebsonsecurity.com — 20.01.2026 20:19
-
09.01.2026 01:23 2 articles · 6mo ago
Kimwolf links extend to Aisuru and Resi Rack proxy infrastructure
Attribution UpdateXLab tied Kimwolf and Aisuru to the same authors and operators after witnessing both botnet strains distributed from 93.95.112[.]59 on December 8, and Synthient tracked at least seven static Resi Rack IP addresses supporting Kimwolf proxy infrastructure between October and December 2025.
Show sources
- Who Benefited from the Aisuru and Kimwolf Botnets? — krebsonsecurity.com — 09.01.2026 01:23
- Who is the Kimwolf Botmaster “Dort”? — krebsonsecurity.com — 28.02.2026 14:01
-
02.01.2026 16:20 2 articles · 6mo ago
Kimwolf botnet expands through residential proxy abuse
Initial DisclosureKimwolf first surfaced as a fast-growing **Android-based botnet** that could use proxy endpoints to reach into local home networks. Early infections concentrated on insecure consumer devices that were easy to repurpose as proxy nodes.
Show sources
- The Kimwolf Botnet is Stalking Your Local Network — krebsonsecurity.com — 02.01.2026 16:20
- The Kimwolf Botnet is Stalking Your Local Network — krebsonsecurity.com — 02.01.2026 16:20