Find notable cyber news and cases, enriched with sources, timelines, and signals.

Kimwolf botnet expands through residential proxy abuse

Malware Activity
First reported
Last updated
Happening score
H score 65
2 unique sources, 5 articles

Summary

Hide ▲

The Kimwolf IoT botnet continues to expand through abuse of residential proxy services such as IPIDEA, which it uses to relay malicious traffic, scan local networks, and support DDoS attacks. Recent reporting shows the campaign became more visible across government, education, healthcare, finance, utilities, and defense-related networks worldwide, with activity observed since October 1, 2025 and a broader footprint than a narrow consumer-device problem. Google and partners have now taken coordinated action against IPIDEA, including court action on command domains and Google Play Protect enforcement on certified Android devices. The disruption reportedly reduced available proxy devices by millions and reflects the ongoing effort to curb the botnet’s reliance on abused proxy infrastructure.

Related Happenings

FBI seizure of NetNut proxy domains

Law Enforcement
H score33 First: 03.07.2026 12:35 Last: 03.07.2026 12:35 Sources 1

About this happening: The **FBI** seized **NetNut** domains in a law-enforcement takedown of proxy infrastructure abused for **cybercrime**, disrupting a network that routed malicious traffic through r...

FBI seizes NetNut and Popa botnet domains

Law Enforcement
H score34 First: 02.07.2026 22:27 Last: 02.07.2026 22:27 Sources 1

About this happening: The **FBI** seized **hundreds of domains** tied to **NetNut** and the **Popa botnet**, disrupting infrastructure used for **abusive traffic** and **account-takeover activity**. Th...

AryStinger legacy-router reconnaissance and proxy network

Malware Activity
H score61 First: 22.06.2026 09:57 Last: 22.06.2026 09:57 Sources 1

About this happening: The **AryStinger** malware family is building a **distributed reconnaissance and proxy network** from legacy routers and NAS appliances, expanding a covert relay layer that helps...

AryStinger botnet turns outdated routers into proxy executors

Malware Activity
H score60 First: 21.06.2026 17:14 Last: 21.06.2026 17:14 Sources 1

About this happening: The **AryStinger** botnet is **compromising more than 4,000 outdated routers** and converting them into **proxy executors** for malicious traffic, expanding attacker reach and int...

Popa botnet forcing consumer TV boxes to relay traffic

Malware Activity
H score76 First: 18.06.2026 20:37 Last: 18.06.2026 20:37 Sources 1

About this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...

Latest development: 03.07.2026 12:35

Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.

Timeline

  1. 29.01.2026 19:15 1 articles · 5mo ago

    Google disrupts IPIDEA proxy network used by Kimwolf

    Legal Policy Action Update

    Google Threat Intelligence Group and partners coordinated court action and technical enforcement to disrupt IPIDEA, a residential proxy network whose SDKs were used to enroll devices into Kimwolf and other botnets. Google said it took down domains used to command infected devices and manage proxy traffic, and Google Play Protect now alerts users, removes apps containing IPIDEA SDKs, and blocks future installation attempts on certified Android devices.

    Show sources
  2. 20.01.2026 20:19 1 articles · 5mo ago

    Kimwolf footprint widens across government and corporate networks

    Campaign Scope Update

    Infoblox found nearly 25% of customers had at least one device that queried a Kimwolf-related domain since October 1, 2025, indicating that a proxy endpoint inside the customer environment had been targeted by Kimwolf operators. Synthient said IPIDEA proxy endpoints were present at universities, colleges, and U.S. and foreign government networks, while Spur found residential proxies in nearly 300 government owned and operated networks, 318 utility companies, 166 healthcare companies or hospitals, and 141 banking and finance companies.

    Show sources
  3. 09.01.2026 01:23 2 articles · 6mo ago

    Kimwolf links extend to Aisuru and Resi Rack proxy infrastructure

    Attribution Update

    XLab tied Kimwolf and Aisuru to the same authors and operators after witnessing both botnet strains distributed from 93.95.112[.]59 on December 8, and Synthient tracked at least seven static Resi Rack IP addresses supporting Kimwolf proxy infrastructure between October and December 2025.

    Show sources
  4. 02.01.2026 16:20 2 articles · 6mo ago

    Kimwolf botnet expands through residential proxy abuse

    Initial Disclosure

    Kimwolf first surfaced as a fast-growing **Android-based botnet** that could use proxy endpoints to reach into local home networks. Early infections concentrated on insecure consumer devices that were easy to repurpose as proxy nodes.

    Show sources