
Kimwolf botnet expands through residential proxy abuse

Malware Activity
Happening score: 36
2 unique sources, 5 articles

Summary


The Kimwolf IoT botnet continues to expand through abuse of residential proxy services such as IPIDEA, which it uses to relay malicious traffic, scan local networks, and support DDoS attacks. Recent reporting shows the campaign became more visible across government, education, healthcare, finance, utilities, and defense-related networks worldwide, with activity observed since October 1, 2025 and a broader footprint than a narrow consumer-device problem. Google and partners have now taken coordinated action against IPIDEA, including court action on command domains and Google Play Protect enforcement on certified Android devices. The disruption reportedly reduced available proxy devices by millions and reflects the ongoing effort to curb the botnet’s reliance on abused proxy infrastructure.

Related Happenings

Kimwolf operators build a cybercrime-as-a-service DDoS access market

Threat Actor Meta
First: 22.05.2026 11:50 Last: 22.05.2026 11:50 Sources 1

About this happening: The **Kimwolf** operators ran a **cybercrime-as-a-service** market that sold access to infected devices, widening **DDoS-for-hire** abuse. The model turned compromised **digital p...

TrickMo Android banking trojan variant with TON C2 and network pivots

Malware Activity
First: 12.05.2026 15:50 Last: 12.05.2026 15:50 Sources 1

About this happening: A new **TrickMo** Android banking trojan variant now uses **The Open Network (TON)** for C2, turning infected phones into **network pivots** and **traffic-exit nodes**. It was obs...

CallPhantom Google Play fraud campaign targeting Android users in India and Asia-Pacific

Campaign
First: 08.05.2026 18:08 Last: 08.05.2026 18:08 Sources 1

About this happening: The **CallPhantom** fraud campaign pushed **28 fake call-history Android apps** through the **Google Play Store**, causing **financial loss** for users who paid for fabricated dat...

Xlabs_v1 Mirai-derived ADB DDoS botnet

Malware Activity
First: 06.05.2026 23:21 Last: 06.05.2026 23:21 Sources 1

About this happening: The **xlabs_v1** Mirai-derived botnet has been exposed as a **DDoS** tool that abuses **Android Debug Bridge (ADB)** on internet-facing devices, expanding risk to **Android**, rou...

NCSC-UK joint advisory on covert botnets and proxy networks

Public Sector Action
First: 23.04.2026 15:28 Last: 23.04.2026 15:28 Sources 1

About this happening: **NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...

Timeline

  1. 29.01.2026 19:15 1 article · 3mo ago

    Google disrupts IPIDEA proxy network used by Kimwolf

    Legal Policy Action Update

    Google Threat Intelligence Group and partners coordinated court action and technical enforcement to disrupt IPIDEA, a residential proxy network whose SDKs were used to enroll devices into Kimwolf and other botnets. Google said it took down domains used to command infected devices and manage proxy traffic, and Google Play Protect now alerts users, removes apps containing IPIDEA SDKs, and blocks future installation attempts on certified Android devices.

  2. 20.01.2026 20:19 1 article · 4mo ago

    Kimwolf footprint widens across government and corporate networks

    Campaign Scope Update

    Infoblox found that nearly 25% of its customers had at least one device that queried a Kimwolf-related domain since October 1, 2025, indicating that a proxy endpoint inside the customer environment had been targeted by Kimwolf operators. Synthient said IPIDEA proxy endpoints were present at universities, colleges, and U.S. and foreign government networks, while Spur found residential proxies in nearly 300 government-owned and -operated networks, 318 utility companies, 166 healthcare companies or hospitals, and 141 banking and finance companies.

  3. 09.01.2026 01:23 2 articles · 4mo ago

    Kimwolf links extend to Aisuru and Resi Rack proxy infrastructure

    Attribution Update

    XLab tied Kimwolf and Aisuru to the same authors and operators after witnessing both botnet strains distributed from 93.95.112[.]59 on December 8, and Synthient tracked at least seven static Resi Rack IP addresses supporting Kimwolf proxy infrastructure between October and December 2025.

  4. 02.01.2026 16:20 2 articles · 4mo ago

    Kimwolf botnet expands through residential proxy abuse

    Initial Disclosure

    Kimwolf first surfaced as a fast-growing **Android-based botnet** that could use proxy endpoints to reach into local home networks. Early infections concentrated on insecure consumer devices that were easy to repurpose as proxy nodes.
