Kimwolf Android botnet expands proxy-relay operations to over 2 million devices
Malware Activity
Summary
Hide ▲
Show ▼
The Kimwolf Android botnet continued to evolve as a proxy-relay and DDoS operation built on more than 2 million infected devices, with abuse of exposed ADB services and residential proxy networks. New reporting says the US Justice Department arrested Canadian man Jacob Butler in Canada for allegedly operating the botnet, charging him with aiding and abetting computer intrusion and seeking extradition. The botnet has been tied to record-breaking DDoS activity, including attacks around 31.4 Tbps, and the broader law-enforcement response has also disrupted related DDoS-for-hire infrastructure.
Related Happenings
FBI seizure of NetNut proxy domains
Law Enforcement
H score33
First: 03.07.2026 12:35
Last: 03.07.2026 12:35
Sources 1
About this happening:
The **FBI** seized **NetNut** domains in a law-enforcement takedown of proxy infrastructure abused for **cybercrime**, disrupting a network that routed malicious traffic through r...
FBI seizure of NetNut proxy domains
Law EnforcementAbout this happening: The **FBI** seized **NetNut** domains in a law-enforcement takedown of proxy infrastructure abused for **cybercrime**, disrupting a network that routed malicious traffic through r...
FBI seizes NetNut and Popa botnet domains
Law Enforcement
H score34
First: 02.07.2026 22:27
Last: 02.07.2026 22:27
Sources 1
About this happening:
The **FBI** seized **hundreds of domains** tied to **NetNut** and the **Popa botnet**, disrupting infrastructure used for **abusive traffic** and **account-takeover activity**. Th...
FBI seizes NetNut and Popa botnet domains
Law EnforcementAbout this happening: The **FBI** seized **hundreds of domains** tied to **NetNut** and the **Popa botnet**, disrupting infrastructure used for **abusive traffic** and **account-takeover activity**. Th...
RustDuck DDoS botnet activity targeting routers and servers
Malware Activity
H score27
First: 30.06.2026 20:45
Last: 30.06.2026 20:45
Sources 1
About this happening:
The **RustDuck** malware family is **hijacking routers, cameras, Android boxes, and servers** to assemble a **DDoS botnet** that can flood targets and knock websites and online se...
RustDuck DDoS botnet activity targeting routers and servers
Malware ActivityAbout this happening: The **RustDuck** malware family is **hijacking routers, cameras, Android boxes, and servers** to assemble a **DDoS botnet** that can flood targets and knock websites and online se...
Popa botnet forcing consumer TV boxes to relay traffic
Malware Activity
H score76
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Popa botnet forcing consumer TV boxes to relay traffic
Malware ActivityAbout this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Latest development: 03.07.2026 12:35
Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.
Kimwolf operators build a cybercrime-as-a-service DDoS access market
Threat Actor Meta
H score24
First: 22.05.2026 11:50
Last: 22.05.2026 11:50
Sources 1
About this happening:
The **Kimwolf** operators ran a **cybercrime-as-a-service** market that sold access to infected devices, widening **DDoS-for-hire** abuse. The model turned compromised **digital p...
Kimwolf operators build a cybercrime-as-a-service DDoS access market
Threat Actor MetaAbout this happening: The **Kimwolf** operators ran a **cybercrime-as-a-service** market that sold access to infected devices, widening **DDoS-for-hire** abuse. The model turned compromised **digital p...
Timeline
-
20.03.2026 08:25 2 articles · 3mo ago
DoJ disrupts Kimwolf C2 infrastructure
Legal Policy Action UpdateThe U.S. Department of Justice announced a court-authorized law-enforcement operation that disrupted command-and-control (C2) infrastructure used by the IoT botnets AISURU, Kimwolf, JackSkid, and Mossad, with assistance from Canada, Germany, and private sector firms including Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab. The botnets were linked to distributed denial-of-service (DDoS) attacks targeting victims worldwide and to more than 2 million Android devices, while the four botnets were estimated to have infected no less than 3 million devices worldwide.
Show sources
- DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks — thehackernews.com — 20.03.2026 08:25
- Canadian Man Arrested for Operating Kimwolf Botnet — www.securityweek.com — 22.05.2026 15:11
-
14.01.2026 21:03 1 articles · 5mo ago
Black Lotus Labs reports null-routing of more than 550 AISURU/Kimwolf C2 nodes
Technical Analysis UpdateBlack Lotus Labs said it null-routed traffic to more than 550 AISURU/Kimwolf C2 nodes and linked the botnet infrastructure to residential proxy abuse, exposed ADB propagation, and vulnerable proxy-service scanning. The report also described a 300% surge in new Kimwolf bots in early October 2025 and scanning of PYPROXY and other services between October 20, 2025, and November 6, 2025.
Show sources
- Researchers Null-Route Over 550 Kimwolf and Aisuru Botnet Command Servers — thehackernews.com — 14.01.2026 21:03
-
05.01.2026 18:41 2 articles · 6mo ago
Kimwolf Android botnet expands proxy-relay operations to over 2 million devices
Initial DisclosureKimwolf first emerged as an Android botnet tied to **AISURU** and began spreading through **exposed ADB** services. Early operations focused on turning infected devices into a **residential proxy** and **DDoS** relay network.
Show sources
- Kimwolf Android Botnet Infects Over 2 Million Devices via Exposed ADB and Proxy Networks — thehackernews.com — 05.01.2026 18:41
- Kimwolf Android Botnet Infects Over 2 Million Devices via Exposed ADB and Proxy Networks — thehackernews.com — 05.01.2026 18:41