Find notable cyber news and cases, enriched with sources, timelines, and signals.

Kimwolf Android botnet expands proxy-relay operations to over 2 million devices

Malware Activity
First reported
Last updated
Happening score
H score 57
2 unique sources, 4 articles

Summary

Hide ▲

The Kimwolf Android botnet continued to evolve as a proxy-relay and DDoS operation built on more than 2 million infected devices, with abuse of exposed ADB services and residential proxy networks. New reporting says the US Justice Department arrested Canadian man Jacob Butler in Canada for allegedly operating the botnet, charging him with aiding and abetting computer intrusion and seeking extradition. The botnet has been tied to record-breaking DDoS activity, including attacks around 31.4 Tbps, and the broader law-enforcement response has also disrupted related DDoS-for-hire infrastructure.

Related Happenings

FBI seizure of NetNut proxy domains

Law Enforcement
H score33 First: 03.07.2026 12:35 Last: 03.07.2026 12:35 Sources 1

About this happening: The **FBI** seized **NetNut** domains in a law-enforcement takedown of proxy infrastructure abused for **cybercrime**, disrupting a network that routed malicious traffic through r...

FBI seizes NetNut and Popa botnet domains

Law Enforcement
H score34 First: 02.07.2026 22:27 Last: 02.07.2026 22:27 Sources 1

About this happening: The **FBI** seized **hundreds of domains** tied to **NetNut** and the **Popa botnet**, disrupting infrastructure used for **abusive traffic** and **account-takeover activity**. Th...

RustDuck DDoS botnet activity targeting routers and servers

Malware Activity
H score27 First: 30.06.2026 20:45 Last: 30.06.2026 20:45 Sources 1

About this happening: The **RustDuck** malware family is **hijacking routers, cameras, Android boxes, and servers** to assemble a **DDoS botnet** that can flood targets and knock websites and online se...

Popa botnet forcing consumer TV boxes to relay traffic

Malware Activity
H score76 First: 18.06.2026 20:37 Last: 18.06.2026 20:37 Sources 1

About this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...

Latest development: 03.07.2026 12:35

Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.

Kimwolf operators build a cybercrime-as-a-service DDoS access market

Threat Actor Meta
H score24 First: 22.05.2026 11:50 Last: 22.05.2026 11:50 Sources 1

About this happening: The **Kimwolf** operators ran a **cybercrime-as-a-service** market that sold access to infected devices, widening **DDoS-for-hire** abuse. The model turned compromised **digital p...

Timeline

  1. 20.03.2026 08:25 2 articles · 3mo ago

    DoJ disrupts Kimwolf C2 infrastructure

    Legal Policy Action Update

    The U.S. Department of Justice announced a court-authorized law-enforcement operation that disrupted command-and-control (C2) infrastructure used by the IoT botnets AISURU, Kimwolf, JackSkid, and Mossad, with assistance from Canada, Germany, and private sector firms including Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab. The botnets were linked to distributed denial-of-service (DDoS) attacks targeting victims worldwide and to more than 2 million Android devices, while the four botnets were estimated to have infected no less than 3 million devices worldwide.

    Show sources
  2. 14.01.2026 21:03 1 articles · 5mo ago

    Black Lotus Labs reports null-routing of more than 550 AISURU/Kimwolf C2 nodes

    Technical Analysis Update

    Black Lotus Labs said it null-routed traffic to more than 550 AISURU/Kimwolf C2 nodes and linked the botnet infrastructure to residential proxy abuse, exposed ADB propagation, and vulnerable proxy-service scanning. The report also described a 300% surge in new Kimwolf bots in early October 2025 and scanning of PYPROXY and other services between October 20, 2025, and November 6, 2025.

    Show sources
  3. 05.01.2026 18:41 2 articles · 6mo ago

    Kimwolf Android botnet expands proxy-relay operations to over 2 million devices

    Initial Disclosure

    Kimwolf first emerged as an Android botnet tied to **AISURU** and began spreading through **exposed ADB** services. Early operations focused on turning infected devices into a **residential proxy** and **DDoS** relay network.

    Show sources