
The Kimwolf botnet represents one of the most insidious IoT threats to emerge recently.
According to the latest analyses, this malicious infrastructure has already compromised over two million devices, exploiting them for distributed denial-of-service attacks and as intermediate nodes for abusive traffic. Its true strength, however, isn’t its sheer size, but its ability to infiltrate networks that were never conceived as fertile ground for an IoT botnet.
Kimwolf doesn’t stop at the device it first infects. Once it gains access, the malware actively scans the local network for other vulnerable systems. This behavior allows operators to spread the infection laterally, turning a single entry point into a problem for the entire network infrastructure.
The botnet’s growth accelerated throughout 2025 due to the abuse of residential proxy services. These platforms, designed to route traffic through home IP addresses in various geographic areas, were exploited to route commands to exposed IoT devices from inside the home network, bypassing perimeter security controls that only inspect connections arriving from the internet.
Large providers, including services with millions of endpoints available weekly, were used as distribution channels. Through these proxies, Kimwolf was able to reach devices that would otherwise not be directly accessible from the internet.
The core of the Kimwolf infrastructure is largely composed of uncertified Android TV boxes running open-source (AOSP) builds of the operating system. These are inexpensive devices, often sold for access to pirated content, that arrive on the market without adequate security protections.
In many cases, these media players ship with pre-installed proxy software, exposed backdoors, or network services with no authentication at all. Once reached, they can be easily compromised and turned into persistent botnet nodes that are difficult to clean up or update.
Even after proxy providers introduced some countermeasures, millions of devices remain infected. The persistence of the threat is linked to the very nature of the hardware: poorly managed, rarely updated, and often abandoned.
Investigations conducted by Infoblox show that Kimwolf-related activity has been observed across a wide range of corporate and government networks. DNS queries to the botnet’s command and control domains originate from organizations in critical sectors such as healthcare, education, finance, and government.
Further technical analysis, attributed to experts at Spur.us, identified tens of thousands of IP addresses associated with vulnerable proxy services within universities, businesses, and government networks. In several cases, these proxies provide an entry point that allows attackers to observe or explore internal segments of the compromised networks.
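The DNS-based detection the Infoblox finding implies can be reproduced on your own resolver logs. The following is an added example, not code from the article or from Infoblox or Spur.us: it scans resolver query lines for hits against a watchlist of command and control domains, matching on label boundaries so that a look-alike name does not trigger and a subdomain of a listed domain does. The watchlist entries, the BIND-style log format (`<timestamp> client <ip>#<port>: query: <qname> IN <qtype> ...`) and the log lines are all constructed placeholders, not real Kimwolf indicators or captured traffic.

```python
"""Added example: flag DNS queries to a watchlist of botnet C2 domains.

All indicators and log lines below are hypothetical placeholders; a real
deployment would load the watchlist from a threat-intelligence feed and read
the resolver's actual query log.
"""
import re
from collections import defaultdict

# Hypothetical watchlist (placeholders, not real Kimwolf domains).
WATCHLIST = {"c2.example-botnet.test", "beacon.example-botnet.test"}

# Assumed BIND-style query log line:
#   <date> <time> client <ip>#<port>: query: <qname> IN <qtype> ...
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def matches_watchlist(qname, watchlist=WATCHLIST):
    """Return the watchlist domain that qname equals or is a subdomain of,
    else None. Case and a trailing dot are normalised, and the comparison is
    done on label boundaries, so 'notc2.example-botnet.test' does not match
    'c2.example-botnet.test' while 'api.beacon.example-botnet.test' does
    match 'beacon.example-botnet.test'."""
    name = qname.rstrip(".").lower()
    for bad in watchlist:
        bad = bad.rstrip(".").lower()
        if name == bad or name.endswith("." + bad):
            return bad
    return None


def scan_dns_log(lines, watchlist=WATCHLIST):
    """Return {source_ip: {matched_domain: query_count}} for every query
    that hits the watchlist; lines that do not parse are skipped."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = QUERY_RE.match(line)
        if not m:
            continue
        bad = matches_watchlist(m.group("qname"), watchlist)
        if bad:
            hits[m.group("src")][bad] += 1
    return {src: dict(domains) for src, domains in hits.items()}


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "12-Feb-2025 10:00:01.123 client 10.20.30.40#51234: query: www.example.com IN A +",
    "12-Feb-2025 10:00:02.456 client 10.20.30.40#51235: query: c2.example-botnet.test IN A +",
    "12-Feb-2025 10:00:03.789 client 10.20.30.41#51236: query: api.beacon.example-botnet.test. IN TXT +",
    "12-Feb-2025 10:00:04.000 client 10.20.30.42#51237: query: notc2.example-botnet.test IN A +",
    "12-Feb-2025 10:00:05.000 client 10.20.30.40#51238: query: C2.EXAMPLE-BOTNET.TEST IN AAAA +",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for src, domains in scan_dns_log(SAMPLE_LOG).items():
        print(src, domains)
```

Run against the sample, the scan reports 10.20.30.40 with two queries for c2.example-botnet.test (the second in upper case) and 10.20.30.41 with one query under beacon.example-botnet.test; the look-alike query from 10.20.30.42 is not reported. The source address is what matters operationally: on a corporate network it identifies the host, or the internal proxy, that needs to be isolated and examined.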
The emerging picture is of an IoT botnet that doesn’t just generate noise, but can also provide an initial foothold within complex organizations, significantly expanding the attack surface.
The research that brought this infrastructure and its implications to light was published by Krebs on Security, offering a detailed look at how a seemingly “domestic” threat can have much broader consequences.
