Full Report
The botnet known as Kimwolf has infected more than 2 million Android devices by tunneling through residential proxy networks, according to findings from Synthient. "Key actors involved in the Kimwolf botnet are observed monetizing the botnet through app installs, selling residential proxy bandwidth, and selling its DDoS functionality," the company said in an analysis published last week.
Analysis Summary
# Tool/Technique: Kimwolf Botnet
## Overview
Kimwolf is an active botnet predominantly targeting Android devices, which has infected over 2 million devices to date. Its primary purpose is to monetize compromised systems through various means, including selling residential proxy bandwidth, facilitating app installs, and offering DDoS attack capabilities. It is considered an Android variant related to the AISURU botnet.
## Technical Details
- Type: Malware family (Botnet)
- Platform: Android devices (including unofficial smart TVs and set-top boxes)
- Capabilities: DDoS orchestration, residential proxy bandwidth monetization, app install fraud, credential stuffing.
- First Seen: Active since at least August 2025.
## MITRE ATT&CK Mapping
*Note: Mappings are derived from observed behavior (DDoS, networking, initial access via exposed services).*
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
- **TA0008 - Lateral Movement**
  - T1021 - Remote Services (leveraging infected devices as proxies)
- **TA0002 - Execution**
  - T1204 - User Execution
- **TA0003 - Persistence** (implied by botnet functionality)
- **TA0010 - Exfiltration** (implied by credential stuffing activities)
## Functionality
### Core Capabilities
- **Mass Infection:** Exploits weak security posture, specifically targeting Android devices with exposed and unauthenticated Android Debug Bridge (ADB) services.
- **Proxy Tunneling:** Turns infected devices into residential proxies, tunneling traffic through the victim's network infrastructure.
- **Monetization:** Sells access to the compromised residential IPs, often leveraged through SDKs like Plainproxies Byteconnect.
- **DDoS Orchestration:** Converts the botnet into a platform for launching large-scale Distributed Denial of Service attacks.
### Advanced Features
- **Proxy Infrastructure Integration:** Leverages existing residential proxy networks (e.g., IPIDEA) to drop and propagate the malware by tunneling through user local networks.
- **Secondary SDK Infection:** Injects bandwidth monetization SDKs (e.g., Byteconnect SDK) onto infected devices, suggesting a deep integration or partnership with commercial proxy providers.
- **Credential Stuffing:** Utilizes compromised devices to target accounts on IMAP servers and popular websites.
## Indicators of Compromise
- File Hashes: [Not specified in the text]
- File Names: [Plainproxies Byteconnect SDK]
- Registry Keys: [Not applicable to Android primary focus, but may use specific Android permissions/files]
- Network Indicators:
  - Main Payload Listening Port: `40860`
  - C2/Command Port: `85.234.91[defanged]247:1337`
  - Relay Servers (Proxy Tasks): 119 relay servers detected.
- Behavioral Indicators:
  - Devices found with unsecured, unauthenticated ADB enabled (67% of observed targets).
  - Outbound connections facilitating proxy relaying traffic.
  - Activity correlated with IPIDEA proxy infrastructure connections before patching.
## Associated Threat Actors
- Key actors involved in the Kimwolf botnet (Specific group name not provided, but linked to malware families like AISURU).
- Entities associated with commercial proxy providers (evidenced by integration with IPIDEA and Byteconnect SDK).
## Detection Methods
- **Signature-based detection:** Detecting the known main payload port (`40860`) or known C2 addresses.
- **Behavioral detection:** Monitoring for excessive outbound traffic patterns indicative of proxy relaying or credential stuffing originating from Android devices.
- **Network Filtering:** Detecting attempts to reach sensitive local network addresses (RFC 1918 ranges) from external or untrusted sources, the pattern produced when proxy providers tunnel customer traffic through a victim's local network.
## Mitigation Strategies
- **Device Hardening:** Disable or lock down exposed Android Debug Bridge (ADB) services immediately, and ensure any that must remain enabled are not left unauthenticated.
- **Network Configuration:** Organizations (especially proxy providers) should implement filtering to block requests targeting RFC 1918 private IP address ranges from reaching internal hosts via relay/proxy connections.
- **Device Security:** Ensure Android devices, especially smart TVs and set-top boxes, are running patched software to prevent pre-infection via compromised SDKs.
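The detection and mitigation bullets above share one building block: telling RFC 1918 destinations apart from public ones and acting on the result. The following Python is an added example written for this summary, not code from Synthient or from any proxy provider. It runs the three detection ideas (known payload port, known C2 endpoint, relay requests aimed at private address space) plus a simple IMAP-burst heuristic for credential stuffing over constructed connection-log lines, and exposes the relay filter a proxy provider could apply as a policy function. Assumptions: the log format, the sample lines, the proxy listener port (8080) and the burst threshold are all constructed; the C2 endpoint is a TEST-NET placeholder, not the report's defanged address; and the relay policy denies loopback and link-local targets in addition to the RFC 1918 ranges the summary names.

```python
"""Constructed example: flag Kimwolf-style indicators in connection logs and
apply a relay-target filter. Not from the Synthient report; all sample data,
the log format, and the C2 address are constructed for illustration."""
import ipaddress
import re
from collections import Counter

# RFC 1918 ranges listed explicitly (ipaddress's is_private is broader and
# would also match documentation ranges such as 203.0.113.0/24).
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Indicator from the analysis summary: main payload listening port.
KIMWOLF_PAYLOAD_PORT = 40860
# Placeholder C2 endpoint (TEST-NET-3 address); replace with refanged IoCs from the report.
C2_ENDPOINTS = {("203.0.113.10", 1337)}
IMAP_PORTS = {143, 993}
IMAP_BURST_THRESHOLD = 3  # connections per source in the window; tune per environment

# Constructed log format: "<ts> <src>:<sport> -> <dst>:<dport> <proto> [relay_target=<ip>]"
# relay_target is the destination a proxy customer asked the exit device to reach.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+)(?: relay_target=(?P<target>[\d.]+))?$"
)


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETS)


def relay_policy(target_ip: str) -> str:
    """Proxy-provider side filter: deny relay requests into private/local space."""
    addr = ipaddress.ip_address(target_ip)
    if is_rfc1918(target_ip) or addr.is_loopback or addr.is_link_local:
        return "deny"
    return "allow"


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def classify(rec) -> list:
    """Indicator tags for one parsed connection record (empty list if benign)."""
    tags = []
    if (rec["dst"], rec["dport"]) in C2_ENDPOINTS:
        tags.append("c2_endpoint")
    # An external source reaching the payload listener on a LAN device.
    if rec["dport"] == KIMWOLF_PAYLOAD_PORT and not is_rfc1918(rec["src"]):
        tags.append("payload_port_from_external")
    # A relayed request whose final destination is private address space.
    if rec["target"] and relay_policy(rec["target"]) == "deny":
        tags.append("relay_to_private_target")
    return tags


def analyze(lines) -> dict:
    """Run per-line classification plus the IMAP burst heuristic over a log window."""
    alerts, imap_counts = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the constructed format
        tags = classify(rec)
        if tags:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"], "tags": tags})
        if rec["dport"] in IMAP_PORTS:
            imap_counts[rec["src"]] += 1
    bursts = sorted(src for src, n in imap_counts.items() if n >= IMAP_BURST_THRESHOLD)
    return {"alerts": alerts, "imap_burst_sources": bursts}


# Constructed sample: one LAN device (192.168.1.23) showing each behaviour.
SAMPLE_LOG = """\
2025-09-01T10:00:00Z 192.168.1.23:51000 -> 203.0.113.10:1337 tcp
2025-09-01T10:00:05Z 198.51.100.7:43210 -> 192.168.1.23:40860 tcp
2025-09-01T10:00:09Z 198.51.100.9:44000 -> 192.168.1.23:8080 tcp relay_target=192.168.1.1
2025-09-01T10:00:12Z 192.168.1.23:51002 -> 198.51.100.20:443 tcp
2025-09-01T10:00:15Z 198.51.100.9:44001 -> 192.168.1.23:8080 tcp relay_target=198.51.100.50
2025-09-01T10:00:20Z 192.168.1.23:51003 -> 198.51.100.30:993 tcp
2025-09-01T10:00:21Z 192.168.1.23:51004 -> 198.51.100.31:993 tcp
2025-09-01T10:00:22Z 192.168.1.23:51005 -> 198.51.100.32:143 tcp
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for alert in result["alerts"]:
        print(alert["ts"], alert["src"], "->", alert["dst"], ",".join(alert["tags"]))
    print("IMAP burst sources:", result["imap_burst_sources"])
```

On the sample, the first three lines raise one alert each (C2 contact, external hit on port 40860, relay into 192.168.1.1), the public relay target and the HTTPS session pass, and the three IMAP connections from the same device trip the burst heuristic. The `relay_policy` function is the piece a proxy provider would put in front of its relay servers; the per-line tags are what a home or enterprise egress sensor would emit.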
## Related Tools/Techniques
- AISURU: Kimwolf is identified as an Android variant of the AISURU botnet.
- IPIDEA: Commercial residential proxy provider whose infrastructure was leveraged for distribution.
- Plainproxies Byteconnect SDK: A monetization service SDK leveraged by the botnet operators.