Kimwolf IoT Botnet Uses Android TV Boxes And Residential Proxies To Jump To More Devices

by Justin Erickson

Researchers are tracking a fast growing IoT botnet known as Kimwolf, which has infected more than 2 million mainly unofficial Android TV devices and is now visible inside corporate and government networks. Kimwolf emerged in 2025 as an offshoot of the Aisuru DDoS botnet and became well known after it briefly topped Cloudflare’s global domain rankings. Kimwolf operators abuse residential proxy services so that they can relay commands to devices on the local networks behind those proxies. Many of the compromised systems are unofficial Android TV streaming boxes that ship with no real security or authentication – and residential proxy software already installed. Once active, Kimwolf can launch large DDoS attacks and relay other malicious traffic. Infoblox reports that nearly 25 percent of their cloud customers “…made a query to a Kimwolf domain since October 1st”. This activity indicates that “…25% of customers had at least one device that was an endpoint in a residential proxy service targeted by Kimwolf operators… A query means a scan was made, not that new devices were compromised”.