Overview
- Black Lotus Labs at Lumen says it has null-routed or blocked traffic to more than 550 command-and-control nodes since early October 2025.
- Researchers attribute over 2 million infected unofficial Android TV devices to Kimwolf after its operators leveraged proxy networks to reach boxes with Android Debug Bridge (ADB) exposed.
- Analysts observed a 300% surge in new bots over a week in early October, tied to residential-proxy listings and followed by scans of services like PYPROXY to find more vulnerable devices.
- Investigations link the operation to monetization through residential-proxy marketplaces and Discord communities, with infrastructure touching providers such as Resi Rack LLC.
- DDoS activity typically occurs in short bursts that often hit gaming servers, and researchers warn the botnet’s agile infrastructure leaves significant residual risk despite ongoing disruptions.