A new bad actor has joined the cybersecurity world. According to security researchers, the Kimwolf botnet has already infected more than 2 million Android devices across the globe. The botnet specifically targets devices that expose unprotected Android Debug Bridge (ADB) services. It relies primarily on residential proxy networks to carry out its operations. In July, QiAnXin XLab reported the discovery of Kimwolf for the first time. This Android counterpart of the previously reported AISURU botnet is one example of a concerning progression in mobile malware.
Active since at least August 2025, Kimwolf has largely focused on Vietnam, Brazil, India, and Saudi Arabia. According to Synthient, a New York City-based cybersecurity company, the botnet uses a scanning infrastructure to locate its victims. This unusual attack method installs malware by exploiting outdated ADB services that are often left unauthenticated.
Mechanism of Infection
To infect devices, the Kimwolf botnet uses a new technique: tunneling through residential proxy networks. Once that initial connection is made, the infected device reaches out to the IP 85.234.91[.]247 over port 1337 and prepares to accept further commands. The main payload then listens for commands on TCP port 40860, giving the botnet a new and unusual vector for launching its activity.
During the most recent Kimwolf campaign, Synthient measured around 12 million unique IP addresses per week being hit by Kimwolf’s scanning. Worse still, the vast majority of these infected devices have ADB enabled by default, and at least 67% of them are unauthenticated. This combination has created a perfect storm of exposure for millions of devices, greatly increasing their chances of being attacked or exploited.
“The scale of this vulnerability was unprecedented, exposing millions of devices to attacks,” – Synthient
Monetization Strategies
The operators behind Kimwolf are not content merely to disrupt and sow chaos; they are driven to profit from their activities. The actors controlling the botnet currently monetize it in three ways: installing apps on infected devices, selling residential proxy bandwidth, and renting out its DDoS functionality.
Kimwolf’s operators also market their residential proxies aggressively, which reveals the monetization strategy: prices start as low as $0.20 per GB, or $1,400 a month for unlimited bandwidth. This pricing spurred early adoption by multiple proxy providers, widening the botnet’s reach.
“Key actors involved in the Kimwolf botnet are observed monetizing the botnet through app installs, selling residential proxy bandwidth, and selling its DDoS functionality,” – Synthient
Recent Developments and Security Measures
To counter the Kimwolf threat, China-based IPIDEA released a fix on December 27th. The patch blocks access to local network devices and cuts off a set of sensitive ports, limiting the botnet’s ability to operate. As Kimwolf continues to develop at breakneck speed, defenders remain on guard.
Last year, Kimwolf launched a campaign of record-breaking DDoS attacks, demonstrating its potential to wreak havoc on a larger scale. The cybersecurity specialists at ONDD are closely watching the evolving situation. To guard against remote exploitation, users should make sure their devices are not exposed: turn off ADB in developer options and use strong authentication methods.
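As an added, defender-side example that is not part of the original article: a small Python script that runs the article’s indicators (outbound connections to 85.234.91[.]247 on port 1337 and an inbound listener on TCP port 40860, from the Mechanism of Infection section) over a constructed set of network flow records, and also flags devices that accept ADB connections from outside the local network, the exposure the botnet scans for. The flow-log format and every address other than the C2 IP are invented for this example; the ADB port 5555 is an assumption (the usual port for ADB over TCP) that the article does not state.

```python
import ipaddress
from dataclasses import dataclass

# Indicators taken from the article. The IP is written defanged there as
# 85.234.91[.]247; it is refanged here so it can be compared programmatically.
KIMWOLF_C2_IP = ipaddress.ip_address("85.234.91.247")
KIMWOLF_C2_PORT = 1337
KIMWOLF_LISTEN_PORT = 40860

# Assumption: ADB over TCP normally listens on 5555; the article does not name the port.
ADB_PORT = 5555

# Assumption: what counts as "local" for this site (RFC 1918 ranges).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    """One connection record. direction is 'out' (device initiated the
    connection) or 'in' (device accepted it)."""
    direction: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a line in the constructed format '<dir> <src>:<sport> -> <dst>:<dport>'."""
    direction, rest = line.split(None, 1)
    left, right = rest.split("->")
    src, sport = left.strip().rsplit(":", 1)
    dst, dport = right.strip().rsplit(":", 1)
    return Flow(direction, src, int(sport), dst, int(dport))


def is_local(addr: str) -> bool:
    """True if the address falls inside one of the site's local ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def classify(flow: Flow) -> list:
    """Return the indicator names a single flow matches (empty if none)."""
    findings = []
    # Beacon to the command-and-control address over port 1337.
    if (flow.direction == "out"
            and ipaddress.ip_address(flow.dst) == KIMWOLF_C2_IP
            and flow.dport == KIMWOLF_C2_PORT):
        findings.append("c2_beacon")
    # Something on the device accepted a connection on the payload's command port.
    if flow.direction == "in" and flow.dport == KIMWOLF_LISTEN_PORT:
        findings.append("payload_listener")
    # ADB accepted a connection from outside the local network.
    if flow.direction == "in" and flow.dport == ADB_PORT and not is_local(flow.src):
        findings.append("adb_exposed_to_internet")
    return findings


def scan_log(lines) -> dict:
    """Aggregate findings per local device address. Returns {device: [indicators]}."""
    report = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        hits = classify(flow)
        if hits:
            # Key by the local device: the source for outbound, the destination for inbound.
            device = flow.src if flow.direction == "out" else flow.dst
            report.setdefault(device, set()).update(hits)
    return {device: sorted(hits) for device, hits in report.items()}


def defang(ip: str) -> str:
    """Render an address as 85.234.91[.]247 so it is not clickable in reports."""
    head, tail = ip.rsplit(".", 1)
    return f"{head}[.]{tail}"


# Constructed sample flows, not real telemetry. External addresses use
# documentation ranges; 10.0.0.12 plays an infected device, 10.0.0.20 a clean one.
SAMPLE_FLOWS = """
# dir src:sport -> dst:dport
out 10.0.0.12:49152 -> 85.234.91.247:1337
in  203.0.113.9:51000 -> 10.0.0.12:40860
in  198.51.100.4:40022 -> 10.0.0.12:5555
out 10.0.0.20:49153 -> 192.0.2.10:443
in  10.0.0.5:40001 -> 10.0.0.20:5555
"""

if __name__ == "__main__":
    for device, hits in scan_log(SAMPLE_FLOWS.splitlines()).items():
        print(f"{device}: {', '.join(hits)} (C2 {defang(str(KIMWOLF_C2_IP))})")
```

The local-only ADB connection (10.0.0.5 to 10.0.0.20) is deliberately not flagged: ADB reachable on the LAN is a policy question for the site, whereas ADB accepting connections from arbitrary internet addresses is exactly the condition the article describes. A beacon or listener hit on a device that also shows ADB exposure is the pattern worth triaging first.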