The Black Lotus Labs team at Lumen Technologies has reported that they null-routed traffic to over 550 command-and-control (C2) nodes tied to the AISURU/Kimwolf botnet since early October 2025. The AISURU and Kimwolf botnets have become significant threats due to their ability to orchestrate distributed denial-of-service (DDoS) attacks and transmit malicious traffic through compromised devices.
The Kimwolf malware first came into the spotlight in late 2025 following a comprehensive analysis by QiAnXin XLab, which revealed that it targets mainly poorly secured Android TV streaming devices. By installing a software development kit (SDK) called ByteConnect via untrustworthy applications, the malware turns these devices into residential proxies.
This botnet has reportedly infected over 2 million Android devices that expose an Android Debug Bridge (ADB) service. The malware reaches these devices through residential proxy networks, which has driven a substantial increase in the number of compromised Android TV boxes. A report from Synthient indicated that the Kimwolf operators were attempting to resell the proxy bandwidth of these devices for profit.
Black Lotus Labs identified a pattern of residential server connections originating from Canadian IP addresses, enabling SSH access to the backend of AISURU at a specified IP address. It’s notable that a second-level domain associated with the botnet even surpassed Google in popularity according to Cloudflare’s top domains list.
In October 2025, they also pinpointed another C2 domain that directed traffic to an IP linked to a Utah-based hosting provider known for its premium game server solutions, further uncovering illegal proxy service sales conducted through digital platforms like Discord.
Black Lotus Labs reported a staggering increase in Kimwolf bots, with a 300% spike in new additions recorded in early October. This surge, amounting to 800,000 active bots by mid-month, was connected to a residential proxy service where the majority of these bots were available for sale.
The botnet was later found to scan for vulnerable devices in order to propagate. This scanning can exploit security flaws in numerous proxy services, allowing the operators to infiltrate those networks with little effort. The end result is that compromised devices are converted into residential proxy nodes, with their IP addresses leveraged for unlawful purposes.
This incident reflects an evolving trend where consumer devices are increasingly utilized as tools for extensive cyberattacks while blending into normal internet traffic, thereby evading detection. The use of compromised routers as residential proxy nodes demonstrates the sophistication of contemporary cybercriminal operations, further highlighting the crucial need for better security measures across devices used in residential settings.