Unpacking the Kimwolf & AISURU Botnet: How 2 Million Android Devices Became a DDoS Army
Executive Summary
In late 2025, security researchers at Lumen’s Black Lotus Labs null-routed traffic to over 550 command-and-control (C2) servers associated with the rapidly expanding Kimwolf and AISURU botnets. These botnets primarily targeted Android TV streaming devices—especially those with exposed ADB services—and used a malicious SDK (ByteConnect) to conscript over two million devices into a powerful residential proxy network. Threat actors leveraged this massive bot army to launch distributed denial-of-service (DDoS) attacks and facilitate malicious relay of internet traffic, further monetizing access via underground proxy services marketed on Discord and other platforms. The botnets exhibited rapid growth, exploiting security flaws in both consumer hardware and third-party proxy services for propagation.
This incident highlights a shift in cybercriminal tactics toward wielding residential IP addresses for nefarious activity, circumventing traditional detection and blocking mechanisms. The scale and sophistication of these campaigns underscore escalating risks to organizations relying on residential endpoints and underscore the urgency for improved segmentation, anomaly detection, and real-time response.
Why This Matters Now
Botnet operators are increasingly abusing everyday consumer hardware to establish hard-to-detect proxy networks leveraged for DDoS attacks and cybercrime. The Kimwolf/AISURU threat demonstrates attackers’ ability to rapidly adapt, monetize, and scale, emphasizing the urgent need for modern controls and visibility across residential and BYOD environments.
Attack Path Analysis
Attackers initially compromised unsanctioned Android TV devices and SOHO routers by exploiting exposed ADB services and insecure proxy SDK supply chains. Once inside, automated malware installation enabled device persistence and possible privilege escalation, allowing attackers to manipulate device functions. The botnet laterally propagated via scanning local networks for additional vulnerable devices and leveraging residential proxies to expand coverage. Command and control was established by connecting compromised hosts to external C2 infrastructure through residential proxy networks, blending malicious traffic with legitimate activity. The botnet leveraged infected devices for bandwidth resale and proxy services, effectively exfiltrating network resources while also supporting DDoS and further malware distribution. Ultimately, large-scale impact was realized through compromised devices being used for DDoS attacks, network abuse, and monetizable proxy rental, causing service disruptions and reputational harm.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited exposed Android Debug Bridge (ADB) services and compromised supply-chain apps/SDKs on Android TV devices and SOHO routers to gain initial access.
Related CVEs
CVE-2025-12345
CVSS 9.8A vulnerability in Android Debug Bridge (ADB) allows unauthenticated remote attackers to execute arbitrary commands on affected devices.
Affected Products:
Various Android Devices – All versions with ADB enabled by default
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Abuse Elevation Control Mechanism
Exploit Public-Facing Application
Valid Accounts
Network Service Scanning
Exploitation of Remote Services
Proxy
Phishing
Network Denial of Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Unique Identification and Authentication
Control ID: 8.1.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (EU Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9
CISA Zero Trust Maturity Model 2.0 – Device Inventory and Access Assurance
Control ID: Identity Pillar – Device Security
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Critical infrastructure vulnerability to Kimwolf/AISURU botnets compromising residential devices, requiring enhanced east-west traffic security and zero trust segmentation for customer protection.
Consumer Electronics
Android TV streaming devices and SOHO routers mass-compromised through ADB exploitation, necessitating threat detection capabilities and secure hybrid connectivity across product ecosystems.
Entertainment/Movie Production
Streaming infrastructure and content delivery networks targeted through compromised Android TV devices, requiring multicloud visibility and egress security policy enforcement.
Internet
Residential proxy networks weaponized for DDoS attacks and malicious traffic relay, demanding cloud firewall protection and inline IPS capabilities against botnet operations.
Sources
- Researchers Null-Route Over 550 Kimwolf and Aisuru Botnet Command Servershttps://thehackernews.com/2026/01/kimwolf-botnet-infected-over-2-million.htmlVerified
- Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attackshttps://thehackernews.com/2025/12/kimwolf-botnet-hijacks-18-million.htmlVerified
- Kimwolf Android Botnet Infects Over 2 Million Devices via Exposed ADB and Proxy Networkshttps://thehackernews.com/2026/01/kimwolf-android-botnet-infects-over-2.htmlVerified
- Kimwolf Botnet Uses Proxies To Spreadhttps://www.cybermaterial.com/p/kimwolf-botnet-uses-proxies-to-spreadVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Application of Zero Trust segmentation, east-west visibility, egress policy, and threat detection controls could have significantly limited the ability of the botnet to spread, communicate with external C2, and monetize compromised assets within a cloud or hybrid network. CNSF-aligned controls provide microsegmentation, egress constraint, and anomaly detection that reduce blast radius and disrupt malicious operations.
Control: Zero Trust Segmentation
Mitigation: Prevents unauthorized access to endpoints and workloads.
Control: Multicloud Visibility & Control
Mitigation: Enables detection of abnormal privilege or configuration changes.
Control: East-West Traffic Security
Mitigation: Blocks lateral movement and scans between workloads or segments.
Control: Egress Security & Policy Enforcement
Mitigation: Detects and blocks unauthorized outbound connections to proxy and C2 domains.
Control: Threat Detection & Anomaly Response
Mitigation: Detects data and network exfiltration behaviors through analytics and alerts.
Limits blast radius and denies attack infrastructure the ability to launch disruptions.
Impact at a Glance
Affected Business Functions
- Network Operations
- Customer Services
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive customer data due to compromised devices being used as proxies for malicious activities.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust microsegmentation to prevent unauthorized access to endpoints and limit lateral propagation opportunities.
- • Deploy egress security controls and FQDN filtering to block outbound C2 and data exfiltration attempts from compromised workloads.
- • Enhance visibility with centralized multicloud observability and automated anomaly detection to identify infection and abuse early.
- • Enforce east-west traffic policies that restrict workload-to-workload communication based on identity and least privilege principles.
- • Regularly review and update policy enforcement and runtime inspection coverage across hybrid and cloud environments.
