Kimwolf Android Botnet Infects Over 2 Million Devices via Exposed ADB and Proxy Networks
The botnet known as Kimwolf has infected more than 2 million Android devices by tunneling through residential proxy networks, according to findings from Synthient. "Key actors involved in the Kimwolf botnet are observed monetizing the botnet through app installs, selling residential proxy bandwidth, and selling its DDoS functionality," the company said in an analysis published last week. Kimwolf
AI Analysis
Technical Summary
Kimwolf is a large-scale Android botnet active since at least August 2025, with more than 2 million infected devices worldwide. Its primary foothold is the Android Debug Bridge (ADB) daemon exposed over TCP (conventionally port 5555) without the key-authorization step ADB normally requires, a condition present on roughly 67% of infected devices. The affected hardware is mostly unofficial or loosely maintained Android equipment such as smart TVs, set-top boxes and TV sticks, where network ADB is often left enabled in the shipped firmware.

The residential proxy angle is what lets the operators reach those devices even when they are not directly exposed to the internet. Residential proxy SDKs embedded in apps and firmware turn household devices into proxy exit nodes; where an SDK did not block requests to private address ranges, a customer of the proxy service could route traffic to RFC 1918 addresses inside the exit node's own LAN, including an ADB port on a neighbouring TV box. China-based IPIDEA was one provider whose network was abused this way until it applied fixes, and the Plainproxies Byteconnect SDK, which dispatches proxy tasks through 119 relay servers, is another component of the same ecosystem. Synthient's recommendation that proxy providers block requests to RFC 1918 ranges follows directly from this path.

Once installed, the main payload listens on port 40860 and contacts a command-and-control server for tasking. Observed monetization includes paid app installs, resale of the infected devices' bandwidth as residential proxies (marketed aggressively at low prices, which in turn drives adoption and growth), and DDoS-for-hire. The botnet has been linked to record-setting DDoS attacks and to credential stuffing campaigns against IMAP servers and popular websites. Infections are concentrated in Vietnam, Brazil, India and Saudi Arabia, but because the proxy networks themselves are global, infections are not confined to those countries. Synthient recommends that proxy providers block requests to private IP ranges (RFC 1918) and that organizations secure any device with ADB exposed on the network.
Potential Impact
For European organizations the Kimwolf botnet poses several risks. Infected Android devices inside corporate or home networks can be co-opted as proxy exit nodes or DDoS participants, which implicates the organization's IP space in malicious traffic and can degrade its own connectivity. Because the traffic egresses from residential IPs, attribution and blocking are harder for the targets on the receiving end. Organizations that deploy Android-based smart TVs, set-top boxes or IoT devices with ADB reachable over the network are directly exposed to compromise. The credential stuffing campaigns threaten user accounts on IMAP and web services, raising the risk of account takeover and data breaches. Monetization through app installs and proxy bandwidth sales gives the operators a sustained financial incentive, so activity is likely to continue or grow. The botnet's scale and its record-setting DDoS capacity could disrupt services that European businesses and infrastructure depend on. The involvement of proxy providers and SDKs embedded in device firmware complicates mitigation and requires coordination beyond any single organization. Overall the botnet undermines device integrity, network availability and the confidentiality of user credentials, and represents a medium to high operational and reputational risk to European entities.
Mitigation Recommendations
European organizations should audit every Android device on their networks, especially unofficial smart TVs, set-top boxes and other IoT hardware, and make sure ADB over TCP (port 5555) is disabled; where a vendor build leaves it on and cannot be changed, the device must not be reachable on that port from the LAN or the internet. Network administrators should segment IoT and Android devices from workstations, servers and sensitive data, since a compromised TV box is a foothold that a proxy customer can reach from outside. Proxy providers operating in or serving European networks must block requests from their exit nodes to RFC 1918 and other internal ranges and to sensitive ports, so proxy software cannot be steered into devices on the host's own LAN. Detection should look for devices listening on ports 5555 and 40860, for inbound connections to those ports from unexpected sources, and for sustained outbound traffic from consumer devices that is consistent with proxy relaying or a command-and-control channel. Organizations should work with device manufacturers and proxy providers to identify and remove pre-installed proxy SDKs. Multi-factor authentication and monitoring for credential stuffing against corporate mail (IMAP) and web services reduce the impact of credentials tested through the botnet. Incident response plans should include procedures for identifying and isolating infected devices, and user awareness of the risks of exposed ADB and insecure IoT devices reduces the infection vector.
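The proxy-side fix is an egress policy on the exit node, and the detail that matters is where the check sits. The following is an added example written for this page, not code from any proxy SDK or from Synthient: it blocks RFC 1918 plus loopback, link-local, CGNAT and the IPv6 equivalents, refuses the two ports named in the analysis, and resolves hostnames before deciding so that a name with one public and one private record cannot slip past a literal-IP check. The `resolve` hook, the `egress_decision` interface and the sample hostnames are assumptions for illustration.

```python
"""Egress policy for a residential-proxy exit node: refuse internal destinations."""
import ipaddress
import socket

# Ranges a proxy exit node must never be steered into. RFC 1918 is the
# minimum Synthient recommends; the rest close the obvious neighbours.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",   # "this host" and IPv6 equivalents
)]
# ADB over TCP and the Kimwolf payload listener port named in the analysis.
BLOCKED_PORTS = {5555, 40860}


def is_blocked_address(addr):
    """True if addr (str) falls inside an internal range, IPv4-mapped IPv6 included."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped               # ::ffff:192.168.1.1 is still 192.168.1.1
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve(host):
    """Resolve host to every address it maps to (a literal IP resolves to itself)."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def egress_decision(host, port, resolver=resolve):
    """Return ("deny", reason) or ("allow", [addresses the SDK may connect to])."""
    if port in BLOCKED_PORTS:
        return "deny", f"port {port} is not proxyable"
    addrs = resolver(host)
    if not addrs:
        return "deny", "unresolvable destination"
    for addr in addrs:
        if is_blocked_address(addr):
            # Deny on *any* internal answer: a hostname with one public and one
            # private record is the classic way past a literal-IP check.
            return "deny", f"{host} resolves to internal address {addr}"
    return "allow", addrs
```

On "allow" the SDK must connect to one of the returned addresses, not re-resolve the hostname, otherwise a second DNS answer can point the connection back into the LAN after the check has passed. The same policy belongs on any SOCKS or HTTP CONNECT front end the provider runs, since a customer request for `192.168.1.20:5555` is precisely the request that reached the ADB daemons in this campaign.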
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Czech Republic
Technical Details
- Article Source
- {"url":"https://thehackernews.com/2026/01/kimwolf-android-botnet-infects-over-2.html","fetched":true,"fetchedAt":"2026-01-05T18:13:39.113Z","wordCount":1138}
Threat ID: 695bff543839e44175893752
Added to database: 1/5/2026, 6:13:40 PM
Last enriched: 1/5/2026, 6:14:12 PM
Last updated: 1/8/2026, 5:18:53 AM
Views: 1704