Researchers Null-Route Over 550 Kimwolf and Aisuru Botnet Command Servers
The Black Lotus Labs team at Lumen Technologies said it null-routed traffic to more than 550 command-and-control (C2) nodes associated with the AISURU/Kimwolf botnet since early October 2025. AISURU and its Android counterpart, Kimwolf, have emerged as some of the biggest botnets in recent times, capable of directing enslaved devices to participate in distributed denial-of-service (DDoS)
AI Analysis
Technical Summary
The AISURU/Kimwolf botnet is a sophisticated, large-scale threat that primarily targets Android devices, in particular Android TV streaming boxes whose Android Debug Bridge (ADB) service is exposed. The malware is delivered through a software development kit (SDK) called ByteConnect, either directly or bundled in dubious pre-installed apps. This has let the botnet enslave over 2 million devices and turn them into residential proxy nodes, which relay malicious traffic, take part in distributed denial-of-service (DDoS) attacks, and supply proxy bandwidth that is sold on underground markets.

The command-and-control (C2) infrastructure is extensive: Black Lotus Labs has null-routed over 550 C2 servers since October 2025 to disrupt operations. The botnet also exploits security flaws in proxy services such as PYPROXY to scan and infect devices on internal networks, and it compromises SOHO routers running KeeneticOS firmware across Russian ISPs, which serve as additional residential proxy nodes. Residential proxies are especially dangerous because their IP addresses carry legitimate residential reputations, so malicious traffic evades security controls that typically flag data-center or hosting-provider IPs.

The operators monetize the infrastructure by selling proxy access on platforms such as Discord, with ties to hosting providers like Resi Rack LLC. The botnet's rapid growth, notably a 300% surge in new bots in early October 2025, shows an evolving threat. Exploitation requires no user interaction and relies on exposed services and weak configurations, which makes it highly scalable and hard to contain; the use of residential proxies further complicates detection and mitigation, posing a persistent threat to network security and availability.
Potential Impact
For European organizations, the AISURU/Kimwolf botnet presents several significant risks. The botnet’s ability to conduct large-scale DDoS attacks can disrupt critical online services, impacting availability and causing financial and reputational damage. Organizations relying on residential proxy services or those with IoT devices similar to Android TV boxes may inadvertently become part of the botnet or have their traffic routed through compromised nodes, leading to privacy breaches and potential legal liabilities. The use of residential IPs by the botnet to mask malicious activity complicates threat detection and response efforts, increasing the risk of successful attacks. Additionally, the botnet’s exploitation of proxy services and consumer routers can lead to lateral movement within networks, potentially exposing sensitive data and infrastructure. The monetization of proxy bandwidth on underground markets incentivizes continued botnet growth and persistence, increasing the threat’s longevity. European ISPs and network operators may face increased burdens in identifying and mitigating infected devices, requiring enhanced collaboration and threat intelligence sharing. Overall, the botnet threatens the confidentiality, integrity, and availability of networked resources across Europe, especially in sectors dependent on stable internet connectivity and secure IoT deployments.
Mitigation Recommendations
1. Disable or secure Android Debug Bridge (ADB) services on all Android devices, especially Android TV streaming boxes, to prevent unauthorized remote access.
2. Conduct network-wide scans to identify devices with exposed ADB or SSH services and isolate or remediate compromised devices promptly.
3. Monitor outbound traffic for unusual proxy activity or connections to known C2 domains associated with AISURU/Kimwolf.
4. Collaborate with ISPs and hosting providers to identify and null-route malicious C2 servers and infected residential proxy nodes.
5. Implement strict access controls and firmware updates on SOHO routers, particularly those running KeeneticOS, to close known vulnerabilities and prevent automated exploitation.
6. Employ advanced threat detection solutions capable of analyzing residential proxy traffic patterns to detect and block malicious communications.
7. Educate users and administrators about the risks of installing untrusted apps on Android devices and the importance of securing IoT devices.
8. Engage in threat intelligence sharing with industry peers and national cybersecurity centers to stay informed about emerging botnet infrastructure changes.
9. Consider network segmentation to limit the spread of infections within organizational environments.
10. Regularly audit proxy service usage and verify the legitimacy of proxy providers to avoid inadvertently using compromised residential proxies.
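Recommendations 2 and 3 above can be turned into a small triage step over data a defender already has: an asset-scan result listing open ports, and outbound flow records. The script below is an added example, not code from the article or from Black Lotus Labs; it assumes ADB over TCP listens on its standard port 5555, uses constructed sample records, and treats the fan-out threshold as an assumption to tune per network.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

ADB_PORT = 5555          # standard ADB-over-TCP listener port
SSH_PORT = 22
FANOUT_THRESHOLD = 50    # assumption: distinct external destinations; tune per network
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed asset-scan results: (host, open TCP ports). Not real data.
SCAN = [
    ("10.0.1.20", [22, 80]),
    ("10.0.1.41", [5555, 8080]),   # e.g. an Android TV box with ADB reachable
    ("10.0.1.42", [5555, 22]),
    ("10.0.1.50", [443]),
]

# Constructed outbound flow records: (src_host, dst_ip, dst_port). 203.0.113.0/24 is
# a documentation range standing in for arbitrary internet destinations.
FLOWS = (
    [("10.0.1.41", f"203.0.113.{i}", 443) for i in range(1, 90)]   # 89 distinct dests
    + [("10.0.1.41", "10.0.1.1", 53)] * 200                         # internal DNS, ignored
    + [("10.0.1.20", "198.51.100.5", 443)] * 30                     # one dest, repeated
)


def exposed_debug_services(scan):
    """Map host -> list of exposed debug/remote services (recommendations 1 and 2)."""
    findings = {}
    for host, ports in scan:
        names = [n for p, n in ((ADB_PORT, "adb"), (SSH_PORT, "ssh")) if p in ports]
        if names:
            findings[host] = names
    return findings


def proxy_fanout(flows, threshold=FANOUT_THRESHOLD):
    """Map host -> number of distinct external (ip, port) destinations, reported only
    when it reaches threshold; a consumer device relaying proxy traffic fans out this way."""
    dests = defaultdict(set)
    for src, dst_ip, dst_port in flows:
        if any(ip_address(dst_ip) in net for net in INTERNAL_NETS):
            continue   # internal destinations are not proxy-exit traffic
        dests[src].add((dst_ip, dst_port))
    return {src: len(d) for src, d in dests.items() if len(d) >= threshold}


def triage(scan, flows):
    """Hosts that both expose ADB and show proxy-like fan-out: isolate these first."""
    exposed = exposed_debug_services(scan)
    fanout = proxy_fanout(flows)
    return sorted(h for h, svcs in exposed.items() if "adb" in svcs and h in fanout)
```

Hosts returned by `triage` match the infection pattern described in the analysis (exposed ADB plus residential-proxy behaviour) and are the first candidates for isolation and firmware or app cleanup.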
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Article source: https://thehackernews.com/2026/01/kimwolf-botnet-infected-over-2-million.html (fetched 2026-01-14, 1399 words)
- Threat ID: 69682be609a9118869f2d64b
- Added to database: 1/14/2026, 11:51:02 PM
- Last enriched: 1/14/2026, 11:51:19 PM
- Last updated: 2/7/2026, 2:39:58 PM