February 20, 2026

Kimwolf Botnet Lurking in Corporate, Govt. Networks

The post explains that Kimwolf is a fast-growing IoT botnet that has infected over 2 million devices and uses them both for large DDoS attacks and as “relays” for abusive traffic (ad fraud, account takeover attempts, large-scale scraping). What makes Kimwolf unusually dangerous is how it spreads: it abuses residential proxy services by sending malicious commands through the proxy endpoint and then scanning the endpoint’s local network to find and infect other vulnerable devices. Krebs says Kimwolf heavily targeted IPIDEA (a large China-based proxy provider), and that the devices most often compromised via this local scanning are unofficial Android TV streaming boxes—often sold for pirated streaming, frequently shipped with proxy software preinstalled, and lacking real security controls.

Even though you’d expect this to be mostly a “home network” problem, the article says recent research shows Kimwolf activity is surprisingly common in corporate and government environments. Infoblox observed that since October 1, 2025, nearly 25% of its customers had at least one device make a DNS query to a Kimwolf-related domain—an indicator that a scan was attempted (not proof of a successful compromise). Synthient found large numbers of IPIDEA proxy endpoints inside institutions, including ~33,000 at universities/colleges and nearly 8,000 inside U.S. and foreign government networks. Separately, the proxy-tracking firm Spur reported seeing residential proxies in hundreds of sensitive environments (including government and utilities), warning that if a proxy-infected device exists on a network, it can provide attackers a practical foothold to probe for weak internal systems.

Source: https://krebsonsecurity.com/2026/01/kimwolf-botnet-lurking-in-corporate-govt-networks/
