March 2, 2026

Who Benefited from the Aisuru and Kimwolf Botnets?

Krebs explains that Kimwolf (and its earlier sibling Aisuru) are botnets that rapidly enslaved millions of unofficial Android TV streaming boxes, largely by abusing residential proxy software that ships preinstalled on many of these devices. Once infected, the boxes are used for DDoS attacks and—more lucratively—turned into “residential proxies” that relay traffic for activities like ad fraud, credential-stuffing/account takeover attempts, and large-scale scraping. The article highlights evidence from XLab that Kimwolf and Aisuru share the same operators and infrastructure (including distribution from the same IP), then pivots to “who profits” by following the infrastructure and sales channels used to rent out this proxy capacity.

A major thread is infrastructure and resale: Krebs ties botnet-linked IP space to Resi Rack LLC, whose operators were present in a Discord marketplace (resi[.]to) where members routinely posted IPs used to proxy traffic through the botnet. The post also names proxy/SDK businesses that appeared to benefit, such as Plainproxies/ByteConnect (where researchers observed the relayed traffic being used for credential-stuffing), and notes connections to 3XK Tech, a hosting network previously flagged for heavy DDoS/scanning activity. Another reseller called Maskify is described as offering extremely cheap “residential” bandwidth, which researchers argue is a red flag for unethical sourcing. Finally, Krebs describes how the botmasters responded to scrutiny by wiping chat history, doxing researchers, and using Ethereum Name Service (ENS) records to make their command-and-control harder to disrupt. The article ends with practical advice: if you have one of the affected TV box models, unplug and replace it rather than trying to “clean” it.

Source: https://krebsonsecurity.com/2026/01/who-benefited-from-the-aisuru-and-kimwolf-botnets/
