HeadlinesBriefing.com

Kimwolf Botnet Threatens Corporate, Government Networks

Hacker News: Front Page

A new IoT botnet called Kimwolf has infiltrated over 2 million devices, forcing them to participate in massive DDoS attacks and relay malicious traffic. The botnet poses a serious threat to organizations, especially government and corporate networks, by exploiting vulnerabilities in residential proxy services and Android TV boxes.

Kimwolf spread rapidly in late 2025, using residential proxies to relay malicious commands. Residential proxy software, often bundled with mobile apps, can turn devices into proxy nodes that relay abusive traffic, including ad fraud and account takeover attempts. The botnet primarily targeted IPIDEA, a Chinese service with millions of proxy endpoints, allowing it to scan for and infect other vulnerable devices on local networks.

Infoblox's research revealed that nearly 25% of its customers had devices querying Kimwolf-related domains, indicating the botnet's widespread presence across industries including education, healthcare, government, and finance. Experts warn that a single proxy infection can lead to significant security risks for organizations.

The security community is closely monitoring Kimwolf's impact, with upcoming reports on its connection to the Badbox 2.0 botnet. Organizations are advised to secure their networks against residential proxy infections, as these can provide attackers with a foothold to probe other devices on the local network.