Since early October 2025, Black Lotus Labs, the threat intelligence unit of Lumen Technologies, has null-routed traffic to more than 550 command-and-control nodes associated with the AISURU/Kimwolf botnet. AISURU and its Android-focused counterpart Kimwolf have grown into some of the largest botnets observed recently. They use the enslaved devices to conduct distributed denial-of-service attacks and to relay malicious traffic as residential proxies, which lets threat actors hide their activity behind legitimate consumer devices.
Research revealed that Kimwolf targets compromised Android devices, predominantly unauthorized Android TV streaming devices, using a software development kit named ByteConnect. This SDK is either installed through questionable apps or deployed directly to expose an Android Debug Bridge service. Through this exposed service, the botnet has infected over 2 million devices, allowing attackers to route traffic through residential proxy networks and to control a broad range of devices. The botnet infrastructure includes malicious domains such as proxy-sdk.14emeliaterracewestroxburyma02132.su, which notably ranked above Google in Cloudflare’s list of popular domains before being removed.
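The two indicators this paragraph gives a defender, an ADB service reachable from outside the network and DNS lookups for the named C2 domain, can be checked against connection and DNS logs. The following is an added example, not code from Black Lotus Labs or the report; the log format, the internal prefix 192.168.1.0/24 and the sample lines are constructed, and it assumes the Android default of ADB over TCP on port 5555.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Indicator taken from the report: the Kimwolf SDK's C2 domain.
KIMWOLF_C2_DOMAIN = "proxy-sdk.14emeliaterracewestroxburyma02132.su"
ADB_TCP_PORT = 5555  # Android default for ADB over TCP (assumption, not from the report)
INTERNAL_NET = ip_network("192.168.1.0/24")  # constructed home/office range

# Constructed sample log (not real telemetry):
# "<ts> <proto> <src>:<sport> -> <dst>:<dport> [dns=<qname>]"
SAMPLE_LOG = """\
2025-10-12T03:14:07Z tcp 203.0.113.7:41022 -> 192.168.1.50:5555
2025-10-12T03:14:09Z udp 192.168.1.50:53211 -> 192.168.1.1:53 dns=proxy-sdk.14emeliaterracewestroxburyma02132.su
2025-10-12T03:15:00Z tcp 192.168.1.20:50001 -> 93.184.216.34:443
2025-10-12T03:15:30Z udp 192.168.1.20:50002 -> 192.168.1.1:53 dns=example.com
2025-10-12T03:16:11Z tcp 198.51.100.9:55555 -> 192.168.1.50:5555
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: dns=(?P<qname>\S+))?$"
)

def analyze(log_text, internal_net=INTERNAL_NET):
    """Return (alert_type, internal_host, detail) tuples in log order."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not fit the constructed format are skipped
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        # Exposed ADB: a host outside our network reaching TCP/5555 on an internal host.
        if (m["proto"] == "tcp" and int(m["dport"]) == ADB_TCP_PORT
                and dst in internal_net and src not in internal_net):
            alerts.append(("exposed_adb", str(dst), f"inbound adb from {src}"))
        # C2 lookup: an internal host resolving the known domain or any subdomain of it.
        qname = (m["qname"] or "").lower().rstrip(".")
        if qname == KIMWOLF_C2_DOMAIN or qname.endswith("." + KIMWOLF_C2_DOMAIN):
            alerts.append(("kimwolf_c2_dns", str(src), qname))
    return alerts

def hosts_by_alert(alerts):
    """Group alert types per internal host so a device with both indicators stands out."""
    grouped = defaultdict(set)
    for kind, host, _ in alerts:
        grouped[host].add(kind)
    return dict(grouped)
```

A host that shows both alert types, like 192.168.1.50 in the sample, is the one to isolate and inspect first.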
Further investigations uncovered that Kimwolf operators attempted to monetize proxy bandwidth through upfront payments on various platforms. Notably, Lumen’s Black Lotus Labs detected SSH connections originating from Canadian IPs linked to AISURU’s command-and-control infrastructure. They also identified domains tied to Utah-based hosting provider Resi Rack LLC, which promotes itself as a game server host but appears implicated in facilitating proxy service abuse. Independent reporting highlighted that key actors behind proxy services sold access on a now-defunct Discord server called resi.to, believed to be operated by individuals connected to the botnet command structure.
The botnet’s growth spiked dramatically in October 2025, with a 300 percent increase in new bots over a week, peaking at 800,000 bots by mid-month. These bots were frequently listed for sale on a single residential proxy platform. Between October and November 2025, Kimwolf’s infrastructure exploited vulnerabilities in multiple proxy services, such as PYPROXY, to identify and infect devices on internal residential networks. This technique allows the botnet to expand by turning infected devices into proxy nodes, which can be leased to criminals and used for malicious scanning and propagation activities.
In parallel, reports detailed a sophisticated proxy network of over 800 compromised KeeneticOS routers across Russian ISPs. These routers, likely compromised via stolen credentials, embedded backdoors, or firmware flaws, function as residential proxy nodes that mask malicious traffic by blending it with regular consumer internet usage. This tactic challenges detection systems, which often rely on IP reputation and hosting provider lists, as residential endpoints maintain legitimate reputations, enabling cybercriminals to operate beneath typical security thresholds.
Lumen’s Black Lotus Labs’ ongoing efforts to disrupt AISURU/Kimwolf illustrate threat actors’ growing reliance on consumer devices to support large proxy networks and DDoS campaigns. The case highlights how hard it is to defend against attacks that exploit trusted residential infrastructure, and the importance of continuous threat intelligence and network hygiene in mitigating such risks.