Kimwolf botnet\u2019s swift rise to 2M infected devices agitates security researchers | CyberScoop<\/title> <meta name=\"description\" content=\"The botnet took an unusual path by abusing residential proxy networks, allowing it to control an untapped collection of unofficial Android TV devices.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/kimwolf-aisuru-botnet-lumen-technologies\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Kimwolf botnet\u2019s swift rise to 2M infected devices agitates security researchers\"> <meta property=\"og:description\" content=\"The botnet took an unusual path by abusing residential proxy networks, allowing it to control an untapped collection of unofficial Android TV devices.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/kimwolf-aisuru-botnet-lumen-technologies\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-01-14T20:00:20+00:00\"> <meta property=\"article:modified_time\" content=\"2026-01-14T20:00:23+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/kimwolf-botnets-swift-rise-to-2m-infected-devices-agitates-security-researchers-2.jpg\"> <meta property=\"og:image:width\" content=\"2121\"> <meta property=\"og:image:height\" content=\"1414\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1765909325g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1768337335g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1767808656g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/87426\"><meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=87426\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fkimwolf-aisuru-botnet-lumen-technologies%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fkimwolf-aisuru-botnet-lumen-technologies%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-87426 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/kimwolf-aisuru-botnet-lumen-technologies\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.795275590551\">\n<div class=\"single-article__header-content\" readability=\"31.875\">\n<p> The botnet took an unusual path by abusing residential proxy networks, allowing it to control an untapped collection of unofficial Android TV devices. <\/p>\n<p>   <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/kimwolf-botnets-swift-rise-to-2m-infected-devices-agitates-security-researchers.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"Digital generated image of multicolored particles forming eye shape against black background. (Getty Images)\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/kimwolf-botnets-swift-rise-to-2m-infected-devices-agitates-security-researchers-2.jpg 2121w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/kimwolf-botnets-swift-rise-to-2m-infected-devices-agitates-security-researchers-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/kimwolf-botnets-swift-rise-to-2m-infected-devices-agitates-security-researchers-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/kimwolf-botnets-swift-rise-to-2m-infected-devices-agitates-security-researchers-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/kimwolf-botnets-swift-rise-to-2m-infected-devices-agitates-security-researchers-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/kimwolf-botnets-swift-rise-to-2m-infected-devices-agitates-security-researchers-2.jpg?resize=2048,1365 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/kimwolf-botnets-swift-rise-to-2m-infected-devices-agitates-security-researchers-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/kimwolf-botnets-swift-rise-to-2m-infected-devices-agitates-security-researchers-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/kimwolf-botnets-swift-rise-to-2m-infected-devices-agitates-security-researchers-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/kimwolf-botnets-swift-rise-to-2m-infected-devices-agitates-security-researchers-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/kimwolf-botnets-swift-rise-to-2m-infected-devices-agitates-security-researchers-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> Digital generated image of multicolored particles forming eye shape against black background. (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"44.526935605111\"><body readability=\"90.417519908987\"><\/p>\n<p>The Kimwolf botnet, which splintered off from the record-setting Aisuru DDoS botnet in August, gained the widespread attention of security researchers when it temporarily claimed the <a href=\"https:\/\/radar.cloudflare.com\/domains?dateStart=2025-10-15&dateEnd=2025-10-31\">top spot in Cloudflare\u2019s global domain rankings<\/a> in late October 2025.<\/p>\n<p>Within weeks it spread like a wildfire, eventually taking over <a href=\"https:\/\/synthient.com\/blog\/a-broken-system-fueling-botnets\">more than 2 million<\/a> unofficial Android TV devices, according to Synthient, after its operators figured out how to abuse residential proxy networks for local control.<\/p>\n<p>\u201cThat is an untapped population of bots that they were able to access that nobody else was able to access from a botnet perspective,\u201d Chris Formosa, senior lead information security engineer at Lumen Technologies\u2019 Black Lotus Labs, told CyberScoop.<\/p>\n<p>Formosa, who has been monitoring the rise of Aisuru for more than a year, said the <a href=\"https:\/\/cyberscoop.com\/rapper-bot-ddos-botnet-disrupted\/\">seizure of Rapper Bot<\/a> paired with the arrest of its alleged leader in August paved the way for Aisuru and Kimwolf, which are run by some of the same cybercriminals, to gain full strength.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Behind the scenes, Lumen, along with industry partners, had gathered enough evidence on Kimwolf\u2019s backend to spring into action, by null-routing or dropping packets originating from the botnet\u2019s command and control (C2) infrastructure. <\/p>\n<p>Since early October, Lumen has blocked more than 550 C2s or IP addresses linked to Aisuru and Kimwolf\u2019s servers, said Ryan English, information security engineer at Black Lotus Labs.<\/p>\n<p>Lumen\u2019s efforts caught the ire of Kimwolf\u2019s operators, who responded by loading a profane greeting to the global network operator in a DDoS payload. This type of provocation, which Kimwolf\u2019s operators have often leaned into, is a clear sign the group is financially motivated and not supported by a nation-state, according to Formosa.<\/p>\n<p>Kimwolf\u2019s DDoS attacks are generally deployed in short bursts of one-to-two minutes, but some attacks have extended for hours, Formosa said. <\/p>\n<p>\u201cPrimarily, it seems like Minecraft is one of their favorites. Almost every day you can see Minecraft servers constantly getting blown up,\u201d he added.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Technical research published by <a href=\"https:\/\/blog.xlab.qianxin.com\/kimwolf-botnet-en\/\">XLab<\/a>, Synthient and <a href=\"https:\/\/www.linkedin.com\/pulse\/keeping-kimwolf-bay-putting-leash-massive-ddos-botnet-t1pyc\/\">Lumen<\/a> demonstrates how the botnet\u2019s operators have quickly spun up and abandoned infrastructure or shifted tactics to evade detection and remain operational. Researchers are hopeful Kimwolf has already reached its maximum potential, yet the botnet\u2019s operators could still exploit another proxy service and take over a new assortment of devices. <\/p>\n<p>Kimwolf hasn\u2019t targeted critical infrastructure thus far, but it has the potential to cause severe damage if it were used for that purpose. Meanwhile, the malicious traffic the botnet controls isn\u2019t harmless \u2014 DDoS attacks can spread beyond intended targets by causing downtime, congesting data and affecting unrelated services and operations.<\/p>\n<p>In September, just as Kimwolf was forming, the Aisuru botnet achieved a record-breaking <a href=\"https:\/\/blog.cloudflare.com\/ddos-threat-report-2025-q3\/\">29.7 terabits-per-second DDoS attack<\/a> that lasted 69 seconds, according to Cloudflare.<\/p>\n<p>\u201cThis is one of those really dangerous things that you see lying around that you just can\u2019t leave lying around, and hope that nobody with really bad intentions decides to pick it up and use it,\u201d English said. <\/p>\n<p>DDoS attacks aren\u2019t the most captivating form of cybercrime, but they still work and they are growing exponentially in size, he added. \u201cThat\u2019s the thing about defense in cybersecurity. You\u2019ve got to let them know that somebody is going to try to stop them.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.7784810126582\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/kimwolf-botnets-swift-rise-to-2m-infected-devices-agitates-security-researchers-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/kimwolf-aisuru-botnet-lumen-technologies\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kimwolf botnet\u2019s swift rise to 2M infected devices agitates security<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[5787,2707,3470,282,78,5788,2952,5789,288,5790],"tags":[5791,2709,3474,286,86,5792,2955,5793,294,5794],"class_list":["post-8262","post","type-post","status-publish","format-standard","hentry","category-aisuru","category-black-lotus-labs","category-botnet","category-cybercrime","category-cybersecurity","category-kimwolf","category-lumen-technologies","category-synthient","category-threats","category-xlab","tag-aisuru","tag-black-lotus-labs","tag-botnet","tag-cybercrime","tag-cybersecurity","tag-kimwolf","tag-lumen-technologies","tag-synthient","tag-threats","tag-xlab"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/aisuru\/\" rel=\"category tag\">Aisuru<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/black-lotus-labs\/\" rel=\"category tag\">Black Lotus Labs<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/botnet\/\" rel=\"category tag\">botnet<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/kimwolf\/\" rel=\"category tag\">Kimwolf<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/lumen-technologies\/\" rel=\"category tag\">Lumen Technologies<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/synthient\/\" rel=\"category tag\">Synthient<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/xlab\/\" rel=\"category tag\">XLab<\/a>","tag_info":"XLab","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8262","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8262"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8262\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8262"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8262"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8262"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8262,"date":"2026-01-14T14:00:20","date_gmt":"2026-01-14T20:00:20","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=87426"},"modified":"2026-01-14T14:00:20","modified_gmt":"2026-01-14T20:00:20","slug":"kimwolf-botnets-swift-rise-to-2m-infected-devices-agitates-security-researchers","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/01\/14\/kimwolf-botnets-swift-rise-to-2m-infected-devices-agitates-security-researchers\/","title":{"rendered":"Kimwolf botnet\u2019s swift rise to 2M infected devices agitates security researchers"},"content":{"rendered":"