Lumen Spotted More Than 500 Command and Control Servers Since October

A major U.S. internet service provider said it has blocked incoming traffic to more than 550 command and control servers, identified over the past four months, that administer the Kimwolf and Aisuru botnets.
Kimwolf has grown to encompass at least 2 million devices through a novel technique that begins with hacking already compromised Android TV set-top boxes, research from cybersecurity startup Synthient disclosed earlier this year.
Kimwolf operators scan for vulnerable Android devices that other bad actors have already preloaded with malware that converts the devices into residential proxies. Hackers value residential proxies because they can route malicious activity so that it looks like ordinary internet traffic originating from a suburban TV. The flaw operators scan for is an exposed Android Debug Bridge service. ADB is a command line tool that lets developers remotely access devices.
Kimwolf is a successor to the Aisuru botnet. The two are almost certainly operated by the same cybercrime group, Chinese cybersecurity firm Xlab concluded last December in a blog post highlighted by independent cybersecurity reporter Brian Krebs.
“Over a brief period, the daily average of bots grew from 50,000 to 200,000,” wrote Black Lotus Labs, Lumen’s threat research unit. Kimwolf is able to spread quickly due to an unusual feature, Synthient analysis found. Rather than only pressing a single compromised Android device into its botnet, it exploits domain name system settings to discover and exploit other devices on the same local network. One Android device doubling as a residential proxy is a gateway to a slew of devices that become bots.
Synthient observed Kimwolf operators reselling proxy bandwidth and selling access to botnets to launch distributed denial of service attacks. “In early October, we observed a 300% surge in the number of new bots added to Kimwolf over a seven-day period, which was the start of an increase that reached 800,000 total bots by mid-month. Nearly all of the bots in this surge were found listed for sale on a single residential proxy service,” Black Lotus Labs said.
Black Lotus Labs began to identify Aisuru backend C2 servers after noticing that their hostnames contained the phrase 14emeliaterracewestroxburyma02132.su. At one point in October, a domain with that phrase exceeded Google.com in domain rankings kept by Cloudflare, observed Xlab.
Network security firm Infoblox on Wednesday said a scan of its cloud customers found that a quarter made a query to a known Kimwolf domain since Oct. 1. “To be clear, this suggests that nearly 25% of customers had at least one device that was an endpoint in a residential proxy service targeted by Kimwolf operators,” the firm wrote.
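The two detection approaches described above, Black Lotus Labs keying on a hostname phrase and Infoblox counting the share of clients that queried a known Kimwolf domain, applied to DNS query logs. This is an added Python example, not code from the article or from either vendor; the log lines, the log format and the block list are constructed for illustration, and only the indicator phrase comes from the article.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log: "<timestamp> <client IP> <query name>" per line.
# These entries are invented; only the indicator phrase below is from the article.
SAMPLE_DNS_LOG = """\
2025-10-03T08:12:01Z 10.0.4.21 www.example.com
2025-10-03T08:12:07Z 10.0.4.21 cdn.example.net
2025-10-03T08:13:44Z 10.0.4.37 c2-14emeliaterracewestroxburyma02132.su
2025-10-03T08:14:02Z 10.0.4.52 update.example.org
2025-10-03T08:15:19Z 10.0.4.37 a1.14emeliaterracewestroxburyma02132.su
2025-10-03T08:16:30Z 10.0.4.88 mail.example.com
"""

# Substring Black Lotus Labs reported seeing in Aisuru/Kimwolf C2 hostnames.
INDICATOR_PHRASE = "14emeliaterracewestroxburyma02132.su"

# Hypothetical block list of known C2 domains, as a defender would load from a feed.
KNOWN_C2_DOMAINS = {"14emeliaterracewestroxburyma02132.su"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def is_suspicious(qname: str) -> bool:
    """Flag a query name that contains the indicator phrase or sits under a listed C2 domain."""
    name = qname.lower().rstrip(".")
    if INDICATOR_PHRASE in name:
        return True
    return any(name == d or name.endswith("." + d) for d in KNOWN_C2_DOMAINS)


def find_affected_clients(log_text: str) -> dict:
    """Map each client IP to the suspicious query names it issued."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing on them
        _ts, client, qname = m.groups()
        if is_suspicious(qname):
            hits[client].append(qname)
    return dict(hits)


def affected_fraction(log_text: str) -> float:
    """Share of distinct clients with at least one suspicious query (Infoblox's 25%-style figure)."""
    clients = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            clients.add(m.group(2))
    if not clients:
        return 0.0
    return len(find_affected_clients(log_text)) / len(clients)
```

A query to a C2 domain shows that a device on the network is enrolled in the proxy service, not that the DNS resolver itself is compromised, so the affected client IPs are the leads to investigate.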
Between Oct. 20 and Nov. 6, 2025, Kimwolf’s C2 infrastructure scanned for available PYPROXY and other vulnerable device connections. In turn, the IP addresses of 2 million infected Android devices were made public.
Threat actors typically list these IP addresses online for rent; the leased access then uses the infected node to propagate further into other vulnerable networks.
Cybersecurity companies and the FBI have stepped up efforts to crack down on residential proxies, although they continue to propagate through off-label digital devices primarily manufactured in China, whether through a corrupted supply chain or with the connivance of manufacturers (see: FBI Warns of BADBOX 2.0 Botnet Surge in Chinese Devices).
