A massive, sprawling DDoS and proxy botnet, known as Kimwolf, has recently shown increased activity, growing to more than two million infected devices since August 2025. These millions of Android devices are globally distributed and quietly conscripted into DDoS campaigns without phishing or exploit chains. On the surface, these devices seem unremarkable and nonthreatening, while behind the scenes, they are being used to launch large-scale DDoS attacks.
Infection Before Installation
Recent research from threat intelligence firm Synthient reveals the state of the Kimwolf botnet and its growth. The most unsettling finding in the report is that many of the affected devices are compromised right out of the box, with no further action by threat actors needed to plant malware on the device.
Synthient analyzed exposed devices and found that two-thirds (67%) of the Android devices it examined were unauthenticated. Many of these devices were found to have shipped already infected with proxy software development kits (SDKs), which enable Kimwolf's malicious activity.
Geography of a Silent Epidemic
The Kimwolf botnet is distributed across the globe, with over two million Android devices infected worldwide and around 12 million unique IP addresses used weekly. There are heavy concentrations of affected devices in Vietnam, Brazil, India, and Saudi Arabia, demonstrating the botnet's broad reach.
Low-cost hardware markets and weak enforcement make ideal hunting grounds for Kimwolf, as they are more likely to contain devices that are unprotected and infected out of the box. Because manufacturing practices and regulations differ between countries, compromises like this occur more easily in some environments than in others, but significant numbers of affected devices are found across many regions.
Why These Devices Are Perfect Weapons
The specific devices affected by Kimwolf—primarily smart TVs and streaming boxes—create an ideal environment for use in these attacks. These devices are always on and rarely monitored for security, and they often go unpatched as users forgo updates for long periods of time. They are also connected directly to high-bandwidth home networks, enabling their use in proxy DDoS attacks.
Previous major discoveries of botnets and attackers targeting similar devices underscore how widely vulnerable this class of technology is. Devices that arrive pre-infected out of the box are an added advantage for threat actors, since no further exploitation is needed.
The Grafana Window Into the Machine
The research team at Synthient uncovered an exposed Grafana instance and obtained a screenshot of it, offering insight into the botnet's backend monitoring infrastructure. This helps to confirm both the widespread geographic distribution of the botnet and the massive spike in activity over the past two months. It also reveals a constantly rotating pool of residential IPs in use, indicating that the botnet cycles through different IPs over time rather than relying on a static set of devices in constant use.
DDoS at Consumer Scale
The use of millions of modest home devices without their owners' knowledge enables Kimwolf to launch massive attacks that overwhelm major websites. Many small streams, unsuspected by those buying and using the devices at home, combine into a flood that enables much larger attacks. Using a large number of home devices—many of which are pre-infected without the need for phishing or exploits—means that these attacks are difficult to block without causing collateral damage: each source sends only a trickle of traffic, and blocking its address also cuts off the legitimate residential network behind it.
A Supply Chain Failure, Not a User Failure
These attacks are not the result of the device owners and users being careless about security, but rather the result of a failure in the supply chain. Opaque manufacturing practices, unverified firmware, and an ecosystem that rewards speed and low cost over security create a perfect storm of unauthenticated and vulnerable devices. The average consumer has little power to prevent the infection or malicious use of their Android devices when the manufacturing and distribution environment is not adequately secured.
The lack of transparency and oversight is a pervasive issue throughout the systems that produce and distribute these devices. “Kimwolf highlights a systemic failure across supply chains, device security, and network defense,” according to April Lenhard, Principal Product Manager, Cyber Threat Intelligence at Qualys. “IoT devices are now easily weaponized platforms where attacks are cheaper, anonymous, and resilient at an unprecedented scale.”
What This Means for Defenders
The widespread presence of the Kimwolf botnet has significant implications for enterprises, internet service providers, and policymakers. “For organizations, this means every unmanaged device on a remote employee’s home network is a risk enabler,” says Crystal Morin, Senior Cybersecurity Strategist at Sysdig. “While these devices typically don’t connect to corporate networks in most cases, their presence on the same home Wi-Fi network as a work laptop can create an opportunity for lateral movement, adversary-in-the-middle attacks, DDoS campaigns, or endpoint abuse.”
Device owners and users should also exercise healthy caution regarding new devices rather than assuming they are secure by default. User education and prompt updates are crucial to keeping devices secure against attacks like this. Traditional defenses developed to combat botnets often struggle to identify threats that look like normal household traffic, which calls for a different approach and more advanced security measures.
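As an added illustration that is not part of the original article or of Synthient's research, the following Python script runs over constructed web-server request records and shows the two points made above under "DDoS at Consumer Scale" and "What This Means for Defenders": a classic per-source rate limit catches one noisy client but misses a flood spread over many residential addresses that each send only a handful of requests, while an aggregate per-window view catches the flood and also shows that blocking its sources would hit hundreds of home networks. All IP addresses (documentation ranges), timestamps, thresholds and the baseline rate are constructed assumptions, not values from the report.

```python
"""Per-source vs. aggregate detection of a low-and-slow distributed flood.

Added example; the request records below are constructed, not real traffic.
"""
from collections import Counter, defaultdict

WINDOW = 10               # seconds per analysis window (assumption)
PER_IP_THRESHOLD = 30     # requests per window before a single IP is flagged (assumption)
BASELINE_RPS = 0.5        # assumed normal site-wide request rate
MULTIPLIER = 5            # aggregate alert when rate exceeds MULTIPLIER x baseline


def make_sample():
    """Constructed records: (timestamp_seconds, client_ip, path)."""
    events = []
    # 1) Legitimate background traffic: 20 clients, 2 requests each over 60 s.
    for i in range(20):
        ip = f"203.0.113.{i + 1}"            # TEST-NET-3 documentation range
        events.append((i * 3, ip, "/"))
        events.append((i * 3 + 1, ip, "/index.html"))
    # 2) One abusive client: 50 requests in under 10 s (classic single-source abuse).
    for k in range(50):
        events.append((20 + k * 0.2, "198.51.100.7", "/login"))
    # 3) Distributed flood: 240 distinct "residential" IPs, only 5 requests each,
    #    all landing in the 40-50 s window.
    for j in range(240):
        ip = f"192.0.2.{j + 1}"              # TEST-NET-1 documentation range
        for r in range(5):
            events.append((40 + ((j * 5 + r) % 100) / 10.0, ip, "/"))
    return events


def per_source_detector(events, threshold=PER_IP_THRESHOLD, window=WINDOW):
    """Classic per-IP rate limit: flag any IP exceeding `threshold` requests
    inside any sliding window of `window` seconds."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(ip)
                break
    return flagged


def aggregate_detector(events, window=WINDOW, baseline_rps=BASELINE_RPS,
                       multiplier=MULTIPLIER):
    """Site-wide view: alert on windows whose total request rate is abnormal,
    and record how many distinct sources contributed and how concentrated it was."""
    buckets = defaultdict(list)
    for ts, ip, _ in events:
        buckets[int(ts // window)].append(ip)
    alerts = []
    for b in sorted(buckets):
        ips = buckets[b]
        rps = len(ips) / window
        if rps > multiplier * baseline_rps:
            counts = Counter(ips)
            top_share = counts.most_common(1)[0][1] / len(ips)
            alerts.append({
                "window_start": b * window,
                "requests_per_second": rps,
                "distinct_sources": len(counts),
                "top_source_share": round(top_share, 3),
            })
    return alerts


def classify(alert, min_sources=100, max_top_share=0.05):
    """'distributed' means no single source dominates and many sources took part,
    so per-IP blocking would both fail to stop it and cause collateral damage."""
    if alert["distinct_sources"] >= min_sources and alert["top_source_share"] <= max_top_share:
        return "distributed"
    return "single-source"


if __name__ == "__main__":
    evts = make_sample()
    print("per-source detector flagged:", sorted(per_source_detector(evts)))
    for a in aggregate_detector(evts):
        print(f"window {a['window_start']}s: {a['requests_per_second']:.1f} req/s, "
              f"{a['distinct_sources']} sources, top share {a['top_source_share']} "
              f"-> {classify(a)}")
```

The per-source detector flags only 198.51.100.7; every flood participant stays far below the threshold. The aggregate detector flags both the 20 s and 40 s windows, and the classification of the second one as distributed (244 sources, none above 1% of the traffic) is the signal that mitigation has to happen upstream or on aggregate behaviour rather than by blocking individual home addresses.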
Rethinking Trust in Consumer Tech
The Kimwolf botnet is not an anomaly or an isolated incident, but a preview of the type of threat that can arise from current technology manufacturing and distribution practices. Without accountability and baseline security standards being enforced, the use of consumer devices as botnet proxies is not difficult for threat actors to pull off. The next major botnet threat may already be sitting on store shelves, waiting for consumer adoption to launch attacks.