Kimwolf Botnet Infiltrates Government & Corporate Networks via IoT Devices
A new IoT botnet named Kimwolf has infected over 2 million devices, forcing them to participate in massive DDoS attacks and relay other malicious traffic. Its ability to scan the local networks of compromised systems for additional IoT devices makes it a significant threat to organizations. Research indicates Kimwolf is surprisingly prevalent in government and corporate networks.

The botnet grew rapidly in late 2025 by exploiting 'residential proxy' services, tricking them into relaying malicious commands to devices on the local networks of those proxy endpoints. Residential proxies are sold to anonymize and localize web traffic, with major services allowing traffic to be routed through devices around the globe. The malware that turns an internet connection into a proxy node is often bundled with mobile apps and games, forcing infected devices to relay malicious traffic including ad fraud, account takeover attempts, and mass content-scraping.

Kimwolf primarily targeted proxies from IPIDEA, a Chinese service with millions of proxy endpoints for rent weekly. The operators discovered they could forward malicious commands to the internal networks of IPIDEA proxy endpoints.
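
One defensive control against relaying into a proxy endpoint's internal network, as described above, is a destination policy applied on the proxy node or at its network egress. The following is an added example, not code from the article, IPIDEA or any proxy vendor; the function names, the injected resolver and the sample requests are constructed for illustration.

```python
import ipaddress

# Ranges a proxy node should refuse to relay into: RFC 1918, loopback,
# link-local, CGNAT, "this network", and the IPv6 equivalents.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot bypass the IPv4 list.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)

def relay_allowed(host, resolve):
    """Return (allowed, reason) for a requested proxy destination."""
    # `resolve` (hypothetical, injected) maps a hostname to a list of IP strings.
    # The relay must connect to exactly the addresses checked here; a second
    # lookup at connect time could return a different, internal answer.
    try:
        addrs = [str(ipaddress.ip_address(host.strip("[]")))]
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, "unresolvable"
    for a in addrs:
        if is_internal(a):
            return False, "internal destination " + a
    return True, "ok"

# Constructed sample data: a stand-in resolver and requested destinations.
FAKE_DNS = {"cdn.example": ["203.0.113.10"], "printer.lan.example": ["192.168.0.44"]}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])

SAMPLE_REQUESTS = ["cdn.example", "192.168.1.20", "[::ffff:10.0.0.5]",
                   "printer.lan.example", "169.254.169.254"]

def audit(requests, resolve=fake_resolve):
    """Return the requested destinations the policy would refuse."""
    return [h for h in requests if not relay_allowed(h, resolve)[0]]

if __name__ == "__main__":
    for host in SAMPLE_REQUESTS:
        print(host, relay_allowed(host, fake_resolve))
```

The same range list can be applied to existing proxy or firewall logs to find relay requests that already targeted internal addresses.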