Researchers Null-Route 550+ Kimwolf & Aisuru Botnet C2 Servers

Researchers at Black Lotus Labs, the threat intelligence arm of Lumen Technologies, have null-routed traffic to more than 550 command-and-control (C2) servers tied to the AISURU/Kimwolf botnet, so traffic destined for those servers is now dropped on Lumen's network. The action disrupts one of the largest active botnet infrastructures.

Botnet Overview

  • AISURU: A large-scale botnet used for DDoS attacks and malicious traffic relays.
  • Kimwolf (Android variant): Targets unsanctioned Android TV streaming devices with exposed ADB services, turning them into residential proxy nodes.
  • Scale: Over 2 million Android devices compromised, with 800,000 new bots added in October 2025 alone.

How Kimwolf Works

  • Delivered via the ByteConnect SDK, bundled into untrusted third-party apps or pre-installed on TV boxes.
  • Converts infected devices into residential proxies and leases their bandwidth to threat actors.
  • Abuses flaws in residential proxy services (e.g., PYPROXY) to reach devices inside internal networks and drop malware on them.
  • Propagates by scanning for other devices with ADB exposed over TCP (port 5555 by default) and infecting them through that debug interface.
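The propagation step above relies on devices answering ADB over TCP without authentication. The following probe, an added example written for this page and not code from Black Lotus Labs or the botnet, sends the same opening CNXN message that `adb connect` sends and classifies the reply, so a defender can audit their own LAN for boxes that would accept a Kimwolf-style connection. The ADB wire format is the public AOSP one; the `SAMPLE_OPEN_REPLY` banner (product name, model and device strings) is constructed for illustration.

```python
"""Probe a host for ADB exposed over TCP and tell an unauthenticated device
from one that demands RSA auth.  Added example, not the page's code.

ADB wire format (AOSP protocol.txt, little-endian): a 24-byte header of six
uint32 fields -- command, arg0, arg1, data_length, data_check, magic -- where
magic = command ^ 0xffffffff and data_check is the byte sum of the payload,
followed by data_length bytes of payload.  A host opens with
CNXN(version, maxdata, "host::\0").  A device with no auth requirement replies
CNXN("device::<props>"); one that requires pairing replies AUTH with a token.
"""
import socket
import struct

A_CNXN = 0x4E584E43        # "CNXN"
A_AUTH = 0x48545541        # "AUTH"
A_VERSION = 0x01000000
MAX_PAYLOAD = 4096
HEADER = struct.Struct("<IIIIII")


def build_message(command: int, arg0: int, arg1: int, payload: bytes = b"") -> bytes:
    """Serialize one ADB message (header + payload)."""
    check = sum(payload) & 0xFFFFFFFF
    return HEADER.pack(command, arg0, arg1, len(payload), check, command ^ 0xFFFFFFFF) + payload


def build_cnxn() -> bytes:
    """The opening CNXN a host sends; identical in shape to `adb connect`."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")


def parse_message(buf: bytes) -> dict:
    """Parse a reply; rejects anything that is not a well-formed ADB message."""
    if len(buf) < HEADER.size:
        raise ValueError("short header")
    command, arg0, arg1, length, check, magic = HEADER.unpack_from(buf)
    if magic != (command ^ 0xFFFFFFFF):
        raise ValueError("bad magic: not ADB")
    payload = buf[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    # Newer ADB (protocol >= 0x01000001) sends data_check = 0; verify only if set.
    if check and (sum(payload) & 0xFFFFFFFF) != check:
        raise ValueError("checksum mismatch")
    return {"command": command, "arg0": arg0, "arg1": arg1, "payload": payload}


def classify(reply: bytes) -> tuple:
    """Return ("open-adb", props), ("auth-required", {}) or ("unknown", {})."""
    msg = parse_message(reply)
    if msg["command"] == A_CNXN:
        banner = msg["payload"].rstrip(b"\x00").decode("ascii", "replace")
        props_part = banner.split("::", 1)[-1]          # "device::k=v;k=v;..."
        props = dict(kv.split("=", 1) for kv in props_part.split(";") if "=" in kv)
        return "open-adb", props
    if msg["command"] == A_AUTH:
        return "auth-required", {}
    return "unknown", {}


def _recv_exact(sock, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed")
        data += chunk
    return data


def probe(host: str, port: int = 5555, timeout: float = 3.0) -> tuple:
    """Connect, send CNXN, read one reply, classify it.  Probe only hosts you own."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_cnxn())
        head = _recv_exact(sock, HEADER.size)
        length = HEADER.unpack(head)[3]
        return classify(head + _recv_exact(sock, length))


# Constructed reply modelled on what an unauthenticated TV box returns
# (product/model strings are made up for this example).
SAMPLE_OPEN_REPLY = build_message(
    A_CNXN, A_VERSION, MAX_PAYLOAD,
    b"device::ro.product.name=tvbox;ro.product.model=X96;ro.product.device=p212;features=cmd,shell_v2\x00",
)

if __name__ == "__main__":
    print(classify(SAMPLE_OPEN_REPLY))   # offline demo; use probe(host) on a real LAN
```

A device that answers `open-adb` will accept `adb shell` and `adb install` from anyone who can reach port 5555, which is exactly the condition the botnet scans for; `auth-required` means the box at least demands a paired RSA key, though it is still advertising ADB to the network and should have TCP debugging turned off.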

Key Findings

  • C2 domains:
    • proxy-sdk.14emeliaterracewestroxburyma02132[.]su
    • greatfirewallisacensorshiptool.14emeliaterracewestroxburyma02132[.]su
  • Hosting link: Domains resolved to IPs at Resi Rack LLC, a U.S.-based “game server hosting provider.”
  • Proxy monetization: Botmasters sold access via Discord server resi[.]to, run by individuals known as “Dort” and “Snow.”
  • Traffic surge: After the null-routing, the operators shifted to new domains, and traffic to malware-hosting infrastructure spiked.

Related Threat Activity

  • Russian ISP routers: A report from Chawkr found 832 KeeneticOS routers compromised across Russian ISPs (Net By Net, VladLink, GorodSamara).
  • Exploitation methods: Stolen credentials, embedded backdoors, or firmware flaws.
  • Residential proxy advantage:
    • Clean IP reputation.
    • Blends malicious traffic with normal consumer activity.
    • Evades detection compared to datacenter IPs.

Risks

  • Residential proxies: Provide attackers with stealth infrastructure for fraud, credential stuffing, and multi-stage attacks.
  • Consumer devices: Poorly secured TV boxes and routers are increasingly weaponized.
  • Detection challenges: Traffic appears legitimate, bypassing many reputation-based defenses.

Defensive Recommendations

  • Network monitoring: Look for anomalous SSH/HTTP traffic from consumer devices, and for devices scanning or connecting to ADB (TCP 5555) on other hosts in the network.
  • Patch & harden: Disable ADB over TCP on Android TV boxes, keep router firmware current, and never expose ADB/SSH management interfaces beyond the LAN.
  • Threat intel feeds: Incorporate IoCs from CERTs and Black Lotus Labs to block C2 domains/IPs at DNS and at the perimeter.
  • Proxy awareness: Treat traffic from residential proxy ranges with higher scrutiny in fraud and abuse detection, since a clean IP reputation no longer implies a clean client.
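The monitoring and threat-intel recommendations above combine into a small detection the SOC can run over DNS and flow logs. The script below is an added example, not code from Black Lotus Labs; it uses the two C2 domains listed under Key Findings (refanged from the page's `[.]` form) plus the ADB propagation port, and runs over constructed sample log lines in a simple `timestamp client qname` / `timestamp src dst dport` layout. The consumer subnets are an assumption about where TV boxes sit in a home or branch network.

```python
"""Flag hosts that resolve Kimwolf C2 domains or scan the LAN for ADB (5555).
Added example for this page; log formats and subnets are constructed."""
import ipaddress
import re

# Indicator from the report (page shows it defanged as ...02132[.]su).
C2_DOMAIN_SUFFIX = "14emeliaterracewestroxburyma02132.su"
ADB_PORT = 5555
# Assumption: RFC1918 ranges where consumer TV boxes and routers live.
CONSUMER_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]

DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+)$")
FLOW_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+)$")


def is_c2_domain(qname: str) -> bool:
    """Exact or subdomain match on the C2 apex; a mere suffix overlap does not count."""
    q = qname.rstrip(".").lower()
    return q == C2_DOMAIN_SUFFIX or q.endswith("." + C2_DOMAIN_SUFFIX)


def in_consumer_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CONSUMER_NETS)


def scan_dns_log(lines) -> list:
    """Return (client, qname) for every query to the C2 apex or a subdomain of it."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if m and is_c2_domain(m["qname"]):
            hits.append((m["client"], m["qname"].rstrip(".").lower()))
    return hits


def scan_flow_log(lines) -> list:
    """Return (src, dst) for internal-to-internal connections to ADB's TCP port,
    the pattern produced by Kimwolf scanning neighbours for exposed ADB."""
    hits = []
    for line in lines:
        m = FLOW_LINE.match(line.strip())
        if not m or int(m["dport"]) != ADB_PORT:
            continue
        if in_consumer_net(m["src"]) and in_consumer_net(m["dst"]):
            hits.append((m["src"], m["dst"]))
    return hits


def summarize(dns_lines, flow_lines) -> dict:
    """Per-host set of findings, keyed by the suspicious internal host."""
    report = {}
    for client, qname in scan_dns_log(dns_lines):
        report.setdefault(client, set()).add("c2-dns:" + qname)
    for src, dst in scan_flow_log(flow_lines):
        report.setdefault(src, set()).add("adb-probe:" + dst)
    return report


# Constructed sample logs (not real telemetry).
SAMPLE_DNS_LOG = [
    "2025-10-14T03:12:07Z 192.168.1.50 proxy-sdk.14emeliaterracewestroxburyma02132.su.",
    "2025-10-14T03:12:09Z 192.168.1.50 www.example.com.",
    "2025-10-14T03:13:40Z 192.168.1.77 greatfirewallisacensorshiptool.14emeliaterracewestroxburyma02132.su",
    "2025-10-14T03:14:00Z 192.168.1.20 notthe14emeliaterracewestroxburyma02132.su",  # must NOT match
]
SAMPLE_FLOW_LOG = [
    "2025-10-14T03:15:01Z 192.168.1.50 192.168.1.51 5555",
    "2025-10-14T03:15:01Z 192.168.1.50 192.168.1.52 5555",
    "2025-10-14T03:15:02Z 192.168.1.50 93.184.216.34 443",
    "2025-10-14T03:15:03Z 192.168.1.20 192.168.1.1 53",
]

if __name__ == "__main__":
    for host, findings in sorted(summarize(SAMPLE_DNS_LOG, SAMPLE_FLOW_LOG).items()):
        print(host, sorted(findings))
```

The domain check deliberately requires a label boundary, so a look-alike such as the `notthe...` line in the sample is not flagged; the flow check only fires on internal-to-internal 5555 traffic, which is what distinguishes lateral ADB scanning from, say, a developer's workstation reaching a single known test device, and a host that appears in both lists (192.168.1.50 in the sample) is the one to pull off the network first.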

Takeaway

The takedown of 550+ Kimwolf/Aisuru C2 servers is a major disruption, but the botnet’s scale, monetization via residential proxies, and ability to blend into consumer traffic highlight how attackers are evolving. This campaign underscores the critical need to secure consumer IoT and edge devices, which are increasingly leveraged as stealth infrastructure for global cybercrime.
