Security researchers at Lumen Technologies’ Black Lotus Labs say they have taken action against a large command-and-control infrastructure tied to the AISURU and Kimwolf botnets. Since early October 2025, the team has null-routed traffic linked to more than 550 C2 nodes connected to the operation.
AISURU and Kimwolf, including its Android variant, have grown into some of the most active botnets seen recently. They are designed to hijack infected devices and use them for distributed denial-of-service attacks, while also funneling traffic through residential proxy networks for criminal use.
More insight into Kimwolf surfaced last month after researchers at QiAnXin XLab released a detailed breakdown of the malware. Their findings showed that the botnet primarily targets unregulated Android TV streaming boxes. Once compromised, these devices are turned into residential proxy nodes through a software development kit called ByteConnect. The SDK is delivered either directly or bundled inside questionable pre-installed apps.
As a result, the campaign has spread aggressively. More than two million Android devices with exposed Android Debug Bridge services have been pulled into the botnet. By tunneling through residential proxy networks, the attackers were able to quietly access and infect a massive number of TV boxes.
Further reporting from Synthient revealed that operators behind Kimwolf were actively trying to sell off proxy bandwidth, offering access in exchange for upfront payments.
Black Lotus Labs said it first noticed suspicious activity in September 2025, identifying residential SSH connections coming from several Canadian IP addresses. These connections were traced back to AISURU’s backend C2 infrastructure, including activity tied to the IP address 65.108.5[.]46. The attackers used SSH to reach another system at 194.46.59[.]169, associated with a proxy SDK domain ending in 14emeliaterracewestroxburyma02132[.]su.
That domain later gained wider attention after it briefly overtook Google in Cloudflare’s list of the top 100 most requested domains in November 2025. Cloudflare ultimately removed it from the ranking due to its suspicious nature.
In early October, researchers uncovered an additional C2 domain, greatfirewallisacensorshiptool.14emeliaterracewestroxburyma02132[.]su, which resolved to an IP address linked to Resi Rack LLC, a Utah-based hosting provider that markets itself as a premium game server host.
This connection is notable because investigative journalist Brian Krebs recently exposed how operators behind multiple botnet-powered proxy services were advertising and selling access through a Discord server known as resi[.]to. The report linked Resi Rack’s co-founders to the operation, alleging they had been selling residential proxy services via Discord for close to two years.
The now-defunct Discord server was reportedly run by an individual known as “d,” believed to be short for the handle “Dort,” while another figure named Snow is suspected to have managed the botnet itself.
Black Lotus Labs reported a dramatic surge in Kimwolf activity in early October. Over just one week, the number of newly added bots jumped by roughly 300 percent. That growth continued, reaching about 800,000 bots by mid-October. According to the researchers, nearly all of those devices were being advertised for sale through a single residential proxy service.
Between October 20 and November 6, Kimwolf’s C2 infrastructure was also observed scanning PYPROXY and similar platforms for vulnerable systems. This behavior stemmed from the botnet’s abuse of security weaknesses in certain proxy services, which allowed attackers to reach devices inside residential networks and deploy the malware.
Once infected, those devices were converted into proxy nodes, with their ISP-assigned public IP addresses listed for rent by proxy providers. The attackers then leased access to those nodes and used them to scan local networks for additional devices with ADB enabled, allowing the botnet to spread further.
After one of the C2 domains was successfully null-routed in October, Black Lotus Labs observed the infrastructure shifting again. The greatfirewallisacensorshiptool domain moved to another Resi Rack LLC IP address, 104.171.170[.]201. Around the same time, researchers detected a sharp spike in traffic tied to 176.65.149[.]19:25565, a server hosting the malware and operating within an ASN also associated with AISURU activity.
These findings emerged alongside a separate report from Chawkr, which documented a large-scale proxy network made up of 832 compromised KeeneticOS routers spread across multiple Russian internet service providers, including Net By Net Holding LLC, VladLink, and GorodSamara.
According to Chawkr, the routers shared identical configurations and SSH fingerprints, strongly suggesting automated mass exploitation. Each affected device exposed both HTTP and SSH services, making them ideal candidates for use as residential proxy nodes.
Because these hijacked home and small-office routers appear to be normal residential endpoints, they allow attackers to blend malicious activity into everyday internet traffic. Unlike data center IP addresses, residential IPs often avoid reputation-based detection systems, making them far more effective for covert operations.
As Chawkr noted, the clean reputation and residential classification of these IP addresses enable malicious traffic to masquerade as ordinary user behavior, slipping past security controls that would otherwise block traffic from known hosting providers or proxy services.