Today’s Topics:
- Kimwolf Android Botnet Spreads Through Exposed ADB and Residential Proxy Networks
- Maximum-Severity HPE OneView Vulnerability Added to CISA KEV as Exploitation Emerges
- How can Netizen help?
Kimwolf Android Botnet Spreads Through Exposed ADB and Residential Proxy Networks

A large Android botnet known as Kimwolf has quietly compromised more than two million devices by abusing exposed Android Debug Bridge (ADB) services and tunneling through residential proxy networks, based on recent findings from Synthient. The campaign illustrates how misconfigured Android-based devices, particularly low-cost smart TVs and set-top boxes, continue to provide fertile ground for large-scale abuse tied directly to commercial proxy ecosystems.
Kimwolf was first publicly documented by QiAnXin XLab in late 2025, where researchers identified links between the malware and an earlier botnet tracked as AISURU. Evidence collected since then points to Kimwolf being an Android variant or evolution of AISURU, active since at least August 2025. Synthient’s telemetry suggests the botnet may be responsible for several unusually large distributed denial-of-service events observed toward the end of last year, indicating that its scale and operational maturity extend well beyond opportunistic malware activity.
Once a device is compromised, Kimwolf converts it into a traffic relay capable of supporting both proxy services and coordinated DDoS attacks. Infection density remains highest in Vietnam, Brazil, India, and Saudi Arabia, though the overall footprint is global. Synthient observed roughly 12 million unique IP addresses per week participating in botnet-related activity, underscoring how frequently devices cycle in and out of active use as proxy nodes.
The initial access vector centers on Android devices that expose ADB over the network without authentication. Synthient reports that roughly 67 percent of infected devices fall into this category, making them trivial to compromise once discovered. The attackers rely on a scanning and delivery infrastructure that itself runs over residential proxy networks, allowing the malware to be installed at scale while blending into normal consumer traffic patterns.
There is growing suspicion that some devices may ship preloaded with software development kits from proxy providers, effectively enrolling them into proxy networks without user awareness. This appears most common among unofficial or gray-market Android TV boxes and streaming devices, which frequently run outdated firmware and ship with insecure default settings. These conditions create an environment where botnet operators can achieve persistent access with minimal resistance.
Recent activity shows Kimwolf leveraging proxy IP space rented from China-based provider IPIDEA as late as December 2025. IPIDEA responded on December 27 by deploying a patch intended to block access to local network devices and sensitive ports. The company markets itself as a large-scale IP proxy provider, advertising millions of rotating addresses refreshed daily, which helps explain how Kimwolf operators were able to reach such a wide population of exposed devices in a relatively short time window.
The attack flow relies on tunneling through proxy software running on infected systems to reach internal network surfaces that would otherwise be unreachable. Once access is established, the malware deploys a primary payload that listens on TCP port 40860 and connects back to a command-and-control endpoint at 85.234.91[.]247 on port 1337 for tasking. From there, compromised devices can be directed to relay traffic, participate in denial-of-service activity, or support follow-on campaigns.
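The network indicators in the paragraph above (the implant's TCP 40860 listener and the C2 endpoint on port 1337) can be matched against host connection records. The following is an added detection example, not Synthient's or Netizen's code: the connection-log format (timestamp, source socket, destination socket, state) and the sample records are constructed for this example, and the ADB default port 5555 is general Android knowledge rather than a value from the write-up.

```python
"""Flag Kimwolf-related activity in constructed connection-log records.

Indicators taken from the write-up: implant listener on TCP 40860 and C2 at
85.234.91.247:1337 (defanged in the text as 85.234.91[.]247). TCP 5555 is
Android's default ADB-over-network port (assumption: devices expose the default).
"""
import ipaddress
from dataclasses import dataclass

C2_IP = "85.234.91.247"
C2_PORT = 1337
IMPLANT_LISTEN_PORT = 40860
ADB_PORT = 5555

# RFC 1918 ranges spelled out explicitly; ipaddress.is_private also covers
# documentation ranges such as 203.0.113.0/24, which would hide an external peer.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    host: str    # the local device the finding is about
    kind: str    # c2_beacon | implant_listener | exposed_adb
    detail: str


def _is_local(ip_text):
    addr = ipaddress.ip_address(ip_text)
    return addr.is_loopback or any(addr in net for net in RFC1918_NETS)


def parse_record(line):
    """Constructed format: '<ts> <src_ip>:<src_port> <dst_ip>:<dst_port> <state>'.
    Returns None for records that do not fit so a damaged line never aborts a run."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts, src, dst, state = parts
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        ipaddress.ip_address(src_ip)
        ipaddress.ip_address(dst_ip)
        return ts, src_ip, int(src_port), dst_ip, int(dst_port), state
    except ValueError:
        return None


def analyze(lines):
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ts, src_ip, src_port, dst_ip, dst_port, state = rec
        # 1. Outbound tasking session to the published C2 endpoint.
        if dst_ip == C2_IP and dst_port == C2_PORT:
            findings.append(Finding(src_ip, "c2_beacon", f"{ts} -> {dst_ip}:{dst_port}"))
        # 2. A local host holding the implant's listening port open.
        if state == "LISTEN" and src_port == IMPLANT_LISTEN_PORT:
            findings.append(Finding(src_ip, "implant_listener", f"{ts} LISTEN :{src_port}"))
        # 3. ADB reachable from outside: an established session to 5555 on a
        #    local device from a peer that is not on the local network.
        if (dst_port == ADB_PORT and state == "ESTABLISHED"
                and _is_local(dst_ip) and not _is_local(src_ip)):
            findings.append(Finding(dst_ip, "exposed_adb", f"{ts} adb session from {src_ip}"))
    return findings


def hosts_to_triage(findings):
    """Distinct local hosts with at least one finding, for the response queue."""
    return sorted({f.host for f in findings})


# Constructed sample records (documentation address ranges used for external peers).
SAMPLE_LOG = [
    "2026-01-08T10:00:00Z 192.168.1.20:40860 0.0.0.0:0 LISTEN",
    "2026-01-08T10:00:05Z 192.168.1.20:51000 85.234.91.247:1337 ESTABLISHED",
    "2026-01-08T10:01:00Z 203.0.113.7:44321 192.168.1.20:5555 ESTABLISHED",
    "2026-01-08T10:02:00Z 192.168.1.50:49152 198.51.100.9:443 ESTABLISHED",
    "2026-01-08T10:03:00Z 192.168.1.10:50100 192.168.1.50:5555 ESTABLISHED",
    "malformed record",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.host}\t{f.kind}\t{f.detail}")
    print("triage:", hosts_to_triage(analyze(SAMPLE_LOG)))
```

In the sample, the benign HTTPS session and the ADB session from a local workstation produce nothing, while the smart-TV address 192.168.1.20 is flagged three times: once for the listener, once for the C2 beacon, and once for an ADB session from an external peer. Matching only the C2 address is brittle because infrastructure rotates; the listener and exposed-ADB checks keep working after the C2 moves.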
Monetization sits at the core of Kimwolf’s operation. Beyond selling raw DDoS capacity, the botnet is closely tied to residential bandwidth resale. In several cases, infected devices were also loaded with the Plainproxies Byteconnect SDK, a bandwidth monetization platform that routes proxy tasks from centralized servers through consumer devices. Synthient identified at least 119 relay servers coordinating these activities, indicating a well-developed commercial backend rather than an ad hoc criminal setup.
Researchers also observed the same infrastructure being used to conduct credential-stuffing attacks against IMAP services and widely used online platforms, highlighting how proxy-based botnets blur the line between infrastructure abuse and direct account compromise. Pricing models uncovered during the investigation show residential proxy bandwidth being sold at aggressively low rates, including offers as cheap as twenty cents per gigabyte or flat monthly plans advertising unlimited throughput. This pricing strategy appears designed to seed early adoption among proxy resellers and downstream customers.
The presence of pre-infected consumer devices and secondary monetization SDKs suggests a tightening relationship between botnet operators and commercial proxy providers, whether through negligence, willful blindness, or indirect partnerships. The scale observed in the Kimwolf campaign reflects systemic weaknesses across the Android device supply chain, proxy software governance, and default security configurations.
Risk reduction hinges on limiting exposure at several points. Proxy providers can materially reduce abuse by blocking access to RFC 1918 private address space and sensitive local ports from customer proxy nodes. Organizations and consumers running Android-based devices should disable network-accessible ADB entirely or restrict it to authenticated, local-only use. Without these basic controls, low-cost embedded Android devices will continue to function as an unintentional backbone for large criminal infrastructure.
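The first control above, a proxy node refusing to relay into private address space or sensitive local ports, is a small policy decision that can be enforced before the node opens any connection on a customer's behalf. The following is an added example and is not IPIDEA's patch or any provider's code; the sensitive-port list, the decision API, and the extension beyond RFC 1918 to loopback, link-local and carrier-grade NAT ranges are this example's own choices.

```python
"""Egress policy for a residential proxy exit node.

Denies customer requests whose destination is the node's own local network
(RFC 1918, which the write-up names) or a sensitive service port. Loopback,
link-local and CGNAT ranges are added here as an assumption: they are equally
unreachable from outside and have no legitimate use through a residential exit.
"""
import ipaddress

RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXTRA_LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",   # loopback, link-local, CGNAT (assumption)
    "::1/128", "fe80::/10", "fc00::/7",                   # IPv6 equivalents (assumption)
)]
# Constructed list of management and debugging ports; tune to the provider's policy.
SENSITIVE_PORTS = {22, 23, 135, 139, 445, 3389, 5555, 5900}


def classify_destination(ip_text, port):
    """Return (allowed, reason) for one resolved destination address and port.
    Takes an IP literal only: names must be resolved first so the policy is
    applied to what the node would actually connect to."""
    addr = ipaddress.ip_address(ip_text)
    # ::ffff:10.0.0.1 is an IPv4 address in disguise; judge it as 10.0.0.1.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if not 1 <= port <= 65535:
        return (False, "bad_port")
    if any(addr in net for net in RFC1918_NETS):
        return (False, "rfc1918")
    if any(addr in net for net in EXTRA_LOCAL_NETS):
        return (False, "local_range")
    if port in SENSITIVE_PORTS:
        return (False, "sensitive_port")
    return (True, "ok")


def allow_relay(resolved_addrs, port):
    """Decide for a request whose hostname already resolved to resolved_addrs.
    Every answer must pass: a name under attacker control can return a public
    address alongside a private one, and the node must not dial the private one."""
    if not resolved_addrs:
        return (False, "no_address")
    for ip_text in resolved_addrs:
        ok, reason = classify_destination(ip_text, port)
        if not ok:
            return (False, f"{ip_text}:{reason}")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed requests: a normal web fetch, an ADB probe into the node's LAN,
    # and a name that resolves to both a public and a private address.
    for addrs, port in (
        (["198.51.100.9"], 443),
        (["192.168.1.20"], 5555),
        (["198.51.100.9", "10.0.0.5"], 443),
        (["::ffff:172.16.4.4"], 80),
    ):
        print(addrs, port, "->", allow_relay(addrs, port))
```

The check must run on the node itself, against the addresses it is about to connect to, and again after every redirect, since a customer request to a public host can be answered with a redirect into the node's LAN. Applying the policy to the hostname the customer supplied rather than to the resolved address leaves the node open to names that resolve to private space.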
Maximum-Severity HPE OneView Vulnerability Added to CISA KEV as Exploitation Emerges

A maximum-severity vulnerability affecting HPE OneView has been added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, signaling active abuse of a flaw that sits deep inside enterprise infrastructure control planes. The issue, tracked as CVE-2025-37164, allows remote, unauthenticated code execution against HPE’s software-defined infrastructure management platform and carries a CVSS score of 10.0.
HPE OneView is commonly deployed as a centralized management layer for servers, storage systems, networking hardware, and firmware across enterprise environments. That positioning is what elevates the risk profile of CVE-2025-37164 beyond that of a typical web-facing service flaw. Successful exploitation grants an attacker direct execution capability inside a platform that already holds administrator-level authority over core infrastructure assets.
The vulnerability was disclosed by HPE on December 17, 2025, with hotfixes released for all affected versions ranging from 5.20 through 10.20. At disclosure time, security researchers warned that immediate remediation was necessary due to the trust assumptions surrounding infrastructure management platforms. OneView is often placed on internal networks with minimal exposure controls and limited monitoring, based on the expectation that only authorized administrators will ever interact with it.
CISA added CVE-2025-37164 to the KEV catalog on January 7, 2026, confirming evidence of exploitation activity observed in the wild. Inclusion in the catalog triggers mandatory remediation timelines for U.S. federal agencies under Binding Operational Directive 22-01, with a required action date of January 28. The KEV entry describes the issue as a code injection flaw that enables remote attackers to execute arbitrary commands without authentication.
Public details around real-world exploitation remain limited. HPE has stated that it has not received direct reports from customers confirming compromise, and Rapid7 has said it has not independently observed exploitation telemetry. Even so, the KEV designation indicates that credible exploitation evidence exists within government or partner visibility, placing this vulnerability into an assumed-breach category for affected environments.
The risk is amplified by the availability of weaponized exploit code. A Metasploit module targeting CVE-2025-37164 has been published, enabling unauthenticated remote code execution against unpatched OneView deployments. The module supports exploitation against versions below 11.00 where the vendor hotfix has not been applied, lowering the barrier for opportunistic or automated attacks.
Technical scoring reflects the severity. HPE assigned the flaw a CVSS v3.1 score of 10.0 due to its network-based attack vector, lack of required privileges, absence of user interaction, and full impact across confidentiality, integrity, and availability. NIST’s scoring places it slightly lower at 9.8, though both assessments classify the vulnerability as critical. EPSS modeling assigns an estimated 81 percent probability of exploitation within a 30-day window, placing the issue in the highest percentile of exploitation likelihood.
From an operational perspective, the concern extends beyond initial compromise. OneView’s role as an infrastructure orchestrator means attackers gaining execution can manipulate firmware, provision or decommission systems, alter network configurations, and establish durable persistence across environments that may otherwise appear hardened. That blast radius is what distinguishes CVE-2025-37164 from conventional application-layer flaws.
HPE recommends applying the released hotfixes immediately or discontinuing use of the product if mitigation is not possible. Security teams responsible for OneView deployments should treat this exposure as a control-plane incident, validating patch status, reviewing access paths, and reassessing network segmentation around management infrastructure. In environments where OneView is reachable from broader internal networks, containment and monitoring actions are warranted alongside patching to address potential pre-remediation access.
How Can Netizen Help?
Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive-level cybersecurity expertise at a fraction of the cost of hiring internally.
Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.
Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by the U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.