Full Report
The Black Lotus Labs team at Lumen Technologies said it null-routed traffic to more than 550 command-and-control (C2) nodes associated with the AISURU/Kimwolf botnet since early October 2025. AISURU and its Android counterpart, Kimwolf, have emerged as some of the biggest botnets in recent times, capable of directing enslaved devices to participate in distributed denial-of-service (DDoS)
Analysis Summary
# Incident Report: AISURU/Kimwolf Botnet Disruption
## Executive Summary
Black Lotus Labs at Lumen Technologies initiated active defensive measures against the AISURU/Kimwolf botnet ecosystem starting in early October 2025 by null-routing over 550 associated Command and Control (C2) nodes. The botnets, primarily targeting Android devices (Kimwolf) and leveraging residential proxy networks, had reached massive scale, infecting over 2 million devices and being used to facilitate DDoS attacks and illicit proxy services. The primary response involved proactive network blocking to degrade the botnet infrastructure.
## Incident Details
- Discovery Date: September 2025 (Initial identification of suspicious SSH connections linked to Aisuru backend)
- Incident Date: Ongoing since early October 2025 (Start of null-routing activities)
- Affected Organization: Lumen Technologies (as the responding entity, Black Lotus Labs)
- Sector: Cybersecurity Research/Managed Security Services
- Geography: Global (Based on C2 infrastructure analysis, including connections traced to Canadian and US-based hosting providers)
## Timeline of Events
### Initial Access (Botnet Recruitment Mechanism)
- Date/Time: Prior to October 2025; Surge observed starting early October 2025.
- Vector: Delivery of the ByteConnect SDK via pre-installed, untrustworthy Android applications, primarily on unsanctioned Android TV streaming devices.
- Details: Compromised devices were turned into residential proxies. A significant surge in Kimwolf bots (800,000 total by mid-October) was observed, with nearly all selling proxy bandwidth on a single service.
### Lateral Movement
- Date/Time: October 20, 2025, and November 6, 2025
- Vector: Exploitation of security flaws in various proxy services (PYPROXY is the one named).
- Details: The Kimwolf C2 infrastructure scanned these proxy services, which let it reach devices on the internal networks behind residential proxy endpoints and deploy the malware; each infected device was then repurposed as a proxy node. Threat actors then used these nodes to scan for further victims with an exposed Android Debug Bridge (ADB) service.
### Data Exfiltration/Impact
- Date/Time: Ongoing (Mechanism of compromise)
- Vector: DDoS attacks and serving as relays for malicious traffic via residential proxy services.
- Details: Infected devices were enslaved to participate in DDoS attacks and to supply weaponizable residential proxy bandwidth for sale, generating revenue for the threat actors.
### Detection & Response
- Date/Time: September 2025 (Detection) / Early October 2025 (Response commencement)
- Vector: Analysis of backend C2 infrastructure.
- Details: Black Lotus Labs identified suspicious SSH connections from Canadian residential IPs that linked the C2 nodes together. The response involved null-routing traffic to over 550 identified C2 nodes associated with AISURU/Kimwolf.
## Attack Methodology
- Initial Access: Distribution of malicious SDK (ByteConnect) via compromised Android applications/devices.
- Persistence: Not explicitly detailed, but implied through the persistent nature of the botnet on infected devices.
- Privilege Escalation: Not specified; likely leveraging existing vulnerabilities or misconfigurations on the target devices (e.g., exposed ADB).
- Defense Evasion: The use of infrastructure that frequently shifts domains and IP addresses (e.g., C2 domain migration after one successful null route) and leveraging widely distributed, legitimate-looking residential proxy networks.
- Credential Access: Not specified.
- Discovery: Scanning other proxy services like PYPROXY for vulnerable internal networks connected to proxy endpoints.
- Lateral Movement: Exploiting flawed proxy services to drop malware onto adjacent internal network devices with enabled ADB.
- Collection: Not applicable in the traditional sense, as the goal was infrastructure building (proxy services).
- Exfiltration: Not applicable; the primary outcome was using infected devices to relay traffic or participate in attacks.
- Impact: Utilization of enslaved devices for DDoS participation and monetization via residential proxy sales.
## Impact Assessment
- Financial: Threat actors were generating revenue through the sale of proxy bandwidth. Potential financial impact from DDoS attacks originating from the botnet is high, though not quantified here.
- Data Breach: No data breach was reported; the focus was on device compromise for service provisioning.
- Operational: Significant operational infrastructure (C2 nodes) was successfully neutralized by the response team.
- Reputational: High public exposure: one C2 domain surpassed Google in Cloudflare's top 100 list before being scrubbed, demonstrating the sheer scale of the operation.
## Indicators of Compromise
- Network Indicators (Defanged):
  - C2 Backend IP Example: 65.108.5[.]46 (Linked to initial SSH activity)
  - C2 Infrastructure IP Example: 194.46.59[.]169
  - C2 Domain Example 1: proxy-sdk.14emeliaterracewestroxburyma02132[.]su
  - C2 Domain Example 2: greatfirewallisacensorshiptool.14emeliaterracewestroxburyma02132[.]su (Resolved to 104.171.170[.]21 and later 104.171.170[.]201)
- File Indicators: ByteConnect SDK (Used to establish proxy functionality).
- Behavioral Indicators: Large, rapid surge in Kimwolf bot enrollment; devices appearing for sale on residential proxy service sites; use of SSH connections between identified C2 IPs.
## Response Actions
- Containment measures: **Null-routing traffic** directed to more than 550 C2 nodes associated with AISURU/Kimwolf infrastructure since early October 2025.
- Eradication steps: Targeting and neutralizing C2 infrastructure was the primary eradication step mentioned.
- Recovery actions: Not detailed, but implicitly involve service providers securing their networks against the exploitation paths used by the malware.
## Lessons Learned
- The deep integration between malware infrastructure (botnets) and illicit commercial services (residential proxies) presents a significant, monetizable threat landscape that drives rapid expansion.
- Infrastructure used by threat actors relies on specific hosting providers (e.g., Resi Rack LLC) and community platforms (Discord servers like resi[.]to) which can serve as valuable investigation leads.
- C2 domains can rapidly achieve massive visibility (e.g., placing among the top 100 domains listed by CDNs), requiring immediate infrastructure countermeasures.
## Recommendations
- Security vendors and infrastructure providers must actively monitor for and block traffic associated with known botnet domain patterns, especially those related to residential proxy networks.
- Collaboration is necessary to identify and sever the links between proxy service operators and threat actors selling access to compromised nodes.
- Organizations must strictly control and monitor Android Debug Bridge (ADB) exposure on all connected smart devices, particularly IoT and streaming devices.
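The Indicators of Compromise above and the first recommendation (monitor for and block traffic tied to known botnet domain patterns) can be operationalised as a small watchlist matcher. The following Python is an added example, not code from Lumen or Black Lotus Labs: it refangs the report's indicators, treats the registered domain that the two listed C2 hostnames share as a pattern (an assumption that other subdomains of it deserve an alert), and runs the check over constructed key=value DNS and flow log lines. The `registered_domain` helper keeps the last two labels, which is enough for `.su` but would need a public-suffix list for multi-label suffixes.

```python
import re

# Indicators copied from the Indicators of Compromise section above (defanged form).
DEFANGED_IPS = ["65.108.5[.]46", "194.46.59[.]169", "104.171.170[.]21", "104.171.170[.]201"]
DEFANGED_DOMAINS = [
    "proxy-sdk.14emeliaterracewestroxburyma02132[.]su",
    "greatfirewallisacensorshiptool.14emeliaterracewestroxburyma02132[.]su",
]


def refang(indicator):
    """Convert a defanged indicator ('[.]', 'hxxp') back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower().rstrip(".")


def registered_domain(fqdn):
    """Last two labels of a hostname (assumption: sufficient for '.su';
    use a public-suffix list for TLDs such as co.uk)."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def build_watchlist(ips, domains):
    """Refang the IoCs and derive the shared registered domain as a pattern."""
    ip_set = {refang(i) for i in ips}
    fqdn_set = {refang(d) for d in domains}
    base_set = {registered_domain(d) for d in fqdn_set}
    return ip_set, fqdn_set, base_set


KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Parse 'key=value' tokens from a log line into a dict."""
    return dict(KV_RE.findall(line))


def classify(line, watch):
    """Return a reason string if the line touches a watched indicator, else None."""
    ip_set, fqdn_set, base_set = watch
    rec = parse_kv(line)
    qname = rec.get("query", "").lower().rstrip(".")
    if qname:
        if qname in fqdn_set:
            return "exact C2 domain %s" % qname
        if registered_domain(qname) in base_set:
            return "subdomain of C2 base domain %s" % registered_domain(qname)
    # Resolved answers and flow endpoints are checked against the IP indicators.
    for key in ("answer", "dst", "src"):
        val = rec.get(key)
        if val in ip_set:
            return "%s matches C2 IP %s" % (key, val)
    return None


def scan(lines, watch):
    """Return (line, reason) pairs for every line that hits the watchlist."""
    hits = []
    for line in lines:
        reason = classify(line, watch)
        if reason:
            hits.append((line, reason))
    return hits


# Constructed sample log lines (not real telemetry) in a simple key=value format.
SAMPLE_LOGS = [
    "ts=2025-10-15T12:00:01Z type=dns client=10.0.0.7 query=greatfirewallisacensorshiptool.14emeliaterracewestroxburyma02132.su answer=104.171.170.201",
    "ts=2025-10-15T12:00:02Z type=dns client=10.0.0.8 query=update.14emeliaterracewestroxburyma02132.su answer=203.0.113.5",
    "ts=2025-10-15T12:00:03Z type=flow src=10.0.0.7 dst=194.46.59.169 dport=443 proto=tcp",
    "ts=2025-10-15T12:00:04Z type=dns client=10.0.0.9 query=www.example.com answer=93.184.216.34",
    "ts=2025-10-15T12:00:05Z type=flow src=10.0.0.9 dst=198.51.100.20 dport=80 proto=tcp",
]

if __name__ == "__main__":
    watch = build_watchlist(DEFANGED_IPS, DEFANGED_DOMAINS)
    for line, reason in scan(SAMPLE_LOGS, watch):
        print("ALERT %s: %s" % (reason, line))
```

Run against the constructed lines, the matcher flags the exact C2 hostname, a previously unseen subdomain of the shared base domain, and a flow to a listed C2 IP, while the two benign lines pass. Alerting on the base domain rather than only the exact hostnames is what lets the check survive the domain rotation noted under Defense Evasion.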