Kimwolf botnet and unofficial Android TV boxes

[madires]

The Kimwolf Botnet is Stalking Your Local Network - https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/

TL;DR:
- new botnet with around 2 million devices
- weakness of hidden proxy service enables access to local networks (often preinstalled on unofficial Android TV boxes)
- takeover of devices with Android Debug Bridge enabled (nearly all unofficial Android TV boxes)

[iMo]

For example, opening a command prompt and typing “adb connect” along with a vulnerable device’s (local) IP address followed immediately by “:5555” will very quickly offer unrestricted “super user” administrative access.

Hopefully our Rigols are not infected.. 

[madires]

Another botnet based on Android devices:
- ‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm - https://krebsonsecurity.com/2026/06/popa-botnet-linked-to-publicly-traded-israeli-firm/

And some numbers about Kimwolf from the recent NANOG 97:
-  The Kimwolf Aftershock: Residential Proxy Botnets One Year Later - https://nanog.org/events/nanog-97/content/5771/

A US residential proxy costs up to about US$ 95 for two weeks. It's a quite profitable business!