New, by me: The Kimwolf Botnet is Stalking Your Local Network

Today's story is a long overdue series of scoops nestled inside a far more urgent Internet-wide security advisory. The vulnerability at issue has been exploited for months already, and it’s time for a broader awareness of the threat. The short version is that everything you thought you knew about the security of the internal network behind your Internet router probably is now dangerously out of date.

https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/

Some implications from the research in today's story:

"Consider the following scenario, in which the mere act of allowing someone to use your Wi-Fi network could lead to a Kimwolf botnet infection. In this example, a friend or family member comes to stay with you for a few days, and you grant them access to your Wi-Fi without knowing that their mobile phone is infected with an app that turns the device into a residential proxy node. At that point, your home’s public IP address will show up for rent at the website of some residential proxy provider."

"Miscreants like those behind Kimwolf then use residential proxy services online to access that proxy node on your IP, tunnel back through it and into your local area network (LAN), and automatically scan the internal network for devices with Android Debug Bridge mode turned on."

"By the time your guest has packed up their things, said their goodbyes and disconnected from your Wi-Fi, you now have two devices on your local network — a digital photo frame and an unsanctioned Android TV box — that are infected with Kimwolf. You may have never intended for these devices to be exposed to the larger Internet, and yet there you are."

"Here’s another possible nightmare scenario: Attackers use their access to proxy networks to modify your Internet router’s settings so that it relies on malicious DNS servers controlled by the attackers — allowing them to control where your Web browser goes when it requests a website. Think that’s far-fetched? Recall the DNSChanger malware from 2012 that infected more than a half-million routers with search-hijacking malware, and ultimately spawned an entire security industry working group focused on containing and eradicating it."

@briankrebs Yet another reason to only let guests into a separate guest network with client isolation turned on.

(Other reasons like "I don't want to manage authentication for audio streaming inside my LAN so anyone in the _real_ network can make loud noises all over the place" also apply.)

@briankrebs

If you’re only downloading apps from the official App Store you should be OK, assuming you’re using devices from a reputable source. And of course iOS devices are immune to this particular threat.

@wiredog
Given how often dodgy apps get onto Google Play, you're probably safer only installing apps from FDroid...
@briankrebs
@briankrebs @klittle667 I actually had an instance over Christmas where a family member used an infected laptop on my parents' wifi and caused a traffic spike that I caught fairly by chance. It's led me to start using IDS on my network.
@andrew Really? I've often thought about it but wasn't sure of the overhead it would put onto my UCG Ultra. I already use Pi-hole, which has several malware domain lists, and I did have firewall rules blocking Google DNS, but that was to force Nest products to use my DNS servers and not their hard-coded ones.

@klittle667 @andrew I have IDS set up on my parents' Gateway Lite. The connection is only 200 Mb/sec symmetric, so it doesn't seem to take much of a hit. In a year or so, I've yet to see it actually detect anything, which I guess is a good thing.

I don't have a UniFi router at home (still using an old Edgerouter4) so no IDS there.

@BorrisInABox @andrew I’ve enabled it in logging mode. Will keep it like that for a few days and then start blocking.
@klittle667 @BorrisInABox Yeah, I'm also in logging mode. Not sure I want to block just yet; something to keep in mind if something isn't working. I have set up Alarm Manager to alert me via email if something is detected. I tested this using a BitTorrent client and it worked.
@andrew @BorrisInABox I'm assuming I have it set up via push on the mobile app; it certainly looks like I do, but I'll also test by doing some probing with a torrent client, port scans and maybe some vulnerability scanning and see if it shows up in the log.

@briankrebs Hi Sir, sorry for the disturbance. A swift question: is it possible to detect such activity via https://check.labs.greynoise.io/ #greynoise #botnet

Or does one have to use dedicated scans via Wireshark and #shodan and the likes?

@briankrebs It also makes me worry about things like #Concast's automatic sharing of access points with the xfinitywifi SSID. So anybody wandering by with an #XFinity account can use your AP. One would hope they secure it well enough that this case wouldn't be vulnerable to Kimwolf🤞
@mcrocker My understanding is that it is exactly the traditional cable ISPs that are having the most problem stopping this lateral movement when customers are running proxy endpoints.

@briankrebs the gist is that one should consider their home network part of the public internet when handling security for it.

The article misses some aspects as it's quite focused on IPv4 and RFC1918. I've seen cheap routers that assign all devices publicly reachable addresses without putting any firewall in place. Some of these routers have adbd too, although usually disabled ootb.

Sad to read about the doxxing, that's really nasty. Hopefully that won't bring anything bad! Take care!!

@briankrebs I always felt paranoid for having a dedicated network and ip connection for visitors 😳

@masek @briankrebs

Guest Network. Only on if a guest visits me and needs to have access.

On the other hand I have only a TV (besides the PCs and mobiles) which is connected to the internet. All other IoT devices are ESP8266/ESP32 programmed by myself without the possibility to update OTA. So you'll see these on the main network, but never have the possibility to hijack them because there is nothing to hijack.

@briankrebs Guests are in a guest network, and definitely don't get access to our own home-office network.
@briankrebs I kid you not, the last three weeks of my life have been spent dealing with what I suspect was exactly this. I did not trust any DNS query from my home network for several weeks and literally had to firewall and air-gap bootstrap clean copies of every single device I owned. I still have untrusted devices in Faraday bags, and trusted ones are stored in the same.
It appears that the company that did the bulk of the heavy lifting and research on Kimwolf -- Synthient -- is now under a DDoS attack. This is my shocked face. Read it while it's still live, lol.
@briankrebs Is there anything known about the DNS lookup referencing an address in West Roxbury or is this just another impenetrable inside joke?
@briankrebs I haven't got a smart TV or anything like that. I've got a dumb Sharp 42" TV from ten years ago, barely recent enough to support DVB2, and it's connected to my media centre PC which is a big old tower PC running Linux Mint which handles all the "smart" things.
@briankrebs I'm a bit worried about my official Vodafone cable router though. I've got a Fritzbox with which I'd like to replace it, but I always miss the time window in which to call the customer service line.
@briankrebs That is why I use guest network. Or better, don't use these.
@briankrebs This interests and worries me and I'm very grateful to Brian Krebs but it is of little use to me because I can't understand the jargon. I wish there were a translation utility which would run through this and tell me in lay terms which devices I should unplug and scrap, which apps I should look for and exterminate, which devices I should re-flash, etc. with a list of brand names and designators that I might find on the potentially dangerous boxes and apps.

@pacman That information is all in the story. Here's a list of the model numbers and device names most commonly seen in the botnet:

https://github.com/synthient/public-research/blob/main/2026/01/kimwolf/product_devices.csv

https://krebsonsecurity.com/wp-content/uploads/2025/12/china-overseasuseonly.png

What I said in the story is that what you're asking for doesn't really exist at the consumer level. Hence the need for more paranoia about these devices in general.

@briankrebs Wow! Thanks for this instant response. You sent that OTT TV image but it's not in the list. There are 3 other OTT items in the list. Also, there is an item "Smart TV". We have a 10 year old (as far as I remember) Samsung TV which calls itself Smart TV. Should I throw it out?
@briankrebs Thanks again. One clear message for me: don't let visitors use our internet router, even the Visitor facility (I don't know whether its Visitor facility has the latest protection features installed).

@briankrebs This is one of the reasons I keep all the IoT/customer surveillance devices on their own network and block access from that network to other internal spaces. It's not perfect and doesn't prevent that network from becoming a cesspool, but at least it isolates the blast radius.

I do periodic checks of the outbound traffic from that network looking for suspicious activity but it's tough given how chatty even legitimate boxes are.

#Security
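The "periodic checks of outbound traffic" from an isolated IoT network, as described in the post above, can be reduced to a few rules that pick the Kimwolf-style behaviours out of the chatter: DNS sent to anything other than the household resolver (the DNS-hijack scenario in the article), connections to the ADB port between devices on the IoT VLAN (the internal ADB sweep the article describes), and large transfers to an external destination the box has never talked to before. The script below is an added illustration, not code from the article, from Synthient, or from any poster in this thread. The flow-log format, the 192.168.20.0/24 IoT VLAN, the resolver address 192.168.1.5, the byte threshold and the per-device baseline are all constructed assumptions; the sample flow lines are made up for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow export from a hypothetical IoT VLAN firewall.
# Assumed column layout (not any real product's format):
#   timestamp src dst proto dport bytes
SAMPLE_FLOWS = """\
2026-01-10T20:01:02 192.168.20.11 192.168.1.5 udp 53 120
2026-01-10T20:01:03 192.168.20.11 203.0.113.10 tcp 443 48212
2026-01-10T20:02:10 192.168.20.14 8.8.8.8 udp 53 96
2026-01-10T20:02:11 192.168.20.14 198.51.100.77 udp 53 88
2026-01-10T20:03:40 192.168.20.14 192.168.20.11 tcp 5555 1530
2026-01-10T20:03:41 192.168.20.14 192.168.20.12 tcp 5555 1510
2026-01-10T20:05:00 192.168.20.11 198.51.100.200 tcp 8080 913000
"""

# Assumed household layout: IoT devices live on one VLAN, everything
# local is somewhere in 192.168.0.0/16, and the only sanctioned resolver
# is a Pi-hole style box on the management network.
IOT_VLAN = ipaddress.ip_network("192.168.20.0/24")
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]
APPROVED_RESOLVERS = {"192.168.1.5"}
ADB_PORT = 5555                 # Android Debug Bridge over TCP
NEW_DEST_BYTES = 500_000        # threshold chosen for the example

# Per-device baseline of external destinations already seen and accepted;
# this is what keeps "chatty but legitimate" boxes from paging you nightly.
BASELINE = {
    "192.168.20.11": {"203.0.113.10"},
    "192.168.20.14": set(),
}


def parse_flow(line):
    """Split one constructed flow line into typed fields."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto,
        "dport": int(dport),
        "bytes": int(nbytes),
    }


def is_local(addr):
    # Explicit check rather than ipaddress.is_private, which also treats the
    # documentation ranges used in the sample (198.51.100/24 etc.) as private.
    return any(addr in net for net in LOCAL_NETS)


def analyze(flow_text, approved_resolvers=APPROVED_RESOLVERS, baseline=BASELINE):
    """Return a list of (rule, source, detail) alerts for flows from the IoT VLAN."""
    alerts = []
    adb_targets = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["src"] not in IOT_VLAN:
            continue                     # only police the IoT segment here
        src, dst = str(f["src"]), str(f["dst"])

        # Rule 1: DNS going anywhere but the approved resolver. A box that
        # suddenly asks a strange resolver is the DNS-hijack pattern.
        if f["dport"] == 53 and dst not in approved_resolvers:
            alerts.append(("unexpected-resolver", src, dst))

        # Rule 2: ADB port contacted between devices on the same VLAN.
        # Collected per source so one alert summarises a whole sweep.
        if f["proto"] == "tcp" and f["dport"] == ADB_PORT and f["dst"] in IOT_VLAN:
            adb_targets[src].add(dst)

        # Rule 3: large transfer to an external destination not in the
        # device's baseline (e.g. a box that has started relaying traffic).
        if (not is_local(f["dst"])
                and dst not in baseline.get(src, set())
                and f["bytes"] >= NEW_DEST_BYTES):
            alerts.append(("new-external-destination", src, dst))

    for src, targets in adb_targets.items():
        alerts.append(("adb-sweep", src, ",".join(sorted(targets))))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in analyze(SAMPLE_FLOWS):
        print(f"{rule:26} {src:15} {detail}")
```

Run against the constructed sample this reports two stray resolver lookups and the ADB sweep from 192.168.20.14, and one large transfer to a never-before-seen host from 192.168.20.11; the 203.0.113.10 traffic is suppressed because it is in that device's baseline. The baseline is the part that does the real work against noise: seed it from a week of normal traffic, review additions by hand, and the remaining alerts are short enough to act on.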

@briankrebs
#iptv
I get this question daily on the Discord, "should I buy this Rockchip or Amlogic TV box?" Frustrating because we always answer negative but they buy it anyway. 🤷

@briankrebs

Excellent read, thank you!

@briankrebs

I await part II. Will be interesting.

@briankrebs

Perhaps a stupid question…

How much does this rely on the internal network being 192.168.0.x?

(I could not tell from the article as to whether that was an example… or specifically how it worked)

@briankrebs good piece on the kimwolf botnet, but i disagree with the solutions (buy name brands, check Synthient for compromise, use guest wifi). these treat symptoms, not causes. there will inevitably be another kimwolf botnet b/c of industry malpractice

the issue is lack of regulation and audits for hw/sw + anti-circumvention laws that block independent shops from flashing custom fw: https://media.ccc.de/v/39c3-a-post-american-enshittification-resistant-internet

projs like pmOS, lineageos, and mobian help users reclaim control of their hw


@briankrebs whenever I do network threat modelling, lateral movement has been on the top spot for a long time for me. Whenever I consult IT departments I always tell them:

Always assume your whole network is totally exposed to the Internet, and that there are no edge firewalls to filter traffic. If you design your network to be resilient under that assumption, you're 90% there.

@briankrebs oh man those Chinese underpriced android boxes have always been shady
@ott0disk @briankrebs they're not overpriced. even if they came without malware preinstalled, they're far from being usable products and you could get some xiaomi or chromecast if you pay just a bit more

@briankrebs
The only things here on LAN are PCs (mostly Linux), tablets and phones. Android is an issue, as are apps.
No BD player, home theatre or TV gets a WiFi password or cable. Google & vendors not trustworthy on privacy, apart from security issues.
Also simply won't buy a gadget / device that needs Internet to work, like doorbell, security, heating, etc.

Why do routers have UPnP at all? It's evil. No router ever deployed on default settings.

@briankrebs
A lot of the streaming boxes and sticks are deliberately evil. Some stupidity. The Streaming services are not good on privacy.

Sat TV boxes and Projector have no WiFi password.

The Nintendo Switch and Steamdeck have WiFi.

Router is Fritz!box with even ISP and vendor access disabled.

@briankrebs That is more than slightly scary. I don't have any digital photoframes or TV boxes (mostly because I don't watch TV), but ....