Saved February 14, 2026
Do you care about this?
The Kimwolf botnet has compromised over 2 million Android devices, primarily targeting streaming boxes to turn them into residential proxies. Recent reports detail its expansion and connection to a network of compromised routers, which allows threat actors to conduct DDoS attacks and sell proxy services. Cybersecurity firms have identified significant increases in bot activity and vulnerabilities in residential proxy networks.
If you do, here's more
Lumen Technologies' Black Lotus Labs has been actively countering the AISURU/Kimwolf botnet, which has infected over 2 million Android devices since early October 2025. The botnet targets compromised Android TV streaming devices, primarily through a software development kit (SDK) called ByteConnect. This SDK is delivered through questionable apps and turns the devices into residential proxies that facilitate distributed denial-of-service (DDoS) attacks and relay malicious traffic.
A recent analysis from QiAnXin XLab detailed how Kimwolf operates, including its use of exposed Android Debug Bridge (ADB) services. In September 2025, Black Lotus Labs detected unusual SSH connections from Canadian IPs linked to AISURU's command-and-control infrastructure. Notably, a domain associated with the botnet surpassed Google in Cloudflare's rankings, prompting its removal from the list. The botnet's architecture lets infected devices scan for vulnerable devices within their local networks, exploiting security flaws in residential proxy services to spread the malware further.
A significant spike in new bots—300% over a week—was reported in early October, aligning with findings that many of these bots were available for sale on a single residential proxy service. Kimwolf’s actors are also attempting to monetize proxy bandwidth, revealing how the botnet is intertwined with various proxy services. This network includes compromised KeeneticOS routers in Russia, which are exploited for their ability to blend malicious activities into normal traffic, making detection challenging.
Infoblox found that nearly 25% of its cloud customers queried a Kimwolf domain since October 1, 2025, indicating significant exposure to these threats. Devices like smartphones and laptops are being co-opted to scan for more vulnerable devices within local networks. The situation underscores the evolving tactics of threat actors who leverage everyday consumer devices for broader malicious purposes.
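The Infoblox figure above is an exposure metric derived from resolver logs: the share of clients that queried a botnet-associated domain. The following added example (not code from the article, Infoblox, Lumen or XLab) shows the same measurement over constructed BIND-style query-log lines. The log layout, the client addresses and the watchlist domains are all assumptions; the real Kimwolf indicators are not given on this page, so placeholder names stand in for them.

```python
import re
from collections import defaultdict

# Constructed watchlist: placeholder names standing in for botnet-associated
# domains. Replace with indicators from your own threat-intelligence feed.
WATCHLIST = {
    "c2.botnet-placeholder.example",
    "relay.botnet-placeholder.example",
}

# Constructed sample resolver log (assumed BIND-style query-log layout).
# One malformed line is included to show that the parser skips it.
SAMPLE_LOG = """\
14-Feb-2026 10:01:02.123 client 10.0.0.12#53412: query: www.google.com IN A
14-Feb-2026 10:01:05.456 client 10.0.0.12#53413: query: c2.botnet-placeholder.example IN A
14-Feb-2026 10:01:07.789 client 10.0.0.23#40001: query: updates.example.net IN AAAA
14-Feb-2026 10:01:09.000 client 10.0.0.45#40002: query: api.c2.botnet-placeholder.example IN A
14-Feb-2026 10:01:11.111 client 10.0.0.67#40003: query: time.example.org IN A
this line is deliberately malformed and must be ignored
"""

# Extract the client address and the queried name from each log line.
LINE_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(qname):
    """Lower-case the name and drop a trailing dot so comparisons are stable."""
    return qname.rstrip(".").lower()


def matches_watchlist(qname, watchlist):
    """True if qname equals a watchlist entry or is a subdomain of one."""
    q = normalize(qname)
    return any(q == d or q.endswith("." + d) for d in watchlist)


def parse_queries(log_text):
    """Yield (client, qname) pairs; lines that do not match the layout are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("client"), normalize(m.group("qname"))


def exposure_report(log_text, watchlist=WATCHLIST):
    """Count distinct clients and list those that queried a watchlisted domain."""
    clients = set()
    hits = defaultdict(list)
    for client, qname in parse_queries(log_text):
        clients.add(client)
        if matches_watchlist(qname, watchlist):
            hits[client].append(qname)
    exposed = sorted(hits)
    fraction = len(exposed) / len(clients) if clients else 0.0
    return {
        "clients": len(clients),
        "exposed": exposed,
        "fraction": fraction,
        "hits": dict(hits),
    }


if __name__ == "__main__":
    report = exposure_report(SAMPLE_LOG)
    print(f"{len(report['exposed'])} of {report['clients']} clients "
          f"({report['fraction']:.0%}) queried a watchlisted domain")
    for client, names in report["hits"].items():
        print(f"  {client}: {', '.join(names)}")
```

Subdomain matching matters here: a botnet client rarely queries the bare apex, so an exact-match watchlist would miss the `api.` query in the sample. Because this only counts clients that resolved a name, not clients that were infected, treat the result as an exposure estimate and follow each hit back to the device before acting on it.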