Worldwide Kimwolf Malware
URGENT SECURITY ALERT
Worldwide Malware Outbreak Affecting Home Networks
SUMMARY: A massive malware outbreak called "Kimwolf" is infecting smart TVs, streaming boxes, digital picture frames, and other devices in home networks worldwide. Once one infected device enters your network, it actively scans for and infects other devices. We believe recent holiday travel, with family members and friends visiting and bringing infected phones and devices into homes, has accelerated the spread. Protect yourself by removing cheap no-name streaming devices (anything that promises cheap/free TV or movies), keeping all devices updated, and avoiding any "jailbroken" or "hacked" or "friend fixed it for me so I get a ton of free TV and movies" FireStick, FireTV, FireCube, Roku, and similar devices EVEN if they come from legitimate sources like Amazon, eBay, etc. You should ensure you have installed security software on phones and computers, and make sure they are all up to date! More detailed information is below, with more to come in the days ahead.
What's Happening
Dangerous malware called Kimwolf has infected millions of devices worldwide and is spreading rapidly.[1] With the first known detections in late August of 2025, it has spread exponentially over the last few months.[2] One of its malicious Command and Control domains briefly surpassed Google as the most visited domain on earth! Our first detections of "something" were in the second week of December, and we continue to see subscribers with a massive infection rate. This malware primarily targets smart TVs, streaming boxes, digital picture frames, WiFi cameras, and Android devices. It hijacks your internet connection to route criminal activity through your home, and can participate in attacks that have reached record-breaking scale.[1]
IT SPREADS: Once a single infected device enters your home network, it actively scans for and infects other vulnerable devices on the same network.[1] We believe the spike in activity around the holidays is directly related to people traveling, family members and friends visiting, with possibly infected phones and devices. This is essentially a malware epidemic that spreads as people move about.
What You Can Do Right Now
1. Remove cheap, off-brand streaming boxes and devices that promise "free" content or came from unknown (or disreputable) manufacturers or sources.
WARNING: Security researchers and the FBI have confirmed that many of these devices come with malware pre-installed directly from the factory - they are infected before you even open the box.[3] These devices are sold on major US retailers including Amazon, eBay, and AliExpress.[4] In July 2025, Google filed a lawsuit against a botnet operation involving over 10 million infected devices.[5] Many of the same infected models are still being sold today.
2. Update ALL Smart/WiFi-connected devices - this includes far more than you might think:
Smart TVs, streaming devices (Roku, Fire TV, Apple TV), cable/satellite boxes, digital picture frames, WiFi cameras and video doorbells, baby monitors, solar monitoring systems, smart thermostats (Nest, Ecobee), smart speakers (Echo, Google Home), WiFi light bulbs and smart plugs, robot vacuums (Roomba, etc.), WiFi garage door openers, gaming consoles, and any other WiFi connected device.
WHY THIS MATTERS: "Smart" devices are enormous security problems because most manufacturers of these devices are not security or software experts - they make and sell light bulbs, thermostats, or cameras.[6] They have ZERO incentive to provide ongoing software fixes and security patches for the devices they sell, and they make no money doing it, so they usually don't! Security research shows that manufacturers rarely provide firmware updates, and some devices are designed with no way to update at all.[7] Studies show over half of smart device owners have never updated their devices even once.[8] Cheap WiFi light bulbs, no-name (or name you can't pronounce) wireless cameras, bargain digital picture frames, smart home control screens, Smart TVs (especially off brands), and any other device with a screen or touch screen (which tend to run Android) are especially risky.
3. Install security software on phones - Android phones are especially vulnerable. We recommend Sophos Intercept X (free) - Links Below
Can be paired with a paid Sophos Home Premium Subscription for additional features.
4. Be cautious with visiting devices - when guests connect phones or devices to your WiFi, infected devices can spread malware to your network.
5. Consider a guest network for visitors' devices and IoT (Smart) devices to isolate them from your main network, AND from each other!
6. Install security software on computers and mobile devices:
AVOID KASPERSKY: The U.S. Department of Commerce banned Kaspersky software in June 2024 due to national security concerns about Russian government access to user systems. Kaspersky can no longer provide security updates to U.S. customers.[9] If you have Kaspersky installed, uninstall it and switch to an alternative.
For Computers - Sophos Home ($44.99/year for 10 devices, 30-day free trial)
The 3-year deal is even better!
https://home.sophos.com/en-us
For Mobile Devices - Sophos Intercept X for Mobile (FREE)
or can be paired with a paid Sophos Home Premium Subscription for additional features.
Available on Google Play and the App Store.
MORE INFORMATION COMING: This is the first in a series of notices about this threat. Over the coming days (and, likely weeks), we will send additional information about: which specific devices are at risk, why this malware is so difficult to stop, what we and other internet providers are doing to combat it, and detailed steps to protect your home network.
Our Commitment
Over the past several weeks, our team has invested hundreds of additional man-hours and significant equipment costs to combat this threat. We have deployed new intrusion detection systems, developed custom detection rules (which, as we will explain later, has been a very difficult and nearly impossible task!), and are actively monitoring our network around the clock. We are blocking over 10 million intrusion attempts daily. We are recording ~367 Million unique lines of attack logging every week, and have an automated self-defining list of 644,043 blocked IP Addresses at this very second (it's already gone up by 3 by the time I reached the end of this sentence). We continue to refine our security measures every day.
BUT WE NEED YOUR HELP: We have no way to "clean" or remove infected devices from Subscriber networks. We continue to see infected devices attempting malicious connections from subscriber homes every single day. Based on one company's data that showed nearly 25% of their customers have at least one infected device,[10] many of you likely have at least one compromised device right now. It is imperative that you work with your local IT professional, a trusted technical friend or family member, and/or your employer's IT department to ensure your systems are protected, updated, and clean from malware.
For suspected infected devices that are not computers, phones, tablets, or other well-supported devices from trusted manufacturers who provide regular firmware and software updates, the only known remediation is to completely take the device offline. Security researchers explicitly recommend: "If flagged, the infected TV box should be wiped or destroyed."[11]
We are not alone in this fight - this is an industry-wide crisis affecting internet providers worldwide. We will share more about the broader industry response in an upcoming notice.
Sources
CONTENT WARNING: Some technical articles may contain offensive language. The malware creators embedded vulgar names and language into their code, which researchers reference in their reports.
[1] Krebs on Security (January 2026): "The Kimwolf Botnet is Stalking Your Local Network"
https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/
[2] SecurityWeek (January 2026): "Kimwolf Android Botnet Grows Through Residential Proxy Networks"
https://www.securityweek.com/kimwolf-android-botnet-grows-through-residential-proxy-networks/
[3] FBI Public Service Announcement (June 2025): "Home Internet Connected Devices Facilitate Criminal Activity"
https://www.ic3.gov/PSA/2025/PSA250605
[4] Electronic Frontier Foundation (June 2025): "FBI Warning on IoT Devices: How to Tell If You Are Impacted"
https://www.eff.org/deeplinks/2025/06/fbi-warning-iot-devices-how-tell-if-you-are-impacted
[5] BleepingComputer (June 2025): "FBI: BADBOX 2.0 Android malware infects millions of consumer devices"
https://www.bleepingcomputer.com/news/security/fbi-badbox-20-android-malware-infects-millions-of-consumer-devices/
[6] Fortinet: "What is IoT Security? Definition and Challenges"
https://www.fortinet.com/resources/cyberglossary/iot-security
[7] Keyfactor: "Top 10 IoT Vulnerabilities in Your Devices"
https://www.keyfactor.com/blog/top-10-iot-vulnerabilities-in-your-devices/
[8] PatentPC: "IoT Security Challenges: Device Vulnerability & Attack Stats"
https://patentpc.com/blog/iot-security-challenges-device-vulnerability-attack-stats
[9] U.S. Department of Commerce: "Commerce Department Prohibits Russian Kaspersky Software for U.S. Customers" (June 2024)
https://www.bis.gov/press-release/commerce-department-prohibits-russian-kaspersky-software-u.s.-customers
[10] Infoblox: "Kimwolf Botnet Risks for Enterprises and Institutions" (January 2026)
https://www.infoblox.com/blog/threat-intelligence/kimwolf-howls-from-inside-the-enterprise/
[11] BleepingComputer: "Kimwolf Android botnet abuses residential proxies to infect internal devices" (January 2026)
https://www.bleepingcomputer.com/news/security/kimwolf-android-botnet-abuses-residential-proxies-to-infect-internal-devices/