Kimwolf Update (1.5)

Google seized 9 million devices from Kimwolf's network. Kimwolf fought back by hacking into BadBox 2.0's 10 million devices.

Security @ Home - Kimwolf Update: Two Steps Forward, One Step Back

Google Deals Kimwolf a Substantial Blow; Kimwolf Fights Back

SUMMARY: This week brought major developments in the fight against Kimwolf. On Wednesday, Google seized control of dozens of domains belonging to IPIDEA, the China-based company behind the massive proxy network that Kimwolf has exploited to spread. This action disconnected approximately 9 million Android devices from the proxy network. However, in a disturbing countermove, evidence has emerged that Kimwolf's operators have gained unauthorized access to the BadBox 2.0 botnet control panel, potentially giving them direct access to 10+ million additional infected devices. Meanwhile, the combined Aisuru/Kimwolf botnet continues launching record-shattering DDoS attacks.

Google Strikes Back: The IPIDEA Takedown

On Wednesday, January 29th, Google's Threat Intelligence Group (GTIG), working with partners including Spur, Lumen's Black Lotus Labs, and Cloudflare, delivered a major blow to the infrastructure that has powered Kimwolf's explosive growth.

Using a federal court order, Google seized control of dozens of domains belonging to IPIDEA, a China-based company operating what researchers believe is the world's largest residential proxy network. IPIDEA's proxy infrastructure has been the primary vehicle Kimwolf has used to tunnel into home networks and infect vulnerable devices.

WHAT GOOGLE ACCOMPLISHED:

  • Seized control of dozens of IPIDEA command-and-control domains
  • Ejected approximately 9 million Android devices from IPIDEA's proxy network
  • Removed over 600 malicious apps from the Android ecosystem
  • Updated Google Play Protect to automatically block IPIDEA-related software
  • Shared intelligence with law enforcement and security researchers worldwide

The scale of malicious activity flowing through IPIDEA was staggering. In just one seven-day period in January 2026, Google observed more than 550 different threat groups using IPIDEA's proxy network to hide their activities, including state-sponsored hackers from China, North Korea, Iran, and Russia.

The Bad News: Kimwolf's Countermove

Unfortunately, the criminals behind Kimwolf appear to have had a backup plan all along.

Earlier this month, security researchers obtained evidence that the Kimwolf operators, known by the nicknames "Dort" and "Snow," had gained unauthorized access to the control panel for BadBox 2.0, a separate massive botnet comprising over 10 million infected Android TV devices and other consumer electronics.

WHY THIS MATTERS: With access to BadBox 2.0's infrastructure, the Kimwolf operators can potentially load their malware directly onto millions of devices, completely bypassing the IPIDEA proxy network that Google just shut down. It's like plugging a fire hose directly into the water main instead of going through the garden spigot.

BadBox 2.0 represents a different type of threat than IPIDEA. While IPIDEA enrolled devices through deceptive apps and SDKs, BadBox devices typically ship from the factory already infected. These are the cheap Android TV boxes, digital picture frames, and streaming devices that we've warned about in previous notices.

Kimwolf Breaks Attack Records: How FAST is 31.4 Terabits Per Second?

In December 2025, the Kimwolf botnet launched an attack that peaked at 31.4 terabits per second with 200 million requests per second. This is THE LARGEST DDOS ATTACK EVER RECORDED. It broke the previous record of 29.7 Tbps set just months earlier, also by Kimwolf.

These numbers are hard to comprehend, so let's put them in perspective:

WHAT 31.4 TERABITS PER SECOND LOOKS LIKE:

  • Floppy Disks: 2,725,000,000 floppy disks per second
  • Cassette Tapes: 3,925,000,000 cassette tapes per second
  • CDs: 5,600 CDs per second
  • Blu-ray Movies: 100 complete 4K Blu-ray movies per second
  • Library of Congress: Could transfer the entire Library of Congress (~17,000,000 books) in about 4 seconds
  • Netflix Streams: Equivalent to 1,250,000 simultaneous 4K Netflix streams
  • Books: Could transfer 8,000,000 average-length books every single second
  • Home Internet: 314,000 times faster than a typical home internet connection

The attack was so massive that it caused collateral internet disruption across the United States, even affecting networks that weren't the intended targets. When botnet traffic of this magnitude flows through internet service providers, it's like trying to push a tsunami through a garden hose. Everyone downstream gets flooded.

THE SCARY PART: The 31.4 Tbps attack was launched with an estimated 2 to 4 million devices. If the Kimwolf operators now have access to BadBox 2.0's 10+ million devices, they could potentially triple or quadruple that firepower. We could be looking at attacks exceeding 100 terabits per second - enough to overwhelm almost any target on the internet.

What This Means For You

Google's action against IPIDEA is genuinely good news, but it's not a complete victory. Here's what you need to know:

The Good: Millions of devices have been cut off from the proxy network that Kimwolf was exploiting. If you had a device unknowingly enrolled in IPIDEA's network, Google Play Protect should now block the malicious software. The proxy "highway" that Kimwolf used to spread has been partially demolished.

The Bad: Devices that are already infected with Kimwolf remain infected. The botnet operators have shown they can adapt quickly and may have alternative methods to continue spreading, including through BadBox 2.0. The cheap Android TV boxes and streaming devices that ship infected from the factory are still out there.

The Ugly: Security researchers found IPIDEA proxies inside hundreds of government networks, utilities, healthcare organizations, and banks. This suggests that infected personal devices brought to work have been compromising corporate networks, exactly as we described in our last notice.

What You Should Do

ACTION ITEMS:

  1. If you own a cheap Android TV box or streaming device, especially brands like T95, X96, MX10, or "Superbox," unplug it and throw it away immediately
  2. Be extremely suspicious of digital picture frames, smart displays, or any device with a screen that isn't clearly running Windows, macOS, or iOS. Here's a sobering fact: Android accounts for nearly 50% of all smart TV operating systems, and when you include budget devices like digital picture frames, car infotainment systems, smart displays, and kiosks, that number approaches 100%. If it has a screen, connects to WiFi, and was cheap, it's almost certainly running Android, and it's almost certainly a target.
  3. Review apps on your phone and tablet and remove any free apps from unknown publishers, especially VPNs and "bandwidth monetization" apps
  4. Keep Google Play Protect enabled on all Android devices
  5. Don't bring questionable devices to work - if your personal phone or tablet has been compromised, it can expose your employer's network

Looking Ahead

This fight is far from over. Google has won an important battle, but the war continues. The botnet operators have shown remarkable resilience, and with potential access to BadBox 2.0's massive infrastructure, they have options for rebuilding.

We'll continue monitoring the situation and will send updates as significant developments occur. Our next regular notice will cover which specific devices are most at risk and what to look for when purchasing new electronics.

STAY INFORMED: This is a rapidly evolving situation. Bookmark our security page at security.grandavebb.com for the latest updates, and don't hesitate to contact us if you're experiencing unusual internet behavior or have questions about your devices.

Compiled by Grand Avenue Broadband Security Operations
Published: January 29, 2026 7:00 PM MST