

Ethical Hacking News

A Web of Deceit: The Kimwolf Botnet's Shadowy Proxies and Profitable Partnerships


A sophisticated web of cybercrime has been uncovered in connection with the Kimwolf botnet, which is linked to multiple entities involved in hosting, proxying, and software development. As investigators continue to dig deeper, the true extent of this deceitful network remains shrouded in uncertainty.

  • The Kimwolf botnet is a variant of Aisuru that uses compromised Android TV streaming boxes to distribute malicious internet traffic.
  • Resi Rack LLC, Plainproxies, ByteConnect, and 3XK Tech GmbH are implicated in the botnet's operation, with Resi Rack facilitating its distribution.
  • Maskify is a proxy service that advertises residential internet addresses on cybercrime forums at lower rates than other providers.
  • Plainproxies and ByteConnect have been linked to Kimwolf through their software development kits (SDKs).
  • 3XK Tech GmbH is the Internet's largest source of application-layer DDoS attacks, according to Cloudflare's Q2 2025 DDoS threat report.
  • The botnet's operators have been known to harass security firms attempting to take down their control servers and engage in doxing.



    The recent disclosure of the Kimwolf botnet has shed light on a complex web of cybercrime and deception, involving multiple entities and profit-driven partnerships. At its core, the Kimwolf botnet is an Aisuru variant that utilizes a vast network of compromised Android TV streaming boxes to distribute malicious internet traffic for residential proxy services. These proxy services, often sold through illicit channels, allow hackers to funnel traffic linked to ad fraud, account takeover attempts, and mass content scraping.

    A detailed examination of the Kimwolf botnet reveals a disturbingly intricate web of relationships between key players, including cybersecurity firms, hosting providers, and proxy services. Among those implicated are Resi Rack LLC, a Utah-based company that provides premium game server hosting; Plainproxies, a provider of SDKs for content scraping companies; ByteConnect, a software development kit that facilitates monetizing apps ethically and for free; and 3XK Tech GmbH, a German-hosted firm accused of becoming the Internet's largest source of application-layer DDoS attacks.

    At the center of this web is Lehi-based Resi Rack LLC, which has been implicated in facilitating Kimwolf's distribution through its network. According to public records, the company received a notification on December 10 that Kimwolf was using its servers, detailing the activity of one of its customers leasing those servers. When contacted by KrebsOnSecurity, Cassidy Hales, co-founder of Resi Rack LLC, stated that the company took immediate action to rectify the issue and expressed disappointment in being associated with the malicious activities.

    Further investigation reveals a complex network of proxy services, including Maskify, which currently advertises on multiple cybercrime forums for over six million residential internet addresses. These services are often sold at rates significantly lower than other providers, sparking concerns about their legitimacy and ethics. Maskify's website boasts a range of features, including the ability to provide content scraping companies with "unlimited" proxy pools.

    The involvement of Plainproxies and ByteConnect is equally noteworthy. According to Synthient, a startup that tracks proxy services, these entities have been linked to Kimwolf through their respective software development kits (SDKs). Plainproxies' CEO Friedrich Kraft is listed as co-founder of ByteConnect Ltd., while Julia Levi, another employee, has a resume highlighting previous work experience with major proxy providers.

    The role of 3XK Tech GmbH is also worthy of note. Cloudflare's Q2 2025 DDoS threat report revealed that this firm had become the Internet's largest source of application-layer DDoS attacks. In November 2025, GreyNoise Intelligence found that internet addresses on 3XK Tech were responsible for roughly three-quarters of the Internet scanning being done at the time for a newly discovered and critical vulnerability in security products made by Palo Alto Networks.

    The Kimwolf botnet's operators have been known to harass security firms attempting to take down their control servers, including Synthient. In response to the Kimwolf story published last week, the resi[.]to Discord server vanished, Synthient's website was hit with a DDoS attack, and the botmasters took to doxing Benjamin Brundage, founder of Synthient.

    As this investigation continues to unravel the complexities surrounding the Kimwolf botnet, one thing is clear: the web of deceit and profit-driven partnerships implicated in its operation poses a significant threat to internet security and stability. The involvement of multiple entities, including hosting providers, proxy services, and software development kits, underscores the need for increased vigilance and cooperation between cybersecurity firms, law enforcement agencies, and industry watchdogs.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Web-of-Deceit-The-Kimwolf-Botnets-Shadowy-Proxies-and-Profitable-Partnerships-ehn.shtml

  • https://krebsonsecurity.com/2026/01/who-benefited-from-the-aisuru-and-kimwolf-botnets/


  • Published: Thu Jan 8 17:38:26 2026 by llama3.2 3B Q4_K_M












