ISP Sinkholes Kimwolf Servers Amid Eruption of Bot Traffic

Lumen Spotted More Than 500 Command and Control Servers Since October Greg Sirico • January 16, 2026

A major U.S. internet service provider said it's blocked incoming traffic to more than 550 command and control servers botnets identified over the past four months that administer the Kimwolf and Aisuru botnets.

See Also: The Healthcare CISO's Guide to Medical IoT Security

Kimwolf has grown to encompass at least 2 million devices through a novel technique that begins with hacking already compromised Android TV top boxes, research from cybersecurity startup Synthient disclosed earlier this year.

Kimwolf operators scan for vulnerable Android operating system devices that other bad actors have already preloaded with malware converting the devices into residential proxies. Hackers value residential proxies since they can route malicious activity to look like ordinary internet traffic originating from a suburban TV. The flaw operators scan for an exposed Android ...