Who Benefited from the Aisuru and Kimwolf Botnets?
The Shadowy World of Residential Proxies and Botnets
In the ever-evolving landscape of cyber threats, a complex web of residential proxies and botnets has emerged, posing significant risks to individuals, businesses, and the internet as a whole. At the center of this web lies the Kimwolf botnet, a destructive force that has infected over two million devices by mass-compromising a vast number of unofficial Android TV streaming boxes. But who benefits from this malicious activity, and what are the implications for the internet's security?
The Players: Resi Rack, Plainproxies, and Maskify
Public records show that the Internet address range flagged by XLab, a Chinese security firm, is assigned to Lehi, Utah-based Resi Rack LLC. Resi Rack's website bills the company as a "Premium Game Server Hosting Provider," while its ads on the Internet moneymaking forum BlackHatWorld refer to it as a "Premium Residential Proxy Hosting and Proxy Software Solutions Company." Resi Rack's co-founder, Cassidy Hales, told KrebsOnSecurity that his company received a notification on December 10 about Kimwolf using their network, which they took care of immediately.
However, Resi Rack's involvement in the Kimwolf botnet goes beyond a simple notification. Synthient, a startup that tracks proxy services, found that at least seven static Resi Rack IP addresses were connected to Kimwolf proxy infrastructure between October and December 2025. This suggests that Resi Rack may have been actively involved in the sale of Kimwolf proxies, which were used to deploy programs that turned infected systems into Internet traffic relays for multiple residential proxy services.
One of these proxy services is Plainproxies, which distributes a software development kit (SDK) called ByteConnect. ByteConnect specializes in "monetizing apps ethically and free," while Plainproxies advertises the ability to provide content scraping companies with "unlimited" proxy pools. However, Synthient found that after connecting to ByteConnect's SDK, it observed a mass influx of credential-stuffing attacks targeting email servers and popular websites.
The Botmasters: Dort, Snow, and Forky
The stated owner of the resi[.]to Discord server, which was used to sell Kimwolf proxies, went by the abbreviated username "D." This appears to be short for the hacker handle "Dort," a name that was invoked frequently throughout these Discord chats. Forky, a Brazilian man who acknowledged being involved in the marketing of the Aisuru botnet at its inception in late 2024, claims that Dort is a resident of Canada and one of at least two individuals currently in control of the Aisuru/Kimwolf botnet.
The other individual Forky named as an Aisuru/Kimwolf botmaster goes by the nickname "Snow." On January 2, just hours after our story on Kimwolf was published, the historical chat records on resi[.]to were erased without warning and replaced by a profanity-laced message for Synthient's founder. Minutes after that, the entire server disappeared.
The Proxy Providers: Maskify and 3XK Tech
Synthient's January 2 report said another proxy provider heavily involved in the sale of Kimwolf proxies was Maskify, which currently advertises on multiple cybercrime forums that it has more than six million residential Internet addresses for rent. Maskify prices its service at a rate of 30 cents per gigabyte of data relayed through its proxies, which is far cheaper than any other proxy provider in business today.
Another proxy provider, 3XK Tech GmbH, is operated by Friedrich Kraft, the CEO of Plainproxies. In July 2025, Cloudflare reported that 3XK Tech had become the Internet's largest source of application-layer DDoS attacks. In November 2025, the security firm GreyNoise Intelligence found that Internet addresses on 3XK Tech were responsible for roughly three-quarters of the Internet scanning being done at the time for a newly discovered and critical vulnerability in security products made by Palo Alto Networks.
The Implications: A Shadowy World of Residential Proxies and Botnets
The Kimwolf botnet and its associated proxy providers pose significant risks to individuals, businesses, and the internet as a whole. The use of residential proxies to deploy malware and conduct DDoS attacks is a growing threat that must be addressed. The involvement of companies like Resi Rack and Plainproxies in the sale of Kimwolf proxies raises questions about their role in facilitating malicious activity.
The botmasters behind the Kimwolf botnet, including Dort and Snow, are a shadowy group that operates in the dark corners of the internet. Their use of Discord servers and other online platforms to sell Kimwolf proxies and coordinate their activities highlights the need for greater regulation and oversight of these platforms.
The proxy providers, including Maskify and 3XK Tech, are also a concern. Their use of cheap and easily accessible proxy services to conduct malicious activity is a growing threat that must be addressed.
Source: https://krebsonsecurity.com/2026/01/who-benefited-from-the-aisuru-and-kimwolf-botnets/




