Cyber Insights 2026: Social Engineering

16 January 2026, 13:30

We've known that social engineering would get AI wings. Now, at the beginning of 2026, we are learning just how high those wings can soar.

The post Cyber Insights 2026: Social Engineering appeared first on SecurityWeek.

Patch Tuesday, January 2026 Edition

14 January 2026, 01:47

Microsoft today issued patches to plug at least 113 security holes in its various Windows operating systems and supported software. Eight of the vulnerabilities earned Microsoft’s most-dire “critical” rating, and the company warns that attackers are already exploiting one of the bugs fixed today.

January’s Microsoft zero-day flaw — CVE-2026-20805 — is brought to us by a flaw in the Desktop Window Manager (DWM), a key component of Windows that organizes windows on a user’s screen. Kev Breen, senior director of cyber threat research at Immersive, said despite awarding CVE-2026-20805 a middling CVSS score of 5.5, Microsoft has confirmed its active exploitation in the wild, indicating that threat actors are already leveraging this flaw against organizations.

Breen said vulnerabilities of this kind are commonly used to undermine Address Space Layout Randomization (ASLR), a core operating system security control designed to protect against buffer overflows and other memory-manipulation exploits.

“By revealing where code resides in memory, this vulnerability can be chained with a separate code execution flaw, transforming a complex and unreliable exploit into a practical and repeatable attack,” Breen said. “Microsoft has not disclosed which additional components may be involved in such an exploit chain, significantly limiting defenders’ ability to proactively threat hunt for related activity. As a result, rapid patching currently remains the only effective mitigation.”

Chris Goettl, vice president of product management at Ivanti, observed that CVE-2026-20805 affects all currently supported versions of the Windows OS, including those covered by Extended Security Updates. Goettl said it would be a mistake to dismiss the severity of this flaw based on its “Important” rating and relatively low CVSS score.

“A risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned,” he said.

Among the critical flaws patched this month are two Microsoft Office remote code execution bugs (CVE-2026-20952 and CVE-2026-20953) that can be triggered just by viewing a booby-trapped message in the Preview Pane.

Our October 2025 Patch Tuesday “End of 10” roundup noted that Microsoft had removed a modem driver from all versions after it was discovered that hackers were abusing a vulnerability in it to hack into systems. Adam Barnett at Rapid7 said Microsoft today removed another couple of modem drivers from Windows for a broadly similar reason: Microsoft is aware of functional exploit code for an elevation of privilege vulnerability in a very similar modem driver, tracked as CVE-2023-31096.

“That’s not a typo; this vulnerability was originally published via MITRE over two years ago, along with a credible public writeup by the original researcher,” Barnett said. “Today’s Windows patches remove agrsm64.sys and agrsm.sys. All three modem drivers were originally developed by the same now-defunct third party, and have been included in Windows for decades. These driver removals will pass unnoticed for most people, but you might find active modems still in a few contexts, including some industrial control systems.”

According to Barnett, two questions remain: How many more legacy modem drivers are still present on a fully-patched Windows asset; and how many more elevation-to-SYSTEM vulnerabilities will emerge from them before Microsoft cuts off attackers who have been enjoying “living off the land[line] by exploiting an entire class of dusty old device drivers?”

“Although Microsoft doesn’t claim evidence of exploitation for CVE-2023-31096, the relevant 2023 write-up and the 2025 removal of the other Agere modem driver have provided two strong signals for anyone looking for Windows exploits in the meantime,” Barnett said. “In case you were wondering, there is no need to have a modem connected; the mere presence of the driver is enough to render an asset vulnerable.”

Immersive, Ivanti and Rapid7 all called attention to CVE-2026-21265, which is a critical Security Feature Bypass vulnerability affecting Windows Secure Boot. This security feature is designed to protect against threats like rootkits and bootkits, and it relies on a set of certificates that are set to expire in June 2026 and October 2026. Once these 2011 certificates expire, Windows devices that do not have the new 2023 certificates can no longer receive Secure Boot security fixes.

Barnett cautioned that when updating the bootloader and BIOS, it is essential to prepare fully ahead of time for the specific OS and BIOS combination you’re working with, since incorrect remediation steps can lead to an unbootable system.

“Fifteen years is a very long time indeed in information security, but the clock is running out on the Microsoft root certificates which have been signing essentially everything in the Secure Boot ecosystem since the days of Stuxnet,” Barnett said. “Microsoft issued replacement certificates back in 2023, alongside CVE-2023-24932 which covered relevant Windows patches as well as subsequent steps to remediate the Secure Boot bypass exploited by the BlackLotus bootkit.”

Goettl noted that Mozilla has released updates for Firefox and Firefox ESR resolving a total of 34 vulnerabilities, two of which are suspected to be exploited (CVE-2026-0891 and CVE-2026-0892). Both are resolved in Firefox 147 (MFSA2026-01) and CVE-2026-0891 is resolved in Firefox ESR 140.7 (MFSA2026-03).

“Expect Google Chrome and Microsoft Edge updates this week in addition to a high severity vulnerability in Chrome WebView that was resolved in the January 6 Chrome update (CVE-2026-0628),” Goettl said.

As ever, the SANS Internet Storm Center has a per-patch breakdown by severity and urgency. Windows admins should keep an eye on askwoody.com for any news about patches that don’t quite play nice with everything. If you experience any issues related to installing January’s patches, please drop a line in the comments below.

Special 2025: a year of earthquakes

12 January 2026, 10:00

In 2025, 15759 earthquakes were located in Italy and neighbouring areas. INGV researchers and technicians, on duty around the clock in the Operations Rooms, analysed and located on average just over 43 seismic events per day, roughly one every 33 minutes. This figure indicates a slight decrease in the daily average compared with 2024.

Map of the epicentres of the more than 15 thousand earthquakes located in 2025 – source https://terremoti.ingv.it. The map does not include the micro-earthquakes (M<1) located by the Osservatorio Vesuviano (INGV-OV) in the volcanic areas of Campania and by the Osservatorio Etneo (INGV-OE) in the volcanic areas of Sicily.

As the map shows, in this past year too all Italian regions were affected by earthquakes, to a greater or lesser extent. In 2025 the strongest earthquake recorded in Italy occurred in the Adriatic Sea, in the Gargano area, about ten kilometres off the coast of the province of Foggia. This event, of magnitude Mw 4.8, belongs to a seismic sequence that has been active since March 2025 in the area north of the Gargano Promontory, near Lake Lesina.

Unlike previous years, in 2025 there were no seismic events of magnitude 5.0 or greater, not even in the neighbouring areas outside the national territory. Earthquakes of magnitude between 4.0 and 4.9 were numerous, however: 21 events in total, 16 of which occurred on Italian territory and in the surrounding seas and the remaining 5 between Croatia and Albania. Of the 21, 10 were located at sea or along the coasts and 11 on land.

The total number of earthquakes located in Italy in 2025 is slightly lower than in 2024 (just over 1000 fewer earthquakes than in 2024) and has remained more or less stable, between 16 thousand and 17 thousand earthquakes per year, since 2019, a marked drop compared with 2016, 2017 and 2018. The increase in those three years was caused by the seismic sequence in central Italy, which began on 24 August 2016 and continued at a sustained pace for more than two years. As already observed, in the years after 2018 the number of seismic events located in this area has nonetheless remained significant, and it was so in 2025 too, still representing a decidedly high share of total seismicity in Italy: about 30% of all located events. Over the years, however, both the number and, above all, the magnitude of the earthquakes in this zone have steadily decreased.

The chart below shows the annual number of earthquakes located by the stations of the Rete Sismica Nazionale Integrata (RSNI) from 2012 to 2025.

Chart of seismicity in Italy and neighbouring areas from 2012 to 2025. The blue columns show all located events; the red columns show only those of magnitude M ≥ 2.0. The peak in 2016 and 2017 relates to the central Italy sequence, which began with the Amatrice earthquake of 24 August 2016. The number of events located and available on the terremoti.ingv.it portal may vary over the years following analysis and revision by the seismologist analysts of the INGV Bollettino Sismico.

In the chart, the blue column represents the total annual number of located seismic events (of all magnitudes), which exceeded 40 thousand in 2016 and 2017 because of the central Italy sequence. The red column indicates the annual number of earthquakes of magnitude 2.0 or greater, which on average corresponds to 15-20% of all located earthquakes but which in 2025 is just over 11% of the total, a slight decrease compared with 2024.

The following table lists the earthquakes of magnitude 4.0 or greater located on national territory, at sea or along the coasts. The column with the Italian date and time links to the article on the earthquake published on the INGVterremoti.com blog-magazine, where available.

Date and time (Italy)    Magnitude   Epicentre                            Depth
07/02/2025, 16:19:12     Mw 4.7      Isole Eolie (Messina)                6.9 km
26/02/2025, 19:11:21     Mw 4.4      Tirreno Meridionale (MARE)           184 km
13/03/2025, 01:25:02     Md 4.6      Campi Flegrei                        2.4 km
14/03/2025, 20:37:14     Mw 4.8      Costa Garganica (Foggia)             8 km
15/03/2025, 21:45:56     Mw 4.1      Isole Egadi (Trapani)                5.7 km
18/03/2025, 10:01:25     Mw 4.2      4 km NE Potenza (PZ)                 13.1 km
16/04/2025, 03:26:08     Mw 4.4      Mar Ionio Meridionale (MARE)         48.5 km
13/05/2025, 12:07:44     Md 4.4      Campi Flegrei                        2.6 km
30/06/2025, 01:25:02     Md 4.6      Campi Flegrei                        3.9 km
18/07/2025, 09:14:22     Md 4.0      Campi Flegrei                        2.5 km
26/08/2025, 06:07:05     Mw 4.7      Tirreno Meridionale (MARE)           9.4 km
01/09/2025, 04:55:45     Md 4.0      Campi Flegrei                        2.3 km
06/10/2025, 12:13:59     Mw 4.2      Costa Marchigiana Pesarese (PU)      9.4 km
25/10/2025, 21:49:18     Mw 4.0      1 km N Montefredane (AV)             14.9 km
15/12/2025, 10:11:22     ML 4.0      Mar Ionio Meridionale (MARE)         31.6 km


The table does not include other events, of magnitude below 4.0, which were nonetheless felt significantly across the territory and which can be considered isolated events, i.e. not linked to significant seismic sequences.

Some figures and curiosities about the 2025 earthquakes in Italy and neighbouring areas

  • 15759 earthquakes located.
  • 1566 earthquakes of magnitude between 2.0 and 2.9.
  • 181 earthquakes of magnitude between 3.0 and 3.9.
  • 21 earthquakes of magnitude between 4.0 and 4.9.
  • Of these, 16 occurred on Italian territory or in the surrounding seas and the remaining 5 between Croatia and Albania. Of the 21, 10 had their epicentre at sea or along the coasts; 11 on land.
  • In 2025 several events of magnitude 0.0 were located, and even 6 events of negative magnitude (down to -0.3), in the provinces of Perugia and Macerata. In this sector of the Apennines, INGV operates a very dense network of seismic stations, which makes it possible to locate extremely small earthquakes. The increase in seismic events of such small magnitude testifies to the constant improvement of INGV's Rete Sismica Nazionale Integrata. This strengthening is also made possible by the contribution of stations belonging to other regional and local networks, as well as those connected to scientific experiments and to national (Taboo) and international (AdriaArray) projects.
  • The deepest event occurred on 18 November 2025 at 13:35 Italian time, magnitude ML 3.6, off the coast of Campania. It was located at an extremely great depth, about 450 km, well below the usual seismogenic depths of Italian earthquakes, which occur mostly in the upper crust. The geographical area indicated for this event is that of Campi Flegrei, but given its depth this earthquake has nothing to do with the extremely shallow seismicity of the Phlegraean area. This deep event, very rare for this geographical area, is attributable to a geological process typical of the southern Tyrrhenian: the presence in the Earth's mantle of a “slab” of Ionian oceanic lithosphere that has been sinking beneath the Tyrrhenian Sea for several million years.
  • The first of the year was located in the Marche, near Frontone, in the province of Pesaro-Urbino, about an hour after midnight, and had magnitude 1.1.
  • The last of the year, as in 2024, was located in Tuscany, near Sansepolcro in the province of Arezzo, less than an hour before the end of the year (at 23:10 Italian time on 31 December 2025). This earthquake, of magnitude 0.8, is part of a small seismic sequence of about 150 low-energy events that occurred in the area in December.
  • The region with the most earthquakes of magnitude ≥ 2.0: Sicily. In 2025, Sicily had the highest number of seismic events of magnitude 2.0 or greater (288), overtaking Emilia-Romagna, which held this position in 2024. Campania and Calabria follow. If very small earthquakes (magnitude below 2) were also counted, the result would be conditioned by the density of the seismic network, and this year too the regions with the most events would be Marche and Umbria, with more than three thousand events.
  • The region with the fewest earthquakes: Sardinia, as always. It is the region of Italy farthest from the deforming belts of the Apennines and the Alps and is therefore characterised by much rarer seismicity than the other Italian regions, though not absent. In 2025, 19 events were located on the island, only one of magnitude 2.0 on land. Some events, of magnitude up to 2.7, were located at sea, in particular off Olbia. Other events, of lower magnitude, were classified as quarry blasts or explosions.

Seismic sequences in Italy in 2025

In 2025 too there were numerous seismic sequences of varying length, some of which had already been active in previous years, such as the central Italy sequence that began in August 2016 and the seismic swarms in the Phlegraean area. The 2025 sequences were generally of short to medium duration and of usually modest magnitude (the maximum was Mw 4.8 off the coast of northern Puglia).

The main sequences that characterised 2025 are briefly described below.

The central Italy sequence in 2025

In 2025 the seismic activity in the area of the Amatrice-Visso-Norcia sequence (central Italy), which began on 24 August 2016 and continued in the following years, remained constant in the overall number of shocks, mainly with events of magnitude below 2.0 and very few earthquakes of magnitude above 3. Nonetheless, this sequence still contributes significantly to seismicity in Italy: its more than five thousand earthquakes represent a substantial share, exceeding 30% of all earthquakes recorded by the stations of the Rete Sismica Nazionale Integrata on national territory in 2025.

Seismicity in 2025 in the area of the central Italy sequence that began on 24 August 2016.

As the map also shows, very few events of magnitude 3 or greater were located in this area and the adjacent zones in 2025: among them, two earthquakes, both of magnitude ML 3.5, on 21 March near Gagliole (province of Macerata) and on 23 April at Spoleto (province of Perugia).

Seismicity in the Campi Flegrei area

In 2025, particularly in February, the stations of the Monitoring Network of INGV's Osservatorio Vesuviano recorded several seismic swarms in the Campi Flegrei area (Naples), with events also felt by the population in the Pozzuoli area and neighbouring areas as far as the city of Naples. It was the year in which the highest-magnitude earthquakes in the area linked to the ongoing bradyseismic crisis were recorded: two events of magnitude Md 4.6, on 13 March (near Bagnoli) and on 30 June (in the middle of the gulf). Three other earthquakes of magnitude 4 or greater occurred in 2025: on 13 May with Md 4.4, and on 18 July and 1 September with magnitude Md 4.0. Twenty-eight events had a magnitude between 3.0 and 3.9. In total, more than 1000 earthquakes of magnitude 1.0 or greater were located in the area.

Seismicity in the Campi Flegrei area in 2025. All events of magnitude 1.0 or greater published on the terremoti.ingv.it portal are shown.

All locations of seismic events in the Campi Flegrei area, including those of magnitude below 1.0, are available on the website of INGV-Osservatorio Vesuviano (GOSSIP – Database Sismologico Pubblico INGV-Osservatorio Vesuviano, https://doi.org/10.13127/gossip) and are described on the INGVvulcani web and social channels.

Seismic sequence along the Gargano coast (Foggia)

Since March 2025 the stations of the Rete Sismica Nazionale Integrata have recorded a series of seismic events located in the Adriatic Sea along the northern Gargano coast, near Lake Lesina (province of Foggia). The largest event of the sequence (Mw 4.8, ML 4.7) occurred in this area on 14 March; it is also the strongest earthquake to occur in Italy in 2025. It was very widely felt, not only in the coastal and inland areas of Puglia but also in the neighbouring regions of Molise, Campania and Basilicata.

Seismicity in 2025 in the Adriatic Sea off the northern Gargano coast. The Mw 4.8 event of 14 March, the strongest earthquake recorded in Italy and neighbouring areas in 2025, is clearly visible on the map.

In total, about 250 events were located in this area of the Adriatic Sea in 2025, most of them in March and April and more than half of magnitude below 2; six events were between 3.0 and 3.9.

Seismicity in the southern Tyrrhenian Sea

In the southern Tyrrhenian Sea, seismic activity is always very frequent and is often characterised by very deep earthquakes, due to the geological process known as “subduction”. In 2025 too, numerous earthquakes were located in this area, many of magnitude above 3 and some of magnitude above 4: for example, the 24 February event of magnitude Mw 4.4, located at a depth of more than 180 km.

Seismicity in 2025 in the southern Tyrrhenian Sea.

In 2025, seismic events of magnitude above 4 with shallow hypocentres were also located in the southern Tyrrhenian Sea. For example, the two earthquakes off the Egadi Islands of 15 March, magnitude Mw 4.1, and 26 August, magnitude Mw 4.7, the latter moderately felt in some localities of the provinces of Trapani and Palermo along the coast of western Sicily.

Also worth recalling is the seismic sequence of February near the Aeolian Islands archipelago, with more than 50 events, the strongest of which occurred on 7 February with magnitude Mw 4.7 (Ml 4.8), at a depth of about 17 km, and was felt along the northern coast of Sicily, in eastern Sicily and in southern Calabria.

Seismic sequence in the province of Avellino

Between 24 and 25 October, about ten seismic events were located in an area north of the city of Avellino, between the municipalities of Grottolella and Montefredane. The two largest events of this sequence were the one on 24 October at 14:40 local time, magnitude Mw 3.7 (ML 3.6), and the one on the following day, 25 October, at 21:49 Italian time, magnitude Mw 4.0 (ML 4.0). The depths of these events lie between 14 and 16 km, thus slightly deeper than earthquakes located in the Apennines. Both events were very widely felt, not only in the provinces of Avellino and Benevento but also in the Salerno area, throughout the Vesuvian area and in much of the province of Naples.

The seismic sequence that occurred between October and December 2025 north of the city of Avellino.

This sequence was generated by seismogenic structures located 30-40 km further south than those that caused the tragic Irpinia and Basilicata earthquake of 23 November 1980.

The interactive map of the 2025 earthquakes

The seismicity of 2025 is shown in an interactive map. The application represents the 15759 earthquakes, classified and colour-coded by magnitude. Each event can be queried to display its hypocentral parameters, the event information page from the terremoti.ingv.it portal and, for the strongest events, the corresponding shaking map from shakemap.ingv.it/.

In addition, a slider has been created that allows the seismic events to be scrolled through week by week, either automatically (default mode) or with the manual controls (PLAY, PAUSE, BACK and FORWARD). The slider web application can also be viewed on mobile devices from this link.

Open the interactive map of the 2025 earthquakes

By Maurizio Pignone and the INGVterremoti TEAM


Data credits and note

  • ISIDe working group (2016) version 1.0, DOI: 10.13127/ISIDe, Italian Seismological Instrumental and parametric database: http://iside.rm.ingv.it/iside
  • GOSSIP – Database sismologico Pubblico INGV-Osservatorio Vesuviano. Istituto Nazionale di Geofisica e Vulcanologia (INGV). https://doi.org/10.13127/gossip

We remind readers that the data for all seismic events occurring in Italy are computed and revised by the staff on duty around the clock in the INGV Operations Rooms of Rome, Naples and Catania, and are published a few minutes after each earthquake on the real-time data portal of INGV's Dipartimento TERREMOTI (http://terremoti.ingv.it/). For the Naples and Catania Operations Rooms, http://terremoti.ingv.it/ lists the earthquakes of magnitude 1.0 or greater. The data refer to a rectangular area with the following limits: latitude between 35°N and 49°N and longitude between 5°E and 20°E.


Licence

Creative Commons Licence
This work is distributed under a Creative Commons Attribution – NoDerivatives 4.0 International Licence.

The Kimwolf Botnet is Stalking Your Local Network

2 January 2026, 15:20

The story you are reading is a series of scoops nestled inside a far more urgent Internet-wide security advisory. The vulnerability at issue has been exploited for months already, and it’s time for a broader awareness of the threat. The short version is that everything you thought you knew about the security of the internal network behind your Internet router probably is now dangerously out of date.

The security company Synthient currently sees more than 2 million infected Kimwolf devices distributed globally but with concentrations in Vietnam, Brazil, India, Saudi Arabia, Russia and the United States. Synthient found that two-thirds of the Kimwolf infections are Android TV boxes with no security or authentication built in.

The past few months have witnessed the explosive growth of a new botnet dubbed Kimwolf, which experts say has infected more than 2 million devices globally. The Kimwolf malware forces compromised systems to relay malicious and abusive Internet traffic — such as ad fraud, account takeover attempts and mass content scraping — and participate in crippling distributed denial-of-service (DDoS) attacks capable of knocking nearly any website offline for days at a time.

More important than Kimwolf’s staggering size, however, is the diabolical method it uses to spread so quickly: By effectively tunneling back through various “residential proxy” networks and into the local networks of the proxy endpoints, and by further infecting devices that are hidden behind the assumed protection of the user’s firewall and Internet router.

Residential proxy networks are sold as a way for customers to anonymize and localize their Web traffic to a specific region, and the biggest of these services allow customers to route their traffic through devices in virtually any country or city around the globe.

The malware that turns an end-user’s Internet connection into a proxy node is often bundled with dodgy mobile apps and games. These residential proxy programs also are commonly installed via unofficial Android TV boxes sold by third-party merchants on popular e-commerce sites like Amazon, BestBuy, Newegg, and Walmart.

These TV boxes range in price from $40 to $400, are marketed under a dizzying range of no-name brands and model numbers, and frequently are advertised as a way to stream certain types of subscription video content for free. But there’s a hidden cost to this transaction: As we’ll explore in a moment, these TV boxes make up a considerable chunk of the estimated two million systems currently infected with Kimwolf.

Some of the unsanctioned Android TV boxes that come with residential proxy malware pre-installed. Image: Synthient.

Kimwolf also is quite good at infecting a range of Internet-connected digital photo frames that likewise are abundant at major e-commerce websites. In November 2025, researchers from Quokka published a report (PDF) detailing serious security issues in Android-based digital picture frames running the Uhale app — including Amazon’s bestselling digital frame as of March 2025.

There are two major security problems with these photo frames and unofficial Android TV boxes. The first is that a considerable percentage of them come with malware pre-installed, or else require the user to download an unofficial Android App Store and malware in order to use the device for its stated purpose (video content piracy). The most typical of these uninvited guests are small programs that turn the device into a residential proxy node that is resold to others.

The second big security nightmare with these photo frames and unsanctioned Android TV boxes is that they rely on a handful of Internet-connected microcomputer boards that have no discernible security or authentication requirements built-in. In other words, if you are on the same network as one or more of these devices, you can likely compromise them simultaneously by issuing a single command across the network.

THERE’S NO PLACE LIKE 127.0.0.1

The combination of these two security realities came to the fore in October 2025, when an undergraduate computer science student at the Rochester Institute of Technology began closely tracking Kimwolf’s growth, and interacting directly with its apparent creators on a daily basis.

Benjamin Brundage is the 22-year-old founder of the security firm Synthient, a startup that helps companies detect proxy networks and learn how those networks are being abused. Conducting much of his research into Kimwolf while studying for final exams, Brundage told KrebsOnSecurity in late October 2025 he suspected Kimwolf was a new Android-based variant of Aisuru, a botnet that was incorrectly blamed for a number of record-smashing DDoS attacks last fall.

Brundage says Kimwolf grew rapidly by abusing a glaring vulnerability in many of the world’s largest residential proxy services. The crux of the weakness, he explained, was that these proxy services weren’t doing enough to prevent their customers from forwarding requests to internal servers of the individual proxy endpoints.

Most proxy services take basic steps to prevent their paying customers from “going upstream” into the local network of proxy endpoints, by explicitly denying requests for local addresses specified in RFC-1918, including the well-known Network Address Translation (NAT) ranges 10.0.0.0/8, 192.168.0.0/16, and 172.16.0.0/12. These ranges allow multiple devices in a private network to access the Internet using a single public IP address, and if you run any kind of home or office network, your internal address space operates within one or more of these NAT ranges.

However, Brundage discovered that the people operating Kimwolf had figured out how to talk directly to devices on the internal networks of millions of residential proxy endpoints, simply by using Domain Name System (DNS) records of their own that resolved to addresses in the RFC-1918 ranges, so that the proxy saw a hostname rather than a denied private address.

“It is possible to circumvent existing domain restrictions by using DNS records that point to 192.168.0.1 or 0.0.0.0,” Brundage wrote in a first-of-its-kind security advisory sent to nearly a dozen residential proxy providers in mid-December 2025. “This grants an attacker the ability to send carefully crafted requests to the current device or a device on the local network. This is actively being exploited, with attackers leveraging this functionality to drop malware.”
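The filter gap described above, as an added example (not Synthient's, IPIDEA's or any proxy vendor's code): the literal-only RFC-1918 check the article describes, beside an egress check that resolves the hostname first and judges every answer it gets back. The hostnames and DNS answers are constructed so the module runs offline; `system_resolve` is the hook a real deployment would plug in.

```python
"""Egress filter for a forwarding proxy: a hostname whose record points at
192.168.0.1 or 0.0.0.0 must be refused just like the literal address would be.
Added example; the DNS table and hostnames below are constructed."""
import ipaddress
import socket
from typing import Callable, List, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed DNS answers standing in for a real resolver (hypothetical names).
FAKE_DNS = {
    "cdn.example.net": ["203.0.113.10"],            # documentation-range stand-in for a public host
    "rebind.attacker.example": ["192.168.0.1"],      # record pointing into RFC-1918 space
    "null.attacker.example": ["0.0.0.0"],            # the 0.0.0.0 variant named in the advisory
    "mapped.attacker.example": ["::ffff:10.0.0.5"],  # IPv4-mapped IPv6 spelling of a private address
    "mixed.attacker.example": ["203.0.113.10", "172.16.0.9"],  # one public and one private answer
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def system_resolve(host: str) -> List[str]:
    """Real resolver for production use; not called by the offline demo."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


# RFC-1918 ranges, as named in the article.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Everything a proxy endpoint should never be asked to reach on its own side of the NAT.
BLOCKED = RFC1918 + [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",       # "this network", includes 0.0.0.0 (the local host on many stacks)
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local
    "100.64.0.0/10",   # carrier-grade NAT
    "224.0.0.0/4",     # multicast
    "240.0.0.0/4",     # reserved and broadcast
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def is_blocked(ip: IPAddr) -> bool:
    """True if ip, after unwrapping IPv4-mapped IPv6, falls in a blocked range."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED)


def naive_allow(target: str) -> bool:
    """The weak check the article describes: deny RFC-1918 literals only.
    A hostname is passed through unexamined and resolved at the endpoint."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return True
    return not any(ip in net for net in RFC1918)


def vetted_addresses(target: str,
                     resolve: Callable[[str], List[str]] = fake_resolve) -> List[IPAddr]:
    """Addresses the target denotes: the literal itself, or every DNS answer."""
    try:
        return [ipaddress.ip_address(target)]
    except ValueError:
        pass
    try:
        return [ipaddress.ip_address(a) for a in resolve(target)]
    except ValueError:
        return []  # malformed answer: treat as unresolvable


def hardened_allow(target: str,
                   resolve: Callable[[str], List[str]] = fake_resolve) -> bool:
    """Resolve first, then require every answer to lie outside the blocked ranges.
    Fails closed on unresolvable names. A real proxy must then connect to one of
    the vetted addresses instead of re-resolving the name at the endpoint, or a
    record that changes between check and use (DNS rebinding) reopens the gap."""
    addrs = vetted_addresses(target, resolve)
    return bool(addrs) and not any(is_blocked(a) for a in addrs)


if __name__ == "__main__":
    for host in FAKE_DNS:
        print(f"{host:26} naive={naive_allow(host)!s:5} hardened={hardened_allow(host)}")
```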

As with the digital photo frames mentioned above, many of these residential proxy services run solely on mobile devices that are running some game, VPN or other app with a hidden component that turns the user’s mobile phone into a residential proxy — often without any meaningful consent.

In a report published today, Synthient said key actors involved in Kimwolf were observed monetizing the botnet through app installs, selling residential proxy bandwidth, and selling its DDoS functionality.

“Synthient expects to observe a growing interest among threat actors in gaining unrestricted access to proxy networks to infect devices, obtain network access, or access sensitive information,” the report observed. “Kimwolf highlights the risks posed by unsecured proxy networks and their viability as an attack vector.”

ANDROID DEBUG BRIDGE

After purchasing a number of unofficial Android TV box models that were most heavily represented in the Kimwolf botnet, Brundage further discovered the proxy service vulnerability was only part of the reason for Kimwolf’s rapid rise: He also found virtually all of the devices he tested were shipped from the factory with a powerful feature called Android Debug Bridge (ADB) mode enabled by default.

Many of the unofficial Android TV boxes infected by Kimwolf include the ominous disclaimer: “Made in China. Overseas use only.” Image: Synthient.

ADB is a diagnostic tool intended for use solely during the manufacturing and testing processes, because it allows the devices to be remotely configured and even updated with new (and potentially malicious) firmware. However, shipping these devices with ADB turned on creates a security nightmare because in this state they constantly listen for and accept unauthenticated connection requests.

For example, opening a command prompt and typing “adb connect” along with a vulnerable device’s (local) IP address followed immediately by “:5555” will very quickly offer unrestricted “super user” administrative access.

Brundage said by early December, he’d identified a one-to-one overlap between new Kimwolf infections and proxy IP addresses offered for rent by China-based IPIDEA, currently the world’s largest residential proxy network by all accounts.

“Kimwolf has almost doubled in size this past week, just by exploiting IPIDEA’s proxy pool,” Brundage told KrebsOnSecurity in early December as he was preparing to notify IPIDEA and 10 other proxy providers about his research.

Brundage said Synthient first confirmed on December 1, 2025 that the Kimwolf botnet operators were tunneling back through IPIDEA’s proxy network and into the local networks of systems running IPIDEA’s proxy software. The attackers dropped the malware payload by directing infected systems to visit a specific Internet address and to call out the pass phrase “krebsfiveheadindustries” in order to unlock the malicious download.

On December 30, Synthient said it was tracking roughly 2 million IPIDEA addresses exploited by Kimwolf in the previous week. Brundage said he has witnessed Kimwolf rebuilding itself after one recent takedown effort targeting its control servers — from almost nothing to two million infected systems just by tunneling through proxy endpoints on IPIDEA for a couple of days.

Brundage said IPIDEA has a seemingly inexhaustible supply of new proxies, advertising access to more than 100 million residential proxy endpoints around the globe in the past week alone. Analyzing the exposed devices that were part of IPIDEA’s proxy pool, Synthient said it found more than two-thirds were Android devices that could be compromised with no authentication needed.

SECURITY NOTIFICATION AND RESPONSE

After charting a tight overlap in Kimwolf-infected IP addresses and those sold by IPIDEA, Brundage was eager to make his findings public: The vulnerability had clearly been exploited for several months, although it appeared that only a handful of cybercrime actors were aware of the capability. But he also knew that going public without giving vulnerable proxy providers an opportunity to understand and patch it would only lead to more mass abuse of these services by additional cybercriminal groups.

On December 17, Brundage sent a security notification to all 11 of the apparently affected proxy providers, hoping to give each at least a few weeks to acknowledge and address the core problems identified in his report before he went public. Many proxy providers who received the notification were resellers of IPIDEA that white-labeled the company’s service.

KrebsOnSecurity first sought comment from IPIDEA in October 2025, in reporting on a story about how the proxy network appeared to have benefitted from the rise of the Aisuru botnet, whose administrators appeared to shift from using the botnet primarily for DDoS attacks to simply installing IPIDEA’s proxy program, among others.

On December 25, KrebsOnSecurity received an email from an IPIDEA employee identified only as “Oliver,” who said allegations that IPIDEA had benefitted from Aisuru’s rise were baseless.

“After comprehensively verifying IP traceability records and supplier cooperation agreements, we found no association between any of our IP resources and the Aisuru botnet, nor have we received any notifications from authoritative institutions regarding our IPs being involved in malicious activities,” Oliver wrote. “In addition, for external cooperation, we implement a three-level review mechanism for suppliers, covering qualification verification, resource legality authentication and continuous dynamic monitoring, to ensure no compliance risks throughout the entire cooperation process.”

“IPIDEA firmly opposes all forms of unfair competition and malicious smearing in the industry, always participates in market competition with compliant operation and honest cooperation, and also calls on the entire industry to jointly abandon irregular and unethical behaviors and build a clean and fair market ecosystem,” Oliver continued.

Meanwhile, the same day that Oliver’s email arrived, Brundage shared a response he’d just received from IPIDEA’s security officer, who identified himself only by the first name Byron. The security officer said IPIDEA had made a number of important security changes to its residential proxy service to address the vulnerability identified in Brundage’s report.

“By design, the proxy service does not allow access to any internal or local address space,” Byron explained. “This issue was traced to a legacy module used solely for testing and debugging purposes, which did not fully inherit the internal network access restrictions. Under specific conditions, this module could be abused to reach internal resources. The affected paths have now been fully blocked and the module has been taken offline.”

Byron told Brundage IPIDEA also instituted multiple mitigations for blocking DNS resolution to internal (NAT) IP ranges, and that it was now blocking proxy endpoints from forwarding traffic on “high-risk” ports “to prevent abuse of the service for scanning, lateral movement, or access to internal services.”

An excerpt from an email sent by IPIDEA’s security officer in response to Brundage’s vulnerability notification.

Brundage said IPIDEA appears to have successfully patched the vulnerabilities he identified. He also noted he never observed the Kimwolf actors targeting proxy services other than IPIDEA, which has not responded to requests for comment.

Riley Kilmer is founder of Spur.us, a technology firm that helps companies identify and filter out proxy traffic. Kilmer said Spur has tested Brundage’s findings and confirmed that IPIDEA and all of its affiliate resellers indeed allowed full and unfiltered access to the local LAN.

Kilmer said one model of unsanctioned Android TV boxes that is especially popular — the Superbox, which we profiled in November’s Is Your Android TV Streaming Box Part of a Botnet? — leaves Android Debug Mode running on localhost:5555.

“And since Superbox turns the IP into an IPIDEA proxy, a bad actor just has to use the proxy to localhost on that port and install whatever bad SDKs [software development kits] they want,” Kilmer told KrebsOnSecurity.

Superbox media streaming boxes for sale on Walmart.com.

ECHOES FROM THE PAST

Both Brundage and Kilmer say IPIDEA appears to be the second or third reincarnation of a residential proxy network formerly known as 911S5 Proxy, a service that operated between 2014 and 2022 and was wildly popular on cybercrime forums. 911S5 Proxy imploded a week after KrebsOnSecurity published a deep dive on the service’s sketchy origins and leadership in China.

In that 2022 profile, we cited work by researchers at the University of Sherbrooke in Canada who were studying the threat 911S5 could pose to internal corporate networks. The researchers noted that “the infection of a node enables the 911S5 user to access shared resources on the network such as local intranet portals or other services.”

“It also enables the end user to probe the LAN network of the infected node,” the researchers explained. “Using the internal router, it would be possible to poison the DNS cache of the LAN router of the infected node, enabling further attacks.”

911S5 initially responded to our reporting in 2022 by claiming it was conducting a top-down security review of the service. But the proxy service abruptly closed up shop just one week later, saying a malicious hacker had destroyed all of the company’s customer and payment records. In July 2024, The U.S. Department of the Treasury sanctioned the alleged creators of 911S5, and the U.S. Department of Justice arrested the Chinese national named in my 2022 profile of the proxy service.

Kilmer said IPIDEA also operates a sister service called 922 Proxy, which the company has pitched from Day One as a seamless alternative to 911S5 Proxy.

“You cannot tell me they don’t want the 911 customers by calling it that,” Kilmer said.

Among the recipients of Synthient’s notification was the proxy giant Oxylabs. Brundage shared an email he received from Oxylabs’ security team on December 31, which acknowledged Oxylabs had started rolling out security modifications to address the vulnerabilities described in Synthient’s report.

Reached for comment, Oxylabs confirmed they “have implemented changes that now eliminate the ability to bypass the blocklist and forward requests to private network addresses using a controlled domain.” But it said there is no evidence that Kimwolf or other attackers exploited its network.

“In parallel, we reviewed the domains identified in the reported exploitation activity and did not observe traffic associated with them,” the Oxylabs statement continued. “Based on this review, there is no indication that our residential network was impacted by these activities.”
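The egress check that Byron and Oxylabs describe (refusing to forward when a customer-supplied hostname resolves to a private, loopback or 0.0.0.0 address, and refusing blocked ports) can be written as a small guard in a proxy node's request path. The Python below is an added example and not IPIDEA's or Oxylabs' code; the hostnames and DNS answers are constructed, and 5555 is the only "high-risk" port the article itself names.

```python
import ipaddress

# Constructed DNS answers standing in for a real resolver. The hostnames are
# hypothetical; only what they resolve to matters for the check.
FAKE_DNS = {
    "cdn.example.net": ["93.184.216.34"],                 # constructed public answer
    "rebind.example.net": ["192.168.0.1"],                # home router on the node's LAN
    "wildcard.example.net": ["0.0.0.0"],                  # "this host" on most stacks
    "mapped.example.net": ["::ffff:10.0.0.5"],            # IPv4-mapped IPv6 form of a LAN address
    "mixed.example.net": ["93.184.216.34", "127.0.0.1"],  # one internal record is enough to refuse
}

def fake_resolve(hostname):
    """Stand-in resolver: return every A/AAAA record for the name, or []."""
    return FAKE_DNS.get(hostname, [])

# Port 5555 (ADB over TCP) is the only port the article names; an operator would
# extend this set with whatever else it treats as high-risk.
DEFAULT_BLOCKED_PORTS = frozenset({5555})

def is_internal_address(ip_str):
    """True if ip_str would land on the proxy node itself or its local network.

    Anything that is not globally routable (RFC 1918, loopback, link-local,
    0.0.0.0, multicast, reserved) is treated as internal. Unparseable input
    is refused as well rather than guessed at.
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return True
    # ::ffff:10.0.0.5 is 10.0.0.5 in disguise; judge the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global

def check_egress(hostname, port, resolve=fake_resolve, blocked_ports=DEFAULT_BLOCKED_PORTS):
    """Decide whether the proxy node may forward to hostname:port.

    Returns (allowed, reason, pinned_ips). When allowed, the caller should
    connect to one of pinned_ips rather than resolving the name a second time,
    so a record that changes between check and connect cannot slip past.
    """
    if port in blocked_ports:
        return False, "port %d is blocked on proxy endpoints" % port, []
    answers = resolve(hostname)
    if not answers:
        return False, "no DNS answer for %s" % hostname, []
    # Every record must pass: a name with one public and one private answer
    # would otherwise reach the LAN whenever the private record is picked.
    for addr in answers:
        if is_internal_address(addr):
            return False, "%s resolves to internal address %s" % (hostname, addr), []
    return True, "ok", list(answers)

if __name__ == "__main__":
    for name, port in [("cdn.example.net", 443), ("rebind.example.net", 80),
                       ("wildcard.example.net", 80), ("mapped.example.net", 80),
                       ("mixed.example.net", 80), ("cdn.example.net", 5555)]:
        allowed, reason, ips = check_egress(name, port)
        print("%-22s:%-5d %s (%s)" % (name, port, "ALLOW" if allowed else "DENY", reason))
```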

PRACTICAL IMPLICATIONS

Consider the following scenario, in which the mere act of allowing someone to use your Wi-Fi network could lead to a Kimwolf botnet infection. In this example, a friend or family member comes to stay with you for a few days, and you grant them access to your Wi-Fi without knowing that their mobile phone is infected with an app that turns the device into a residential proxy node. At that point, your home’s public IP address will show up for rent at the website of some residential proxy provider.

Miscreants like those behind Kimwolf then use residential proxy services online to access that proxy node on your IP, tunnel back through it and into your local area network (LAN), and automatically scan the internal network for devices with Android Debug Bridge mode turned on.

By the time your guest has packed up their things, said their goodbyes and disconnected from your Wi-Fi, you now have two devices on your local network — a digital photo frame and an unsanctioned Android TV box — that are infected with Kimwolf. You may have never intended for these devices to be exposed to the larger Internet, and yet there you are.

Here’s another possible nightmare scenario: Attackers use their access to proxy networks to modify your Internet router’s settings so that it relies on malicious DNS servers controlled by the attackers — allowing them to control where your Web browser goes when it requests a website. Think that’s far-fetched? Recall the DNSChanger malware from 2012 that infected more than a half-million routers with search-hijacking malware, and ultimately spawned an entire security industry working group focused on containing and eradicating it.

XLAB

Much of what is published so far on Kimwolf has come from the Chinese security firm XLab, which was the first to chronicle the rise of the Aisuru botnet in late 2024. In its latest blog post, XLab said it began tracking Kimwolf on October 24, when the botnet’s control servers were swamping Cloudflare’s DNS servers with lookups for the distinctive domain 14emeliaterracewestroxburyma02132[.]su.

This domain and others connected to early Kimwolf variants spent several weeks topping Cloudflare’s chart of the Internet’s most sought-after domains, edging out Google.com and Apple.com of their rightful spots in the top 5 most-requested domains. That’s because during that time Kimwolf was asking its millions of bots to check in frequently using Cloudflare’s DNS servers.

The Chinese security firm XLab found the Kimwolf botnet had enslaved between 1.8 and 2 million devices, with heavy concentrations in Brazil, India, The United States of America and Argentina. Image: blog.xLab.qianxin.com

It is clear from reading the XLab report that KrebsOnSecurity (and security experts) probably erred in misattributing some of Kimwolf’s early activities to the Aisuru botnet, which appears to be operated by a different group entirely. IPIDEA may have been truthful when it said it had no affiliation with the Aisuru botnet, but Brundage’s data left no doubt that its proxy service clearly was being massively abused by Aisuru’s Android variant, Kimwolf.

XLab said Kimwolf has infected at least 1.8 million devices, and has shown it is able to rebuild itself quickly from scratch.

“Analysis indicates that Kimwolf’s primary infection targets are TV boxes deployed in residential network environments,” XLab researchers wrote. “Since residential networks usually adopt dynamic IP allocation mechanisms, the public IPs of devices change over time, so the true scale of infected devices cannot be accurately measured solely by the quantity of IPs. In other words, the cumulative observation of 2.7 million IP addresses does not equate to 2.7 million infected devices.”

XLab said measuring Kimwolf’s size also is difficult because infected devices are distributed across multiple global time zones. “Affected by time zone differences and usage habits (e.g., turning off devices at night, not using TV boxes during holidays, etc.), these devices are not online simultaneously, further increasing the difficulty of comprehensive observation through a single time window,” the blog post observed.

XLab noted that the Kimwolf author shows an almost “obsessive” fixation on Yours Truly, apparently leaving “easter eggs” related to my name in multiple places throughout the botnet’s code and communications:

Image: XLAB.

ANALYSIS AND ADVICE

One frustrating aspect of threats like Kimwolf is that in most cases it is not easy for the average user to determine whether any devices on their internal network are vulnerable to such threats, or are already infected with residential proxy malware.

Let’s assume that through years of security training or some dark magic you can successfully identify that residential proxy activity on your internal network was linked to a specific mobile device inside your house: From there, you’d still need to isolate and remove the app or unwanted component that is turning the device into a residential proxy.

Also, the tooling and knowledge needed to achieve this kind of visibility just isn’t there from an average consumer standpoint. The work that it takes to configure your network so you can see and interpret logs of all traffic coming in and out is largely beyond the skillset of most Internet users (and, I’d wager, many security experts). But it’s a topic worth exploring in an upcoming story.

Happily, Synthient has erected a page on its website that will state whether a visitor’s public Internet address was seen among those of Kimwolf-infected systems. Brundage also has compiled a list of the unofficial Android TV boxes that are most highly represented in the Kimwolf botnet.

If you own a TV box that matches one of these model names and/or numbers, please just rip it out of your network. If you encounter one of these devices on the network of a family member or friend, send them a link to this story and explain that it’s not worth the potential hassle and harm created by keeping them plugged in.

The top 15 product devices represented in the Kimwolf botnet, according to Synthient.

Chad Seaman is a principal security researcher with Akamai Technologies. Seaman said he wants more consumers to be wary of these pseudo Android TV boxes to the point where they avoid them altogether.

“I want the consumer to be paranoid of these crappy devices and of these residential proxy schemes,” he said. “We need to highlight why they’re dangerous to everyone and to the individual. The whole security model where people think their LAN (Local Internal Network) is safe, that there aren’t any bad guys on the LAN so it can’t be that dangerous is just really outdated now.”

“The idea that an app can enable this type of abuse on my network and other networks, that should really give you pause,” about which devices to allow onto your local network, Seaman said. “And it’s not just Android devices here. Some of these proxy services have SDKs for Mac and Windows, and the iPhone. It could be running something that inadvertently cracks open your network and lets countless random people inside.”

In July 2025, Google filed a “John Doe” lawsuit (PDF) against 25 unidentified defendants collectively dubbed the “BadBox 2.0 Enterprise,” which Google described as a botnet of over ten million unsanctioned Android streaming devices engaged in advertising fraud. Google said the BADBOX 2.0 botnet, in addition to compromising multiple types of devices prior to purchase, also can infect devices by requiring the download of malicious apps from unofficial marketplaces.

Google’s lawsuit came on the heels of a June 2025 advisory from the Federal Bureau of Investigation (FBI), which warned that cyber criminals were gaining unauthorized access to home networks by either configuring the products with malware prior to the user’s purchase, or infecting the device as it downloads required applications that contain backdoors — usually during the set-up process.

The FBI said BADBOX 2.0 was discovered after the original BADBOX campaign was disrupted in 2024. The original BADBOX was identified in 2023, and primarily consisted of Android operating system devices that were compromised with backdoor malware prior to purchase.

Lindsay Kaye is vice president of threat intelligence at HUMAN Security, a company that worked closely on the BADBOX investigations. Kaye said the BADBOX botnets and the residential proxy networks that rode on top of compromised devices were detected because they enabled a ridiculous amount of advertising fraud, as well as ticket scalping, retail fraud, account takeovers and content scraping.

Kaye said consumers should stick to known brands when it comes to purchasing things that require a wired or wireless connection.

“If people are asking what they can do to avoid being victimized by proxies, it’s safest to stick with name brands,” Kaye said. “Anything promising something for free or low-cost, or giving you something for nothing just isn’t worth it. And be careful about what apps you allow on your phone.”

Many wireless routers these days make it relatively easy to deploy a “Guest” wireless network on-the-fly. Doing so allows your guests to browse the Internet just fine but it blocks their device from being able to talk to other devices on the local network — such as shared folders, printers and drives. If someone — a friend, family member, or contractor — requests access to your network, give them the guest Wi-Fi network credentials if you have that option.

There is a small but vocal pro-piracy camp that is almost condescendingly dismissive of the security threats posed by these unsanctioned Android TV boxes. These tech purists positively chafe at the idea of people wholesale discarding one of these TV boxes. A common refrain from this camp is that Internet-connected devices are not inherently bad or good, and that even factory-infected boxes can be flashed with new firmware or custom ROMs that contain no known dodgy software.

However, it’s important to point out that the majority of people buying these devices are not security or hardware experts; the devices are sought out because they dangle something of value for “free.” Most buyers have no idea of the bargain they’re making when plugging one of these dodgy TV boxes into their network.

It is somewhat remarkable that we haven’t yet seen the entertainment industry applying more visible pressure on the major e-commerce vendors to stop peddling this insecure and actively malicious hardware that is largely made and marketed for video piracy. These TV boxes are a public nuisance for bundling malicious software while having no apparent security or authentication built-in, and these two qualities make them an attractive nuisance for cybercriminals.

Stay tuned for Part II in this series, which will poke through clues left behind by the people who appear to have built Kimwolf and benefited from it the most.

The monthly seismicity maps, December 2025

2 January 2026, 10:37

Map of the earthquakes that occurred in Italy and neighbouring areas from 1 to 31 December 2025.

The Rete Sismica Nazionale located 1235 events from 1 to 31 December 2025, a slight increase over the previous month of November, with the daily average rising from 38 to about 39 earthquakes per day, a value still low compared with the 2025 monthly average. Of the 1235 events recorded, 139 earthquakes had a magnitude of 2.0 or greater and only 9 events a magnitude of 3.0 or greater.

In December two seismic events of magnitude 4 or greater were recorded: the first on 15 December in the southern Ionian Sea, magnitude ML 4.0, and the second on 17 December, magnitude ML 4.2, located off the southern Croatian coast. Neither event was felt on the Italian coasts. The location of the 15 December earthquake in the Ionian Sea benefited from the MHPPL seismic station (Marine Hazard Portopalo), the deepest seismometer in the Mediterranean Sea, installed at a depth of about 3500 metres, roughly 80 km south-east of Portopalo di Capo Passero.

On the national territory few seismic events were felt, with magnitudes at most between 3.0 and 3.5.

We remind readers that in a few days the SPECIAL on the earthquakes of 2025 will be published on INGVterremoti.com, with the analysis of the seismicity and of the main seismic sequences recorded last year.

The maps, together with other monitoring products, are available on the website of the Osservatorio Nazionale Terremoti and on the INGV Web Portal.

The “I terremoti del mese” (“Earthquakes of the Month”) column is edited by M. Pignone (INGV-ONT)

Samsung polishes One UI 8.5: cleaner icons, apps and menus in the latest build

6 October 2025, 11:22

Development of One UI 8.5 is moving quickly, with the first leaked firmware builds having already revealed several new features coming to Galaxy devices. After the first, non-final build, which had incomplete graphic elements and some rough edges, a new firmware is now available that shows further refinements to the interface and several improvements.

The first leaked version of One UI 8.5 showed unpolished icons and provisional graphic details. In the new build, Samsung has already corrected some of these. For example, the widget-list buttons in the quick panel, which initially looked rough, now have a look consistent with the rest of the interface.

Beyond the cosmetic touches, the new firmware introduces several functional and stylistic changes:

  • Digital Wellbeing has received a small restyling, with larger buttons that make it easier to use.

  • On the lock screen customisation screen, tapping an app icon in the quick shortcuts opens a pop-up with the full list of available apps.

  • The Phone app now uses a bottom bar made up of icons only. In the new build this bar stretches across the full width of the screen, although the actual buttons remain concentrated in the centre.

  • The Weather app follows the approach of Settings, moving the search bar to the bottom when the search function is activated. In addition, the location name is highlighted with a box at the top of the screen.

  • In the Galaxy AI photo editing menu in Gallery, the graphics have been updated, while the bottom navigation bar now shows all available tabs without requiring horizontal scrolling.

  • In apps such as Weather, Settings and Gallery a gradient effect appears at the top and bottom of the screen: a touch that visually anticipates the next element as you scroll.

  • The screen recorder menu has been redesigned with larger buttons and dedicated icons that clarify the function of each option.

It should be remembered that One UI 8.5 is still at an early stage of development. The changes seen in these leaked firmware builds represent only part of what Samsung will introduce with the final release. As often happens, further changes may arrive in the next internal builds, with both graphic and functional refinements.

Samsung has not yet announced a precise date for the debut of One UI 8.5, but the rollout will probably begin alongside the upcoming Galaxy S26 flagships, before gradually extending to other models as well.
