Kimwolf Howls from Inside the Enterprise
ID: 149d3b3e-9dc0-5289-afff-9a56cca86761
STIX ID: report--149d3b3e-9dc0-5289-afff-9a56cca86761
Feed Name: Infoblox Threat Intel Blog
The report documents active Kimwolf botnet activity that abuses residential proxy services and compromised endpoints to probe local networks via DNS queries. Infoblox Threat Defense Cloud telemetry shows queries to Kimwolf domains from nearly 25% of customers across multiple industries, indicating widespread scanning, though with few confirmed enterprise compromises. The report lists observed malicious domains and abused proxy endpoints (e.g., IPIDEA, Plainproxies/Byteconnect), and recommends applying blocking/resolving protective DNS policies and searching DNS logs for the indicators.
