ByteConnect

ByteConnect is a proxy software development kit (SDK) used to monetize compromised devices by turning them into residential proxy nodes. Reporting describes it as being delivered to victims—primarily unsanctioned/gray-market Android TV streaming devices—either directly or via sketchy apps that come pre-installed on the devices. It is specifically cited in connection with the AISURU/Kimwolf Android botnet ecosystem, where infections are monetized by installing third-party proxy SDKs such as ByteConnect (also referenced as “Plainproxies Byteconnect”) to resell victim bandwidth.

In observed cases, devices running or connecting to ByteConnect’s SDK were used to relay malicious traffic; one report notes that after devices connected to ByteConnect’s SDK, researchers observed a mass influx of credential-stuffing attacks originating through the proxied connections.

No additional high-confidence technical indicators (e.g., package names, hashes) are provided in the content beyond the name/alias and its use as a proxy SDK delivered via preinstalled or sketchy Android apps in the Kimwolf context.

MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development (1 technique)

T1583 Acquire Infrastructure (Evidence: 1)

"...null-routed traffic to more than 550 command-and-control (C2) nodes associated with the AISURU/Kimwolf botnet..."; "...identified another C2 domain – greatfirewallisacensorshiptool..."

Stealth (1 technique)

T1036 Masquerading (Evidence: 1)

"deploys two near-identical binaries disguised as proxy SDKs"; "many devices were sold pre-infected with modified software"; "shipped pre-infected with malicious proxy SDKs"

Command and Control (2 techniques)

T1090 Proxy (Evidence: 1)

"Its primary function is traffic proxying"; "Beyond running its own proxy service, Kimwolf monetizes infections by installing third-party proxy SDKs"

T1105 Ingress Tool Transfer (Evidence: 1)

"monetizes infections by installing third-party proxy SDKs such as Byteconnect"; "received payment for performing app installs on compromised devices"
