Our first story of 2026 revealed how a destructive new botnet called Kimwolf has infected more than two million devices by mass-compromising a vast number of unofficial Android TV streaming boxes. Today, we’ll dig through digital clues left behind by the hackers, network operators and services that appear to have benefitted from Kimwolf’s spread.

On Dec. 17, 2025, the Chinese security firm XLab published a deep dive on Kimwolf, which forces infected devices to participate in distributed denial-of-service (DDoS) attacks and to relay abusive and malicious Internet traffic for so-called “residential proxy” services.

The software that turns one’s device into a residential proxy is often quietly bundled with mobile apps and games. Kimwolf specifically targeted residential proxy software that is factory installed on more than a thousand different models of unsanctioned Android TV streaming devices. Very quickly, the residential proxy’s Internet address starts funneling traffic that is linked to ad fraud, account takeover attempts and mass content scraping.

The XLab report explained its researchers found “definitive evidence” that the same cybercriminal actors and infrastructure were used to deploy both Kimwolf and the Aisuru botnet — an earlier version of Kimwolf that also enslaved devices for use in DDoS attacks and proxy services.

XLab said it suspected since October that Kimwolf and Aisuru had the same author(s) and operators, based in part on shared code changes over time. But it said those suspicions were confirmed on December 8 when it witnessed both botnet strains being distributed by the same Internet address at 93.95.112[.]59.

RESI RACK

Public records show the Internet address range flagged by XLab is assigned to Lehi, Utah-based Resi Rack LLC. Resi Rack’s website bills the company as a “Premium Game Server Hosting Provider.” Meanwhile, Resi Rack’s ads on the Internet moneymaking forum BlackHatWorld refer to it as a “Premium Residential Proxy Hosting and Proxy Software Solutions Company.”

Resi Rack co-founder Cassidy Hales told KrebsOnSecurity his company received a notification on December 10 about Kimwolf using their network “that detailed what was being done by one of our customers leasing our servers.”

“When we received this email we took care of this issue immediately,” Hales wrote in response to an email requesting comment. “This is something we are very disappointed is now associated with our name and this was not the intention of our company whatsoever.”

The Resi Rack Internet address cited by XLab on December 8 came onto KrebsOnSecurity’s radar more than two weeks before that. Benjamin Brundage is founder of Synthient, a startup that tracks proxy services. In late October 2025, Brundage shared that the people selling various proxy services which benefitted from the Aisuru and Kimwolf botnets were doing so at a new Discord server called resi[.]to.

When KrebsOnSecurity joined the resi[.]to Discord channel in late October as a silent lurker, the server had fewer than 150 members, including “Shox” — the nickname used by Resi Rack’s co-founder Mr. Hales — and his business partner “Linus,” who did not respond to requests for comment.

Other members of the resi[.]to Discord channel would periodically post new IP addresses that were responsible for proxying traffic over the Kimwolf botnet. As the screenshot from resi[.]to above shows, that Resi Rack Internet address flagged by XLab was used by Kimwolf to direct proxy traffic as far back as November 24, if not earlier. All told, Synthient said it tracked at least seven static Resi Rack IP addresses connected to Kimwolf proxy infrastructure between October and December 2025.

Neither of Resi Rack’s co-owners responded to follow-up questions. Both have been active in selling proxy services via Discord for nearly two years. According to a review of Discord messages indexed by the cyber intelligence firm Flashpoint, Shox and Linus spent much of 2024 selling static “ISP proxies” by routing various Internet address blocks at major U.S. Internet service providers.

In February 2025, AT&T announced that effective July 31, 2025, it would no longer originate routes for network blocks that are not owned and managed by AT&T (other major ISPs have since made similar moves). Less than a month later, Shox and Linus told customers they would soon cease offering static ISP proxies as a result of these policy changes.

DORT & SNOW

The stated owner of the resi[.]to Discord server went by the abbreviated username “D.” That initial appears to be short for the hacker handle “Dort,” a name that was invoked frequently throughout these Discord chats.

This “Dort” nickname came up in KrebsOnSecurity’s recent conversations with “Forky,” a Brazilian man who acknowledged being involved in the marketing of the Aisuru botnet at its inception in late 2024. But Forky vehemently denied having anything to do with a series of massive and record-smashing DDoS attacks in the latter half of 2025 that were blamed on Aisuru, saying the botnet by that point had been taken over by rivals.

Forky asserts that Dort is a resident of Canada and one of at least two individuals currently in control of the Aisuru/Kimwolf botnet. The other individual Forky named as an Aisuru/Kimwolf botmaster goes by the nickname “Snow.”

On January 2 — just hours after our story on Kimwolf was published — the historical chat records on resi[.]to were erased without warning and replaced by a profanity-laced message for Synthient’s founder. Minutes after that, the entire server disappeared.

Later that same day, several of the more active members of the now-defunct resi[.]to Discord server moved to a Telegram channel where they posted Brundage’s personal information, and generally complained about being unable to find reliable “bulletproof” hosting for their botnet.

Hilariously, a user by the name “Richard Remington” briefly appeared in the group’s Telegram server to post a crude “Happy New Year” sketch that claims Dort and Snow are now in control of 3.5 million devices infected by Aisuru and/or Kimwolf. Richard Remington’s Telegram account has since been deleted, but it previously stated its owner operates a website that caters to DDoS-for-hire or “stresser” services seeking to test their firepower.

BYTECONNECT, PLAINPROXIES, AND 3XK TECH

Reports from both Synthient and XLab found that Kimwolf was used to deploy programs that turned infected systems into Internet traffic relays for multiple residential proxy services. Among those was a component that installed a software development kit (SDK) called ByteConnect, which is distributed by a provider known as Plainproxies.

ByteConnect says it specializes in “monetizing apps ethically and free,” while Plainproxies advertises the ability to provide content scraping companies with “unlimited” proxy pools. However, Synthient said that upon connecting to ByteConnect’s SDK they instead observed a mass influx of credential-stuffing attacks targeting email servers and popular online websites.

A search on LinkedIn finds the CEO of Plainproxies is Friedrich Kraft, whose resume says he is co-founder of ByteConnect Ltd. Public Internet routing records show Mr. Kraft also operates a hosting firm in Germany called 3XK Tech GmbH. Mr. Kraft did not respond to repeated requests for an interview.

In July 2025, Cloudflare reported that 3XK Tech (a.k.a. Drei-K-Tech) had become the Internet’s largest source of application-layer DDoS attacks. In November 2025, the security firm GreyNoise Intelligence found that Internet addresses on 3XK Tech were responsible for roughly three-quarters of the Internet scanning being done at the time for a newly discovered and critical vulnerability in security products made by Palo Alto Networks.

LinkedIn has a profile for another Plainproxies employee, Julia Levi, who is listed as co-founder of ByteConnect. Ms. Levi did not respond to requests for comment. Her resume says she previously worked for two major proxy providers: Netnut Proxy Network, and Bright Data.

Synthient likewise said Plainproxies ignored their outreach, noting that the Byteconnect SDK continues to remain active on devices compromised by Kimwolf.

MASKIFY

Synthient’s January 2 report said another proxy provider heavily involved in the sale of Kimwolf proxies was Maskify, which currently advertises on multiple cybercrime forums that it has more than six million residential Internet addresses for rent.

Maskify prices its service at a rate of 30 cents per gigabyte of data relayed through their proxies. According to Synthient, that price range is insanely low and is far cheaper than any other proxy provider in business today.

“Synthient’s Research Team received screenshots from other proxy providers showing key Kimwolf actors attempting to offload proxy bandwidth in exchange for upfront cash,” the Synthient report noted. “This approach likely helped fuel early development, with associated members spending earnings on infrastructure and outsourced development tasks. Please note that resellers know precisely what they are selling; proxies at these prices are not ethically sourced.”

Maskify did not respond to requests for comment.

BOTMASTERS LASH OUT

Hours after our first Kimwolf story was published last week, the resi[.]to Discord server vanished, Synthient’s website was hit with a DDoS attack, and the Kimwolf botmasters took to doxing Brundage via their botnet.

The harassing messages appeared as text records uploaded to the Ethereum Name Service (ENS), a distributed system for supporting smart contracts deployed on the Ethereum blockchain. As documented by XLab, in mid-December the Kimwolf operators upgraded their infrastructure and began using ENS to better withstand the near-constant takedown efforts targeting the botnet’s control servers.

By telling infected systems to seek out the Kimwolf control servers via ENS, even if the servers that the botmasters use to control the botnet are taken down the attacker only needs to update the ENS text record to reflect the new Internet address of the control server, and the infected devices will immediately know where to look for further instructions.

“This channel itself relies on the decentralized nature of blockchain, unregulated by Ethereum or other blockchain operators, and cannot be blocked,” XLab wrote.

The text records included in Kimwolf’s ENS instructions can also feature short messages, such as those that carried Brundage’s personal information. Other ENS text records associated with Kimwolf offered some sage advice: “If flagged, we encourage the TV box to be destroyed.”

Both Synthient and XLabs say Kimwolf targets a vast number of Android TV streaming box models, all of which have zero security protections, and many of which ship with proxy malware built in. Generally speaking, if you can send a data packet to one of these devices you can also seize administrative control over it.

If you own a TV box that matches one of these model names and/or numbers, please just rip it out of your network. If you encounter one of these devices on the network of a family member or friend, send them a link to this story (or to our January 2 story on Kimwolf) and explain that it’s not worth the potential hassle and harm created by keeping them plugged in.

The promise of AI-powered workplace tools that sort emails, take meeting notes, and file expense reports is finally delivering meaningful productivity gains -- one software startup reported a 20% boost around mid-2025 -- but companies are discovering an unexpected tradeoff: employees are burning out from the relentless pace of high-level cognitive work. Roger Kirkness, CEO of 14-person software startup Convictional, noticed that after AI took the scut work off his team's plates, their days became consumed by intensive thinking, and they were mentally exhausted and unproductive by Friday. The company transitioned to a four-day workweek; the same amount of work gets done, Kirkness says. The underlying problem, according to Boston College economist and sociologist Juliet Schor, is that businesses tend to simply reallocate the time AI saves. Workers who once mentally downshifted for tasks like data entry are now expected to maintain intense focus through longer stretches of data analysis. "If you just make people work at a high-intensity pace with no breaks, you risk crowding out creativity," Schor says.

Read more of this story at Slashdot.

A 50-inch TV that would have set you back $1,100 at Best Buy during Black Friday 2001 now costs less than $200, and the price per area-pixel -- a metric accounting for both screen size and resolution -- has dropped by more than 90% over the past 25 years. The story behind this decline is largely one of liquid crystal display technology maturing from a niche product to a mass-manufactured commodity. LCDs represented just 5% of the TV market in 2004; by 2018, they commanded more than 95%. The largest driver of cost reduction has been the scaling up of "mother glass" sheets -- the large panels of extremely clear glass onto which semiconductor materials are deposited before being cut into individual displays. The first generation sheets measured roughly 12 by 16 inches. Today's Generation 10.5 sheets span 116 by 133 inches, nearly 100 times the original area. This scaling delivers substantial savings because equipment costs rise more slowly than glass area increases. Moving from Gen 4 to Gen 5 mother glass cut the cost per diagonal inch by 50%. Equipment costs per unit of panel area fell 80% between Gen 4 and Gen 8. Process improvements have compounded these gains: masking steps required for thin-film transistors dropped from eight to four, yields climbed from 50% to above 90%, and a "one drop fill" technique reduced liquid crystal filling time from days to minutes.

Read more of this story at Slashdot.

Last time, we learned how to query the global caret position, but we found that it works only for programs that use the system caret. Fancy programs think that the system caret is old and stodgy and prefer to draw their own caret. How can we learn about those custom carets?

We can use the classic Active Accessibility interface IAccessible and ask the focus window for its caret. Programs that draw their own custom caret are expected to respond to this by telling you where their custom caret is.

GUITHREADINFO info = { sizeof(GUITHREADINFO) };
if (GetGUIThreadInfo(0, &info))
{
    if (info.flags & GUI_CARETBLINKING)
    {
        MapWindowPoints(info.hwndCaret, nullptr, (POINT*)&info.rcCaret, 2);
        SetCursorPos(info.rcCaret.right - 1, info.rcCaret.bottom - 1);
        return;
    }
    if (info.hwndFocus != nullptr) {                                         
        Microsoft::WRL::ComPtr<IAccessible> acc;                             
        if (SUCCEEDED(AccessibleObjectFromWindow(info.hwndFocus, OBJID_CARET,
                              IID_PPV_ARGS(&acc))) && acc) {                 
            long x, y, cx, cy;                                               
            VARIANT vt{};                                                    
            vt.vt = VT_I4;                                                   
            vt.lVal = CHILDID_SELF;                                          
            if (acc->accLocation(&x, &y, &cx, &cy, vt) == S_OK) {            
                SetCursorPos(x + cx - 1, y + cy - 1);                        
                return;                                                      
            }                                                                
        }                                                                    
    }                                                                        
}

This detects the caret in most programs that use a custom caret. I tried Visual Studio, Chromium-based programs, and Microsoft Word, and they all worked. (However, Terminal and Calculator in Worksheet mode didn’t work. They fail to report a caret at all. Sad.)

In the original problem formulation, the goal was to move the cursor to the keyboard focus. The keyboard focus might be represented by a caret, but it might be a selected item on the desktop or some other non-textual focus. We’ll look at that next time.

The post Using Active Accessibility to find out where the Windows caret is appeared first on The Old New Thing.

An anonymous reader shares a report: Ever since the federal government began issuing the Dietary Guidelines in 1980, it has told Americans to limit themselves to one or two standard alcoholic drinks a day. Over time, the official advice morphed to no more than two drinks a day for men, and no more than one for women. No longer [non-paywalled source]. The updated guidelines issued on Wednesday say instead that people should consume less alcohol "for better overall health" and "limit alcohol beverages," but they do not recommend clear limits. The guidelines also no longer warn that alcohol may heighten the risk of breast cancer and other malignancies. It is the first time in decades that the government has omitted the daily caps on drinking that define moderate consumption -- standards that are used as benchmarks in clinical studies, to steer medical advice, and to distinguish moderate from heavy drinking, which is unquestionably harmful. The new guidance advises Americans who are pregnant, struggle with alcohol use disorder or take medications that interact with alcohol to avoid drinking altogether. The guidelines also warn people with alcoholism in the family to "be mindful of alcohol consumption and associated addictive behaviors." They do not, however, distinguish between men and women, who metabolize alcohol differently, nor do they caution against underage drinking. The guidelines also no longer include a warning that was in the last set issued in 2020: that even moderate drinking may increase the risk of cancer and some forms of cardiovascular disease, as well as the overall risk of dying.

Read more of this story at Slashdot.

Microsoft's OneDrive cloud storage service has drawn renewed criticism for a particularly frustrating behavior pattern that can leave users without access to their local files after the service automatically activates during Windows updates. Author Jason Pargin recently outlined the problem: Windows updates can enable OneDrive backup without any plain-language warning or opt-out option, and the service then quietly begins uploading the contents of a user's computer to Microsoft's servers. The trouble begins when users attempt to disable OneDrive Backup. According to Pargin, turning off the feature can result in local files being deleted, leaving behind only a desktop icon labeled "Where are my files?" Users can redownload their files from Microsoft's servers, but attempting to then delete Microsoft's copies triggers another deletion of the local files. The only workaround requires users to hunt down YouTube tutorials that walk through the steps, as the relevant options are buried in menus and none clearly describe their function in plain English. Pargin compared the experience to a ransomware attack.

Read more of this story at Slashdot.