2026-04-16, Amphitheater
A proxy botnet bills itself as a monetization SDK for Android apps: consent API, bandwidth caps, the works. It also distributes binaries via IPFS, discovers C2 servers through encrypted Ethereum Name Service records, polls a blockchain for updates like apt update, and ships a custom P2P mesh relay. The operator built three layers of decentralized resilience on the assumption that compute is free when it belongs to someone else.
When a researcher published IOCs for that proxy botnet infrastructure in early April, we began monitoring the download server where the APK was being delivered to devices compromised through proxy-to-ADB exploitation (the same initial access used by Kimwolf). Within weeks, the SDK gained three DDoS flood modules and a template-push system for rotating HTTP payloads. The proxy service had become a dual-purpose attack platform.
This lightning talk traces the operator's architecture from proxy to botnet: the ENS update manifest, the IPFS distribution pipeline, and the moment the operator decided bandwidth monetization wasn't enough.
Jérôme is a security researcher at Nokia Deepfield, where he tracks DDoS botnets and proxy networks that threaten telecom and cloud providers.