Hackers News

Google Disrupts NetNut Residential Proxy Botnet Exploiting 2 Million Devices

David kimber
July 3, 2026

Key Takeaways

  • Google, in collaboration with law enforcement and industry partners, has moved to dismantle NetNut, a residential proxy network also known as “Popa.”
  • The botnet leveraged at least 2 million compromised home devices globally, primarily unofficial Android TV boxes, turning them into unwitting proxy nodes.
  • NetNut’s infrastructure was widely resold under various brands, making it a critical component for cybercriminals and espionage groups seeking to obfuscate their activities.
  • Google has disabled related accounts, updated Play Protect to block NetNut SDKs, and shared intelligence to disrupt the network.

Google Leads Coordinated Disruption of NetNut Residential Proxy Botnet

In a significant multi-agency operation, Google, alongside the FBI, Lumen Technologies, and other cybersecurity entities, has initiated a comprehensive effort to dismantle NetNut, a residential proxy network also identified as “Popa.” This network is believed to have compromised a minimum of 2 million household devices worldwide, transforming them into illicit proxy servers.

Google’s actions included disabling specific Google accounts and services that NetNut utilized for its malware command-and-control operations. These activities were a clear breach of Google’s Terms of Service and Acceptable Use Policy. Furthermore, the tech giant disseminated critical technical intelligence regarding NetNut’s Software Development Kits (SDKs) and its backend command-and-control (C2) infrastructure to law enforcement agencies, platform providers, and research firms. This information sharing aims to facilitate broader enforcement actions across the digital ecosystem.

To bolster user protection, Google Play Protect received an update designed to automatically alert users and disable applications containing NetNut SDKs. This measure provides an additional layer of defense against future installation attempts on Android devices. This recent operation follows Google’s successful disruption of the IPIDEA proxy network in January 2026, signaling a sustained strategic campaign against malicious residential proxy operators. Google highlighted that NetNut runs an extensive reseller program, enabling its infrastructure to be white-labeled, implying that numerous popular proxy services might, in reality, be covertly utilizing the NetNut botnet.

Unmasking the Popa Botnet’s Origins and Operations

Investigative reporting by KrebsOnSecurity has directly linked the Popa botnet to NetNut, a subsidiary of Alarum Technologies Ltd (NASDAQ: ALAR), a publicly traded Israeli company. The Popa botnet operates as a plugin component within the larger Vo1d botnet, which primarily targets unofficial Android-based TV boxes. These devices are often bundled with pirated streaming applications such as CRICFy, DooFlix, and Flixoid.

Security firm Qurium traced Popa’s control infrastructure to domains like ninjatech[.]io. These domains have been linked to Moishi Kramer, a former NetNut VP of R&D, who has denied current operational control over the infrastructure. Independent analysis by proxy-tracking firm Synthient on Popa’s SDK revealed outbound traffic conclusively tied to NetNut clients, leading the firm to state with “high confidence” that Popa-infected devices actively forward NetNut proxy traffic.

Alarum Technologies has contested the “botnet” label, asserting that NetNut’s SDKs enable consensual bandwidth-sharing and that the company enforces Know Your Customer (KYC) and misuse-monitoring policies. However, the proxy-tracking service Spur countered this claim, noting that NetNut lacks robust corporate verification, allowing individuals to acquire proxy access with minimal validation.

Lumen’s Black Lotus Labs estimates that the Popa botnet cycles through a staggering 1.5 to 2.5 million unique IP addresses daily, managed by approximately 250-300 controller domains. This scale positions it as one of the most widely resold proxy networks within the cybercriminal ecosystem. Nokia Deepfield researchers suggest the actual number of compromised devices could be substantially higher, based on their relay-node traffic sampling. During a single week in June 2026, Google’s Threat Intelligence Group observed 316 distinct threat clusters, encompassing both cybercriminal and espionage groups, leveraging suspected NetNut exit nodes for activities like password spraying and infrastructure obfuscation.

Home devices typically become unwitting proxy nodes through either pre-installed malware or hidden SDKs embedded within seemingly innocuous free applications. This compromise exposes other devices on the same network to external threats, including Mirai-variant DDoS infections.

Google emphasized the highly interconnected nature of the residential proxy industry, where operators frequently resell capacity from competitors when their own infrastructure is compromised. This resilience pattern was previously observed following the IPIDEA takedown. The company advocates for continued cross-industry intelligence sharing and coordinated infrastructure blocking to achieve a lasting impact against this adaptable, resale-driven threat ecosystem.

What You Should Do

  • Avoid installing applications that offer payment for “unused bandwidth,” as these are often mechanisms for surreptitiously turning your device into a proxy node.
  • Always download applications exclusively from official app stores, such as the Google Play Store, to minimize exposure to malicious SDKs.
  • Before purchasing connected devices like smart TVs and streaming boxes, verify their Google Play Protect certification status to ensure they meet security standards.
  • Regularly review and update security settings on your home router and connected devices.
  • Implement network segmentation where possible to isolate IoT devices from your primary computing devices.
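
To decide which devices need isolating, a home or small-office network that logs DNS queries can be swept for lookups of the controller domain named above. The following is an added example, not code from Google, Qurium or the original article; it assumes dnsmasq-style query logging, and the second indicator and all sample log lines are constructed placeholders.

```python
import re
from collections import defaultdict

# Only controller domain named in the article (Qurium), kept defanged as published.
# The second entry is a constructed placeholder, not a real indicator.
INDICATORS = ["ninjatech[.]io", "controller.example[.]net"]

# dnsmasq query-log line: "... dnsmasq[pid]: query[A] name from client"
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[[A-Z0-9]+\] (\S+) from (\S+)")

def refang(indicator):
    """Normalise a defanged indicator to a lowercase domain without trailing dot."""
    return indicator.replace("[.]", ".").strip().rstrip(".").lower()

def matches(qname, domain):
    """True if qname is the domain or a subdomain, compared on label boundaries."""
    qname = qname.rstrip(".").lower()
    return qname == domain or qname.endswith("." + domain)

def find_suspect_clients(log_lines, indicators=INDICATORS):
    """Map client IP -> sorted list of indicator domains it queried."""
    domains = [refang(i) for i in indicators]
    hits = defaultdict(set)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # replies, forwards, and unrelated syslog lines
        qname, client = m.groups()
        for d in domains:
            if matches(qname, d):
                hits[client].add(d)
    return {c: sorted(ds) for c, ds in hits.items()}

# Constructed sample log (RFC 1918 addresses, invented hostnames).
SAMPLE_LOG = """\
Jul  3 10:15:01 dnsmasq[812]: query[A] api.NinjaTech.io. from 192.168.1.50
Jul  3 10:15:01 dnsmasq[812]: forwarded api.ninjatech.io to 9.9.9.9
Jul  3 10:15:02 dnsmasq[812]: query[AAAA] notninjatech.io from 192.168.1.23
Jul  3 10:15:04 dnsmasq[812]: query[A] ninjatech.io from 192.168.1.50
Jul  3 10:15:09 dnsmasq[812]: query[A] www.example.org from 192.168.1.23
""".splitlines()

if __name__ == "__main__":
    for client, doms in find_suspect_clients(SAMPLE_LOG).items():
        print(f"{client} queried {', '.join(doms)}")
```

Matching on label boundaries rather than substrings keeps a lookalike such as `notninjatech.io` from flagging an unrelated device, while still catching subdomains, mixed case and trailing-dot forms.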

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
