LIVE · cybersecurity feed
malware

FBI Seizes NetNut Proxy Platform, Popa Botnet

zeroday.news·5d ago

The Federal Bureau of Investigation, in collaboration with industry partners, has seized hundreds of domains associated with NetNut, a large residential proxy service operated by the Israeli company Alarum Technologies. This action follows recent reports from security firms that linked NetNut to the Popa botnet, a network of at least two million compromised devices.

The FBI's seizure notice, which replaced NetNut's homepage, indicated the involvement of the Internal Revenue Service Criminal Investigation division. The notice also acknowledged contributions from Google, Lumen, Shadowserver, and other industry partners in dismantling the domains tied to the Popa botnet, which is closely associated with NetNut's proxy infrastructure.

Security researchers had previously identified NetNut as a residential proxy network that populates the Popa botnet. The service distributes software that transforms everyday home devices, such as smart TVs and streaming boxes, into always-on proxy nodes. These nodes are then rented out to individuals who predominantly use them for illicit online activities, including mass content scraping, advertising fraud, and account takeovers.

Google's Threat Intelligence Group (GTIG) noted that NetNut's proxy network is widely resold and white-labeled by various third-party providers. Cybercriminals frequently utilize NetNut's services to conceal the origin of their malicious traffic. GTIG observed a significant number of threat actor groups, including those involved in cybercrime and espionage, leveraging NetNut exit nodes within a single week in June 2026. These actors use NetNut to mask their IP addresses when accessing victim environments, their own infrastructure, or conducting password spray attacks.

Furthermore, when consumer devices become proxy exit nodes, unauthorized network traffic can pass through them. This exposes other private devices on the same home network to potential internet threats. Google stated that it disabled Google accounts and services used by NetNut for command and control of malware and shared technical intelligence about NetNut's software development kits and backend infrastructure with relevant parties. The company also disabled applications known to bundle NetNut's SDKs.

Omer Weiss, legal counsel for NetNut's parent company Alarum Technologies, confirmed awareness of the FBI seizure and stated the company is cooperating with investigators. Weiss emphasized the company's commitment to a thorough investigation of any misuse of its infrastructure.

Benjamin Brundage, founder of the proxy tracking service Synthient, one of the firms that published evidence linking the Popa botnet to NetNut, suggested that the domain seizures have significantly disrupted both the Popa botnet and NetNut's proxy network. Brundage believes this takedown will be a considerable blow to the cybercrime community, especially following earlier legal actions by Google against NetNut's main competitor, IPIDEA. He noted that NetNut had gained substantial popularity after the IPIDEA takedown and was comparable to IPIDEA in terms of traffic, quality, size, and pricing.

Brundage also suggested that the disruption of NetNut and the Popa botnet could help mitigate the impact of large distributed denial-of-service botnets that exploit poorly configured residential proxy services. He referenced a previous Synthient report detailing how cybercriminals built a large DDoS botnet by tunneling through IPIDEA proxy connections into the local networks of TV box owners. While major proxy providers have taken steps to block such activity, resellers have been slower to respond.

Google estimates that the recent actions have severely degraded NetNut's proxy network and business operations, reducing the available pool of devices by millions. However, Google cautions that proxy networks can reconstitute themselves by reselling services from other providers, as IPIDEA has reportedly done. Google indicated that many popular residential proxy brands may be white-labeling the NetNut botnet and anticipates that while this disruption will have a broad impact, individual networks can prove resilient. The company observed that when faced with botnet degradation, proxy operators often purchase capacity from competitors, effectively becoming resellers. Google believes that to achieve lasting disruption in this dynamic ecosystem, efforts must target the infrastructure of multiple interconnected providers.

The report also highlighted concerns about smart TVs and streaming devices, noting that many low-cost streaming boxes sold online come pre-installed with residential proxy software or require users to install proxy SDKs. Google advises consumers to purchase devices from reputable manufacturers and exercise caution with installed applications. Devices compromised by the Popa botnet and similar threats often use unofficial Android operating systems that lack Google Play Protect certification.

Consumers can verify if a device runs an official Android TV OS with Play Protect certification by following specific instructions. Additionally, smart TVs from manufacturers like Samsung and LG can become part of residential proxy networks through the installation of third-party applications. A recent report found that a significant percentage of apps available for LG's webOS and Samsung's Tizen operating systems contain SDKs that turn televisions into residential proxy nodes.

malware
← Back to latest

More News

view all →
zeroday.news · 3h ago·high

China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors

A China-linked advanced persistent threat (APT) group, identified as LapDogs, has reportedly enhanced its malicious toolkit. Security researchers have observed the deployment of three new backdoors: LongLeash, DogLeash, and JarLeash, which are designed to compromise small office/home office (SOHO) routers.

zeroday.news · 3h ago·high

RedWing Android Spyware Sold as a Service on Telegram

A new Android spyware called RedWing is being offered as a service on Telegram, allowing less sophisticated attackers to compromise phones and steal banking information. Researchers have identified it as a polished malware-as-a-service operation with extensive documentation and a subscription model, potentially linked to Russian threat actors. RedWing employs fake login overlays, SMS interception, call forwarding, and even screen control to harvest credentials and conduct further malicious activities.

zeroday.news · 3h ago·high

Operationalizing Day Minus Seven: The Cloud-Native ROC

The article introduces the concept of a Risk Operations Center (ROC) as a necessary evolution for cybersecurity teams facing AI-driven threats. It argues that traditional risk management models are insufficient due to the speed at which AI can discover and exploit vulnerabilities, especially in cloud environments. A ROC, powered by platforms like Qualys Enterprise TruRisk Management (ETM), aims to unify disparate security findings, hyper-prioritize risks based on exploitability and business impact, and enable autonomous remediation to keep pace with attackers.

zeroday.news · 4h ago·critical

Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS

Ubiquiti has released security updates to address several critical vulnerabilities affecting its UniFi product line, including UniFi Connect, Talk, Access, Protect, and OS. These flaws could allow attackers to escalate privileges or execute arbitrary commands on affected devices. While no active exploitation has been reported for these specific vulnerabilities, the company has previously seen its UniFi OS and Edge OS products targeted by threat actors.

zeroday.news · 4h ago·high

Armored Likho Hits Government, Energy Sectors With BusySnake Stealer

Cybersecurity researchers have identified a new threat actor, dubbed Armored Likho, targeting government and energy sectors in Russia, Kazakhstan, and Brazil with a sophisticated phishing campaign. The operation utilizes a custom-built Python infostealer named BusySnake, designed to steal credentials, sensitive documents, and other high-value data. The attackers employ AI-generated payloads to obscure their activities and maintain persistence through various methods, including reverse SSH tunneling.

zeroday.news · 4h ago·critical

Attackers using Langflow flaw for credential harvesting (CVE-2026-55255)

CISA has issued a warning regarding a critical vulnerability (CVE-2026-55255) in the Langflow AI framework, which is being actively exploited by attackers. The flaw allows authenticated users to execute arbitrary flows belonging to other users, potentially leading to the theft of sensitive credentials and data exposure, especially in multi-tenant environments. US federal agencies have been mandated to patch this vulnerability by July 10th.