ctipilot.ch

Daily brief 2026-07-04

Google, FBI, Lumen and Shadowserver disrupt the NetNut (Popa) residential-proxy botnet

notable incident discovered 2026-07-04 00:26 UTC

Entities: Popa residential-proxy botnet (Vo1d plugin) tied to Alarum/NetNut by Krebs/Qurium

Part of run 2026-07-04T0009Z-intel (intel · Claude Opus 4.8 (1M context))

UPDATE (originally covered 2026-06-21 under the headline "Krebs and Qurium tie the 'Popa' Android-TV residential-proxy botnet to a NASDAQ-listed proxy vendor")

UPDATE (originally covered 2026-06-21): Google's Threat Intelligence Group, coordinating with the FBI, Lumen Technologies and The Shadowserver Foundation, has disrupted the residential-proxy botnet previously tracked here as Popa — Google refers to it as NetNut — which GTIG estimates controls at least 2 million infected devices worldwide, predominantly Android-based smart TVs and streaming/set-top boxes compromised via trojanized apps carrying the Badbox 2.0 malware family (Google Threat Intelligence Group, 2026-07-02). Google disabled the Google accounts and infrastructure used for NetNut command-and-control, shared technical intelligence with ecosystem partners, and used Google Play Protect to block apps bundling NetNut SDKs, while the FBI separately seized the netnut.com domain (BleepingComputer, 2026-07-03).

The delta since June is the scale of shared abuse the disruption exposes: GTIG reports that in a single week in June 2026 it observed 316 distinct threat clusters — spanning both cybercriminal and espionage actors — routing traffic through suspected NetNut exit nodes to hide malicious activity behind residential IP space (T1090.003 Multi-hop Proxy), confirming this proxy layer as shared criminal/state infrastructure rather than a single-group tool. Google cautions that the action reduced the operator's available device pool "by millions" but that individual proxy operators can appear resilient and rival operators may absorb displaced capacity.

“Google Threat Intelligence Group (GTIG) estimates the size of the NetNut network to be at least 2 million devices, distributed across the world.” — Google Threat Intelligence Group

“In a single week during June 2026, GTIG observed 316 distinct threat clusters using suspected NetNut exit nodes, including cybercriminal and espionage groups.” — Google Threat Intelligence Group

Action items

  • Treat the NetNut/Popa disruption as temporary attrition, not elimination, of residential-proxy exit-node traffic; keep residential-ASN anomaly detection and IP-reputation controls in place as rival operators absorb displaced capacity.
  • Hunt for Badbox 2.0-class trojanized-application behaviour on any managed Android smart-TV, set-top or IoT devices reachable from the corporate network.
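One way to implement the residential-ASN anomaly check from the first action item, as an added example rather than code from the brief or from any of the organisations named: it assumes a constructed auth-log format, an illustrative prefix-to-ASN table and a placeholder list of suspected proxy exit nodes, and flags accounts whose successful logins hop across several residential ASNs within one window, the trace that routing through a multi-hop residential proxy (T1090.003) leaves in authentication logs.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed prefix -> (ASN, residential?) table and placeholder suspected-exit list; not real data.
ASN_TABLE = {"203.0.113.0/24": ("AS64500", True), "198.51.100.0/24": ("AS64501", True),
             "192.0.2.0/24": ("AS64502", True), "100.64.0.0/24": ("AS64503", False)}
SUSPECTED_PROXY_EXITS = {"203.0.113.77", "192.0.2.9"}
def lookup_asn(ip):
    addr = ipaddress.ip_address(ip)
    for prefix, info in ASN_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return info
    return ("unknown", False)

def parse_line(line):
    # Constructed auth-log format: "<ISO time> user=<name> src=<ip> result=<ok|fail>"
    ts, *kv = line.split()
    f = dict(item.split("=", 1) for item in kv)
    return datetime.fromisoformat(ts), f["user"], f["src"], f["result"]

def find_residential_asn_churn(lines, window=timedelta(hours=1), min_asns=3):
    """Flag accounts spanning >= min_asns residential ASNs in one window or using a suspected exit."""
    events = defaultdict(list)
    for line in lines:
        ts, user, src, result = parse_line(line)
        if result == "ok":  # failed attempts belong to brute-force logic, not this check
            events[user].append((ts, src) + lookup_asn(src))
    findings = {}
    for user, evs in events.items():
        evs.sort()
        reasons = set()
        for i, (ts, src, _, _) in enumerate(evs):
            if src in SUSPECTED_PROXY_EXITS:
                reasons.add(f"suspected proxy exit {src}")
            # distinct residential ASNs seen from this login until the window closes
            asns = {a for t, _, a, res in evs[i:] if res and t - ts <= window}
            if len(asns) >= min_asns:
                reasons.add(f"{len(asns)} residential ASNs within {window}")
        if reasons:
            findings[user] = sorted(reasons)
    return findings
# Constructed sample: bob hops across three residential ASNs in 35 minutes (one a suspected
# exit node); carol fails from a suspected exit node, then succeeds from the corporate range.
SAMPLE_LOG = [
    "2026-07-03T09:05:00 user=bob src=203.0.113.5 result=ok",
    "2026-07-03T09:20:00 user=bob src=198.51.100.8 result=ok",
    "2026-07-03T09:40:00 user=bob src=192.0.2.9 result=ok",
    "2026-07-03T10:50:00 user=carol src=203.0.113.77 result=fail",
    "2026-07-03T11:00:00 user=carol src=100.64.0.12 result=ok",
]
```

Tune `window` and `min_asns` to the organisation's normal roaming behaviour before alerting on this; the reputation list is the weaker signal once an operator rotates exit nodes.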


Tags: botnet, law-enforcement, organized-crime, espionage, global