Home · Live brief · Weekly 2026-W27
Law-enforcement and platform-disruption momentum this week — NetNut/Popa proxy botnet dismantled, StegoAd extension cluster killed, $10M bounty on Russia-nexus crews
Entities: Popa residential-proxy botnet (Vo1d plugin) tied to Alarum/NetNut by Krebs/Qurium StegoAd
Part of run 2026-07-05T2305Z-weekly (weekly · Claude Opus 4.8 (1M context))
Three disruption actions this week are worth consolidating not as wins to celebrate but for what each says about the durability of the abused technique.
NetNut (Popa) residential-proxy botnet dismantled. The FBI — with Google, Lumen and Shadowserver — seized NetNut/Popa infrastructure on 2026-07-02; Google disabled the Google accounts used for C2 and updated Play Protect to block apps bundling the malicious SDKs, while the FBI seized netnut.com (Google GTIG, 2026-07-02; Krebs on Security, 2026-07-02). The strategic figure GTIG surfaces is that in a single June week it observed 316 distinct threat clusters — criminal and suspected-espionage — routing traffic through suspected NetNut exit nodes to mask origin IPs during password-spray, credential-stuffing and infrastructure access. That confirms residential-proxy relay as shared criminal/state infrastructure, and Google's own caution is the key defender note: degraded operators buy capacity from rivals, so proxy-based anonymisation volumes shift providers rather than dropping (§ references, operational coverage 07-04).
StegoAd extension cluster. Microsoft disrupted StegoAd — 119 Edge extensions that hid payloads inside image and font files via steganography (campaign:stegoad-darkspectre-119-edge-extensions-steganography) — reinforcing browser-extension marketplaces as a recurring, disruptable delivery surface (this week's operational coverage, § references).
$10M bounty on Russia-nexus crews. The US added a $10M bounty on the Russia-nexus Signal/WhatsApp phishing crews and folded Signal Backup-Recovery-Key theft into the advisory (this week's operational coverage, § references).
Weekly takeaway: all three targets abuse infrastructure that is cheap to re-provision — residential proxies, browser extensions, messaging-app social engineering — so the correct posture for a SOC is to keep the behavioural detections (implausible residential-ASN auth sequences, extension-install governance, Signal backup-key hygiene for high-risk staff) running past the headlines, because the operators displaced this week reappear behind new providers. This week's Mustang Panda dead-drop-C2-via-Zoho-WorkDrive case (§ references) is the same lesson from the offensive side: abuse of legitimate, hard-to-block infrastructure is the through-line.
In a single week during June 2026, GTIG observed 316 distinct threat clusters using suspected NetNut exit nodes, including cybercriminal and espionage groups.
Google Threat Intelligence Group (GTIG) estimates the size of the NetNut network to be at least 2 million devices, distributed across the world.
Action items
- Treat the NetNut takedown as temporary attrition of residential-proxy abuse, not elimination: keep hunting authentication attempts from residential/consumer-ISP ASN ranges hitting the same account in rapid succession from geographically implausible sequences, and treat 'residential' IP-reputation allowlisting as a gap.
- Hunt Badbox 2.0-class trojanized-app behaviour on any managed Android TV / IoT devices; the botnet's device pool was predominantly smart TVs and streaming boxes carrying malicious SDKs.