NetNut proxy network disrupted, 2 million infected devices cut off
Source: www.bleepingcomputer.com, 2026-07-03 18:01:22

NetNut residential proxy network disrupted after hijacking 2 million devices

A joint operation involving Google has disrupted NetNut, a residential proxy network that gave access to millions of compromised Android devices, including smart TVs and streaming boxes.

Also known as Popa, the NetNut botnet allowed cybercriminals and espionage groups to hide behind legitimate home internet addresses when launching attacks.

According to the Google Threat Intelligence Group (GTIG), the residential proxy botnet is estimated to comprise at least two million compromised devices.


"GTIG estimates Netnut controls at least 2 million infected devices globally (including smart TVs and streaming boxes), powered by trojanized applications and botnets like Badbox 2.0 that package proxy plugins," Google told BleepingComputer.

Residential proxy networks work by compromising home systems and selling access to them, allowing threat actors to conceal malicious traffic by routing it through the victims' residential IP addresses.

Typically, home devices become part of the botnet after being infected with malware that is either pre-installed before purchase or added via malicious or trojanized applications downloaded by the user.

As a result, infected consumer devices serve as exit nodes in the botnet, routing unauthorized network traffic through their residential IP addresses, which can cause the devices to be flagged as suspicious or blocked by internet service providers or online services.

Dismantling the NetNut botnet involved a coordinated effort that included Google, the FBI, Lumen Technologies, The Shadowserver Foundation, and other industry partners.

FBI seized domain used by the NetNut residential proxy network
source: BleepingComputer

The malicious proxy service is considered one of the largest networks in the world, being used by hundreds of threat actors.

It uses multiple domains, including netnut.com, which was taken down by the FBI.

“I checked with the disruption team and confirmed .com domain was also used by them along with other domains taken down,” Mark Karayan, Communications Manager at Mandiant, told BleepingComputer.

GTIG said that in one week last month it “observed 316 distinct threat clusters using suspected NetNut exit nodes, including cybercriminal and espionage groups.”

According to the researchers, threat actors used NetNut to access their own infrastructure, conduct password-spraying attacks, and reach victim environments.
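The two paragraphs above describe why residential proxy exit nodes are valuable to attackers: every request leaves from a different home IP address, so a password-spraying campaign never trips a per-source-IP lockout. The following detector is an added example written for this page; it is not code from Google, GTIG or BleepingComputer, and the log format and the log lines are constructed. It contrasts a classic per-IP failure threshold, which stays silent, with an aggregate rule that looks at distinct users and distinct source IPs per time window, which is the shape a spray through a proxy pool leaves behind.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Assumed line format:
#   <ISO-8601 UTC timestamp> <FAIL|SUCCESS> user=<name> src=<ip>
# Eight failures against eight different accounts from eight different
# source addresses inside six minutes, plus ordinary traffic for "carol".
SAMPLE_LOG = """\
2026-07-01T09:00:05Z FAIL user=alice src=198.51.100.10
2026-07-01T09:00:41Z FAIL user=bob src=203.0.113.7
2026-07-01T09:01:12Z SUCCESS user=carol src=192.0.2.44
2026-07-01T09:01:30Z FAIL user=dave src=198.51.100.201
2026-07-01T09:02:02Z FAIL user=erin src=203.0.113.99
2026-07-01T09:02:55Z FAIL user=frank src=198.51.100.77
2026-07-01T09:03:20Z FAIL user=grace src=203.0.113.150
2026-07-01T09:04:01Z FAIL user=heidi src=198.51.100.33
2026-07-01T09:04:48Z FAIL user=ivan src=203.0.113.18
2026-07-01T09:05:10Z SUCCESS user=carol src=192.0.2.44
2026-07-01T11:30:00Z FAIL user=carol src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|SUCCESS) user=(\S+) src=(\S+)$")
EPOCH = datetime(1970, 1, 1)  # naive UTC reference for window bucketing


def parse_log(text):
    """Turn the constructed log text into a list of event dicts; skip unparsable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, ip = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ok": result == "SUCCESS",
            "user": user,
            "ip": ip,
        })
    return events


def per_ip_lockout_hits(events, threshold=5):
    """Classic rule: source IPs with at least `threshold` failed logins.
    Against a residential proxy pool each IP sends one or two attempts, so this
    returns nothing."""
    fails = Counter(e["ip"] for e in events if not e["ok"])
    return sorted(ip for ip, n in fails.items() if n >= threshold)


def detect_distributed_spray(events, window=timedelta(minutes=10),
                             min_users=5, min_ips=5, max_fail_per_ip=2):
    """Aggregate failures across all source IPs in fixed time windows.
    Alert when a window holds failures for many distinct accounts coming from
    many distinct IPs while no single IP exceeds `max_fail_per_ip`; that is the
    signature of one campaign spread over proxy exit nodes rather than of one
    noisy host."""
    buckets = defaultdict(list)
    for e in events:
        if e["ok"]:
            continue
        bucket = (e["ts"] - EPOCH) // window  # timedelta // timedelta -> int
        buckets[bucket].append(e)

    alerts = []
    for b in sorted(buckets):
        fails = buckets[b]
        users = {e["user"] for e in fails}
        per_ip = Counter(e["ip"] for e in fails)
        if (len(users) >= min_users and len(per_ip) >= min_ips
                and max(per_ip.values()) <= max_fail_per_ip):
            start = EPOCH + b * window
            alerts.append({
                "window_start": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
                "failures": len(fails),
                "distinct_users": len(users),
                "distinct_ips": len(per_ip),
                "max_failures_per_ip": max(per_ip.values()),
            })
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-IP lockout would fire on:", per_ip_lockout_hits(evts))  # []
    for a in detect_distributed_spray(evts):
        print("distributed spray:", a)
```

The thresholds are starting points, not tuned values: set `min_users` and `min_ips` from your own baseline of failed logins per window, and consider keying the aggregation by target application or tenant so that one campaign against a single login endpoint is not diluted by unrelated traffic. A separate lone failure, like the one at 11:30 in the sample, correctly produces no alert.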

For its part, Google disabled the accounts and services on its infrastructure that NetNut operators used for malware command-and-control (C2), thus blocking access to “critical backend infrastructure.”

The company protected users by automatically warning them and disabling infected applications using Google Play Protect, the built-in security mechanism on Android.

Additionally, Google shared technical details on NetNut's software development kits (SDKs) and backend command-and-control (C2) infrastructure with platform providers, law enforcement agencies, and cybersecurity researchers.

Google expects disrupting NetNut to have a broader impact on the proxy industry, as the botnet “has a robust reseller program that allows whitelabeling of its network” and many popular residential proxy services are fueled by NetNut.

Karayan told BleepingComputer that disrupting one proxy service often prompts its operators to purchase replacement capacity from competing providers, effectively turning the disrupted service into a reseller of a competitor's network.

“The proxy industry is deeply interconnected where operators constantly buy and resell each other's botnet capacity, and Netnut is among the largest and most popular residential proxy networks in the world.”

The action against NetNut is part of Google's commitment to dismantle residential proxy botnets and follows the disruption of IPIDEA earlier this year.




Article source: https://www.bleepingcomputer.com/news/security/netnut-proxy-network-disrupted-2-million-infected-devices-cut-off/