NetNut Proxy Network Disrupted, 2 Million Infected Devices Cut Off


What happened

A joint operation involving Google, the FBI, Lumen Technologies, The Shadowserver Foundation, and other industry partners disrupted NetNut, a residential proxy network also known as Popa.

NetNut gave cybercriminal and espionage groups access to millions of compromised Android devices, including smart TVs and streaming boxes. Google’s Threat Intelligence Group estimated that the network controlled at least 2 million infected devices globally.

Residential proxy networks work by routing traffic through compromised home devices. This allows threat actors to hide behind legitimate residential internet addresses when launching attacks, making malicious activity harder to distinguish from normal consumer traffic.

Devices typically become part of these networks after being infected with malware that is either pre-installed before purchase or added through malicious or trojanized applications downloaded by users.

Once infected, consumer devices act as exit nodes for unauthorized traffic. This can cause the victim’s home internet address to be flagged, blocked, or associated with suspicious activity by internet service providers or online platforms.

NetNut was considered one of the world’s largest malicious proxy services and was used by hundreds of threat actors. Google said that in one week last month, it observed 316 distinct threat clusters using suspected NetNut exit nodes, including cybercriminal and espionage groups.

The network used multiple domains, including netnut.com, which was taken down by the FBI.

Google also disabled accounts and services on its infrastructure that NetNut operators used for malware command-and-control, cutting off access to critical backend infrastructure.

Google Play Protect automatically warned users and disabled infected applications on Android devices. Google also shared technical details about NetNut’s software development kits and command-and-control infrastructure with platform providers, law enforcement, and cybersecurity researchers.

Google said the disruption may have broader impact across the proxy industry because NetNut had a reseller program that allowed other services to white-label its network. Researchers noted that proxy operators often buy and resell one another’s botnet capacity, making the industry deeply interconnected.

Who is affected

Owners of compromised Android devices, smart TVs, streaming boxes, and other consumer devices are directly affected.

These devices may have been used as proxy exit nodes without the owner’s knowledge, routing traffic for cybercriminals or espionage groups through the victim’s home internet connection.

Organizations are also affected because threat actors used NetNut exit nodes to access their own infrastructure, conduct password-spraying attacks, and reach victim environments.

Security teams should pay attention to traffic from residential IP addresses that may appear legitimate but actually originate from compromised consumer devices participating in proxy networks.

Why CISOs should care

This disruption highlights how residential proxy networks help attackers bypass traditional reputation-based defenses. Traffic from a home internet address may not look like traffic from a data center, VPN, or known malicious host, making blocking and attribution more difficult.

For CISOs, the password-spraying use case is especially important. Google observed threat actors using NetNut exit nodes for password-spraying attacks, which can make identity attacks appear to come from many legitimate residential networks instead of a single obvious source.

The scale also matters. A network of at least 2 million infected devices gives attackers broad geographic distribution and a large pool of IP addresses to rotate through during attacks.

The reseller model creates additional risk. Even if one proxy service is disrupted, operators may buy replacement capacity from other proxy networks, meaning defenders should treat residential proxy abuse as an ecosystem problem rather than a single-service problem.

3 practical actions

  1. Monitor identity attacks from residential IP ranges: NetNut was used for password spraying and access to victim environments. CISOs should detect abnormal login patterns across many accounts, even when attempts come from consumer ISP addresses rather than known hosting providers.
  2. Strengthen defenses against distributed credential attacks: Residential proxy networks help attackers rotate IP addresses and evade simple rate limits. Security teams should use adaptive authentication, breached-password detection, impossible travel checks, device fingerprinting, and account lockout controls that account for distributed spraying.
  3. Block and investigate suspicious proxy infrastructure: Google shared NetNut SDK and command-and-control details with partners, while the FBI took down domains including netnut.com. Defenders should use updated threat intelligence, DNS filtering, endpoint telemetry, and network logs to identify devices or traffic linked to residential proxy abuse.
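The first two actions describe a detection problem: a spray routed through residential exit nodes stays below any per-source lockout, so the signal only appears when failures are counted across accounts and sources together. The following added example (not from the article, Google, or the operation's partners) runs that logic over a constructed authentication log; the field layout, thresholds and 10-minute window are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not from the article). Six accounts each get a
# single failed login from a different "residential" address, so no source ever
# reaches a per-IP lockout threshold.
SAMPLE_LOG = [
    "2024-05-01T09:40:12Z 192.0.2.5 alice OK",
    "2024-05-01T10:00:01Z 203.0.113.10 alice FAIL",
    "2024-05-01T10:00:07Z 198.51.100.21 bob FAIL",
    "2024-05-01T10:00:15Z 203.0.113.44 carol FAIL",
    "2024-05-01T10:00:22Z 198.51.100.9 dave FAIL",
    "2024-05-01T10:00:30Z 192.0.2.77 erin FAIL",
    "2024-05-01T10:00:41Z 203.0.113.88 frank FAIL",
    "2024-05-01T10:01:05Z 192.0.2.5 alice OK",
]

PER_IP_LOCKOUT = 5              # failures per source before a naive lockout fires (assumed)
MIN_ACCOUNTS = 5                # distinct accounts failing inside one window (assumed)
MIN_SOURCES = 4                 # distinct source addresses inside one window (assumed)
WINDOW = timedelta(minutes=10)  # assumed detection window

def parse(line):
    """Split 'timestamp src_ip username result' into typed fields."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def locked_by_per_ip(lines):
    """Sources a per-IP lockout would block; empty when the spray is distributed."""
    per_ip = defaultdict(int)
    for _, ip, _, result in map(parse, lines):
        if result == "FAIL":
            per_ip[ip] += 1
    return sorted(ip for ip, n in per_ip.items() if n >= PER_IP_LOCKOUT)

def detect_spray(lines, window=WINDOW):
    """Flag a window where many accounts fail from many sources, each below lockout."""
    fails = sorted(e for e in map(parse, lines) if e[3] == "FAIL")
    for i, (start, _, _, _) in enumerate(fails):
        bucket = [e for e in fails[i:] if e[0] - start <= window]
        per_ip = defaultdict(int)
        for _, ip, _, _ in bucket:
            per_ip[ip] += 1
        accounts = {user for _, _, user, _ in bucket}
        # Spray signature: wide across accounts and sources, shallow per source.
        if (len(accounts) >= MIN_ACCOUNTS and len(per_ip) >= MIN_SOURCES
                and max(per_ip.values()) < PER_IP_LOCKOUT):
            return {"window_start": start.isoformat(), "accounts": len(accounts),
                    "sources": len(per_ip), "max_failures_per_ip": max(per_ip.values())}
    return None
```

On the sample log `locked_by_per_ip` returns nothing, while `detect_spray` flags the burst; in production the same aggregation would run per tenant or identity provider with thresholds tuned to normal failure rates.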


John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.