
Google Disrupts NetNut Residential Proxy Network


"GTIG estimates Netnut controls at least 2 million infected devices globally (including smart TVs and streaming boxes), powered by trojanized applications and botnets like Badbox 2.0 that package proxy plugins," Google told BleepingComputer.

Google Threat Intelligence Group: the scale and short-term signal

The Google Threat Intelligence Group (GTIG) places the NetNut botnet, also tracked under the name Popa, at a minimum of two million compromised devices worldwide. GTIG said those devices include smart TVs and streaming boxes and are powered by trojanized applications and botnets such as Badbox 2.0 that deliver proxy plugins. In a single week last month GTIG observed 316 distinct threat clusters using suspected NetNut exit nodes, spanning both cybercriminal and espionage groups.

How NetNut worked: residential proxies, SDKs, and command-and-control

NetNut operated as a residential proxy network: it turned infected consumer devices into exit nodes that routed unauthorized traffic through victims' home IP addresses. Devices typically became part of the botnet after malware was either pre-installed before purchase or added via malicious or trojanized applications downloaded by the user. The network relied on software development kits (SDKs) and backend command-and-control (C2) infrastructure to manage and monetize access, enabling operators to hide malicious traffic behind legitimate residential addresses. GTIG and other researchers linked proxy plugins and infrastructure components—particularly those packaged with Badbox 2.0—to NetNut's operations.

The disruption: coordination between Google, the FBI, and industry partners

Dismantling the NetNut service was a coordinated action that included Google, the FBI, Lumen Technologies, The Shadowserver Foundation, and other industry partners. The FBI took down the netnut.com domain, and Google disabled the accounts and services on its infrastructure that the NetNut operators used for malware command-and-control, blocking access to what Google described as "critical backend infrastructure." Google also protected users by automatically warning them and disabling infected applications through Google Play Protect. Beyond takedowns and account restrictions, Google shared technical details about NetNut's SDKs and C2 infrastructure with platform providers, law enforcement agencies, and cybersecurity researchers to aid further mitigation.

Impact on users, platform providers, and law enforcement

  • End users: Devices become exit nodes after infection either via pre-installed malware or trojanized apps. Google said it warned affected users automatically and used Google Play Protect to disable infected applications.
  • Platform providers: Google has shared technical details on NetNut's SDKs and backend C2 infrastructure with platform providers, enabling targeted detection and removal of malicious app components across app stores and ecosystems.
  • Law enforcement and industry responders: The FBI's domain takedown of netnut.com and the multi-party disruption effort illustrate a model of coordinated action; partners including Lumen Technologies and The Shadowserver Foundation participated alongside Google.

What this did to threat actors and the proxy market

NetNut was among the largest residential proxy services and, according to GTIG, was used by hundreds of threat actors. Researchers reported threat actors used NetNut to reach their own infrastructure, conduct password-spraying attacks, and access victim environments. Google said it expects the disruption to ripple through the proxy industry because NetNut runs a "robust reseller program that allows whitelabeling of its network" and many popular residential proxy services are fueled by NetNut capacity. Mandiant communications manager Mark Karayan told BleepingComputer that the proxy market is highly interconnected: he confirmed the .com domain was used by NetNut and said that disrupting one proxy service often pushes operators to buy replacement capacity from competing providers, effectively turning buyers into resellers.

That interconnection means takedowns can break a specific service and choke its infrastructure, but they may also prompt rapid redistribution of malicious capability across other networks. Google cited its disruption of IPIDEA earlier this year as part of its ongoing commitment to dismantle residential proxy botnets.

The immediate result of the operation is clear: at least two million infected devices were identified as part of NetNut's network and key backend infrastructure and domains were disabled. The longer-term effect will depend on whether competing proxy providers absorb displaced demand or whether further coordinated disruptions can degrade the resale pathways that fuel these services. As Mandiant noted, operators’ tendency to purchase replacement capacity is the practical question driving whether takedowns like this one suppress malicious proxy capacity or simply relocate it.

Original reporting at BleepingComputer