"The scraping activity was scattered evenly across more than 1.4 million Internet addresses," researchers reported.
What Popa is and how it operates
Popa is an Android-based plugin component delivered via unofficial streaming apps and set-top devices. Researchers say it is not a conventional destructive botnet; instead, it provides a persistent communications layer that registers devices, maintains long-lived encrypted connections, and opens tunnels on demand. Multiple security firms identify Popa as associated with the larger Vo1d botnet family that targets unofficial Android TV boxes sold under thousands of brand names and model numbers.
Technical indicators and domain evidence
Initial clues came from a 2025 report by Chinese security firm XLAB that flagged at least nine domains used to register and direct devices. In May 2026 the security company Qurium linked those same domains to a series of disruptive data-scraping events that were routed across more than 1.4 million IP addresses. Qurium listed several controller domains including gmslb[.]net, safernetwork[.]io, tera-home[.]com, and ninjatech[.]io, and found gmslb[.]net embedded in pirated or modded streaming apps such as CRICFy, DooFlix, Sprozfy, RTS Tv, Flixoid, CyberFlix, Rapid Streamz, TvMob and HD/OceanStreams.
Evidence tying Popa traffic to NetNut and Alarum's rebuttal
Synthient, a proxy-tracking company, reported that analysis of the Popa SDK showed outbound traffic “clearly associated with NetNut,” writing: “The research team assesses with high confidence that devices running Popa forward traffic from Netnut clients. This proves without a shadow of a doubt that Popa actively continues to be used by NetNut as part of their proxy pool.”
Qurium and Synthient’s findings prompted public scrutiny because NetNut is a “residential proxy” provider operated by Alarum Technologies Ltd, a publicly traded Israeli firm. Alarum rejected the characterization of the SDKs and technologies as a “botnet,” calling the reports “demonstrably inaccurate assertions and flawed deductions rather than verified facts.” In its statement Alarum said the SDKs are “designed to facilitate bandwidth-sharing functionality” and that NetNut “operates a commercial proxy network and maintains policies, procedures, and technological measures designed to promote lawful and responsible use of its services.”
Moishi Kramer, founder of Ninjatech and credited on LinkedIn as vice president of research and development at NetNut, told investigators that Ninjatech ceased operations “approximately five years ago” and that the Popa SDK was sold and licensed to third parties. Kramer said he does not build, operate, or maintain the infrastructure being described as Popa and that he “didn’t register the June 2025 domains you mention, and I don’t know who did.”
Resellers, consent, and commercial pathways — findings from Spur and others
The proxy-tracking service Spur disputed parts of Alarum’s claims about customer vetting, reporting that NetNut does not require corporate verification or meaningful KYC before customers can purchase proxy access. “The ‘verified corporations only’ claim is simply marketing for bandwidth sellers, not an access control on who actually uses the proxies,” Spur wrote, adding that downstream white-label resellers often perform no KYC and allow access for minimal payment.
Synthient noted recent Popa builds added the ability to ask users for consent before installing proxy components, but also observed that many variants and prior versions did not. Spur’s research found roughly 3,000 apps available for download in both the LG and Samsung app stores and reported that more than 42 percent of LG’s webOS apps include SDKs that turn a television into a residential proxy node, with more than a quarter of Samsung’s Tizen apps containing similar components.
Scale, impact on scraping and third parties
Chris Formosa of Black Lotus Labs at Lumen Technologies estimated Popa averages between 1.5 million and 2.5 million distinct IP addresses each day and relies on 250–300 Internet addresses to direct activity. Jérôme Meyer of Nokia Deepfield reported monitoring 26 of at least 359 known Popa relay nodes and estimated that each node handles 35,000–60,000 clients simultaneously; the subset he examined showed 750,000 unique sources in 24 hours.
Security researchers link widespread residential-proxy usage to large-scale web scraping—work that many companies now perform to train AI models. Include Security summed up that “AI companies depend on web-scraped content” and that residential proxies are the common workaround for scraping from datacenter IPs that are throttled or blocked. That scraping has led to more than 70 copyright infringement lawsuits and repeated operational harms for organizations whose sites are overwhelmed; a COAR survey found more than 90 percent of repositories report encountering aggressive bots, often causing slowdowns and outages.
What this means for network defenders, policymakers, and end users
- Technologists and security teams: Monitor for traffic patterns associated with proxy SDKs and Popa control domains (gmslb[.]net, safernetwork[.]io, tera-home[.]com, ninjatech[.]io) and track unusual outbound connections from consumer devices on corporate networks—Infoblox reported 65% of its customers queried residential-proxy domains and warned of the legal and forensic burden if a corporate IP is used as a conduit for abuse.
- Policymakers and regulators: Consider the implications of reseller marketplaces for residential proxy access and whether claimed KYC and mitigation practices are meaningful in practice, given Spur’s finding that resellers often require little to no verification.
- End users: Be aware that unofficial streaming boxes and many TV apps may include SDKs that enroll a home IP address in proxy pools, and that consent dialogs on TV platforms may not convey the long-term consequences of enabling an always-on proxy.
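One way to run the DNS check suggested for security teams above, as an added example that is not from the original article or the cited researchers: it matches resolver log lines against the four controller domains named on this page, on a label boundary so that look-alike names do not trigger. The log format, the sample lines (including the invented hostnames) and the function names are assumptions.

```python
from collections import defaultdict

# Controller domains as listed on this page, kept in their defanged form.
POPA_DOMAINS_DEFANGED = [
    "gmslb[.]net", "safernetwork[.]io", "tera-home[.]com", "ninjatech[.]io",
]

def refang(indicator):
    """Normalize a (possibly defanged) name: '[.]' -> '.', no trailing dot, lowercase."""
    return indicator.replace("[.]", ".").strip().rstrip(".").lower()

WATCHLIST = {refang(d) for d in POPA_DOMAINS_DEFANGED}

def matched_domain(qname):
    """Return the watchlist domain that qname equals or is a subdomain of, else None."""
    labels = refang(qname).split(".")
    # Test every label-aligned suffix, so 'notgmslb.net' and
    # 'gmslb.net.example.com' are not reported as matches.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in WATCHLIST:
            return candidate
    return None

def find_popa_lookups(log_lines):
    """Map client IP -> {watchlist domain: query count} for matching lookups."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than guess at their meaning
        _ts, client, _qtype, qname = fields
        domain = matched_domain(qname)
        if domain:
            hits[client][domain] += 1
    return {client: dict(counts) for client, counts in hits.items()}

# Constructed sample resolver log (assumed format: timestamp client qtype qname).
SAMPLE_LOG = [
    "2026-05-01T10:00:01Z 10.0.5.23 A api.GMSLB.net.",
    "2026-05-01T10:00:02Z 10.0.5.23 A gmslb.net",
    "2026-05-01T10:00:03Z 10.0.7.40 AAAA cdn.tera-home.com",
    "2026-05-01T10:00:04Z 10.0.7.41 A notgmslb.net",
    "2026-05-01T10:00:05Z 10.0.7.41 A gmslb.net.example.com",
    "truncated line",
]

if __name__ == "__main__":
    for client, counts in sorted(find_popa_lookups(SAMPLE_LOG).items()):
        print(client, counts)
```

Clients that appear in the result are the consumer devices worth inspecting for bundled proxy SDKs; adapt the field split to the resolver's real log layout.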
The record presented by Qurium, Synthient, Spur, Nokia, Lumen/Black Lotus Labs, and others outlines overlapping technical signals tying Popa activity to the commercial residential-proxy ecosystem that includes NetNut; Alarum disputes the characterization and emphasizes policies and monitoring. The dispute shifts attention to reseller networks, historical SDK distribution, and how consent and verification are implemented—questions whose answers will determine whether the Popa pattern is a problem of legacy code and misuse, or evidence of an active, commercial proxy operation routing scraping and other traffic through millions of consumer IP addresses.
Source: KrebsOnSecurity — “Popa” Botnet Linked to Publicly-Traded Israeli Firm




