Infrawatch found 87 instances of ProxySmart control panels in 17 countries and 94 phone farm locations, a footprint that the researchers say powers “SIM Farm as a Service” for operators around the globe.
Geography and scale: 94 phone farms, 19 US states, 17 countries
Infrawatch published its findings on April 21, reporting 87 ProxySmart control panels across 17 countries and 94 phone farm locations. The farms are located across 19 US states and in countries in Europe and South America. The firm ties the platform publicly to “a Belarus-based vendor footprint,” and says the platform’s reach and design help operators run mobile proxy infrastructure at commercial scale.
How ProxySmart is packaged and sold
According to the report, ProxySmart is marketed as a productised, turnkey platform for operating and monetizing physical SIM farms. “The platform is marketed as a turnkey solution rather than a tool intended only for highly technical operators,” Infrawatch wrote, noting public-facing materials advertise a web interface, API, remote access, documentation, and support. Pricing is tied to SIM count, and the system is typically self-hosted by farm operators with a reverse proxy placed in front of the control panel to disguise its location.
Technical mechanics: devices, protocols, and automation
Infrawatch details the stack used by ProxySmart. The platform supports two primary device types: physical smartphones enrolled via an unsigned Android APK downloaded from the operator’s site, and USB 4G/5G modems managed by the open-source ModemManager. Both device classes are orchestrated by a ProxySmart backend service Infrawatch observed to be “implemented in Python and heavily obfuscated by PyArmor.”
IP rotation is automated. The report describes a simple, repeatable technique: toggling airplane mode on and off for three seconds to force a cellular reconnection and obtain a reassigned egress IP. ProxySmart also supports multiple tunnelling and proxy protocols — OpenVPN, SOCKS5, VLESS, and HTTP — and includes an OS spoofing capability that lets operators “simulate other OS TCP fingerprints” such as macOS, iOS, Windows, and Android via the web panel.
Capabilities that enable large-scale evasion and abuse
Infrawatch summarizes the platform’s operational effects bluntly: ProxySmart provides device management, automated IP rotation, customer provisioning, plan enforcement, and anti-bot countermeasures. Technical analysis “indicates operator capabilities consistent with large-scale evasion enablement, including automated IP rotation, remote device control, and network fingerprint spoofing.”
The platform’s features materially lower the technical barrier to entry for reselling mobile proxy services: public materials and a complete end-to-end stack let non-specialist actors set up and operate farms, leading Infrawatch to conclude the ecosystem “materially lowers the barrier to operating and reselling mobile proxy infrastructure, with limited evidence of meaningful eligibility checks across many downstream providers.”
What this means for technologists, policymakers, and nation-states
- Technologists and security teams: Network defenses that rely primarily on IP-based signals are directly challenged. Infrawatch notes the “combination of carrier-grade NAT, rapid IP rotation, and multi-carrier availability reduces the effectiveness of IP-centric controls and complicates attribution at scale.” Security teams will need to account for remote device control and OS/TCP-fingerprint spoofing when assessing suspicious sessions.
- Policymakers and regulators: A turnkey, commodity-style product with pricing tied to SIM count and self-hosting options foregrounds regulatory questions about how to detect and disrupt commercialized SIM-farm supply chains. Infrawatch highlights that the platform presents SIM-farm deployment as “a productised commercial setup rather than a specialist engineering effort,” which could influence how enforcement and oversight are structured.
- Nation-states and information operations actors: The report explicitly notes SIM farms have been used for a range of illicit activity and that “the Russian authorities [have used them] to spread disinformation in Ukraine.” The scale and automation described by Infrawatch create repeatable, resellable capabilities that can be repurposed for smishing, fraud, bot sign-ups, one-time-password interception, and mass messaging campaigns.
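For the session assessment the first bullet calls for, the following is an added example, not code from Infrawatch or ProxySmart: it keys on the session rather than the IP and flags rapid address churn inside one carrier ASN, plus any mismatch between the OS claimed at the application layer and the one inferred from the TCP stack. The log fields, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (documentation IP ranges and documentation ASNs):
# (timestamp, session_id, egress_ip, asn, os_from_user_agent, os_from_tcp_stack)
EVENTS = [
    ("2025-01-01T10:00:00", "s1", "198.51.100.10", 64500, "iOS", "iOS"),
    ("2025-01-01T10:02:00", "s1", "198.51.100.77", 64500, "iOS", "iOS"),
    ("2025-01-01T10:04:00", "s1", "198.51.100.142", 64500, "iOS", "iOS"),
    ("2025-01-01T10:06:00", "s1", "198.51.100.201", 64500, "iOS", "iOS"),
    ("2025-01-01T10:00:00", "s2", "203.0.113.5", 64501, "Windows", "Windows"),
    ("2025-01-01T10:30:00", "s2", "203.0.113.5", 64501, "Windows", "Windows"),
    ("2025-01-01T10:00:00", "s3", "192.0.2.9", 64502, "macOS", "Android"),
    ("2025-01-01T11:30:00", "s3", "192.0.2.44", 64502, "macOS", "Android"),
]

def score_sessions(events, window=timedelta(minutes=10), max_ips=3):
    """Return {session_id: sorted reasons} for sessions that merit review."""
    by_session = defaultdict(list)
    for ts, sid, ip, asn, ua_os, tcp_os in events:
        by_session[sid].append((datetime.fromisoformat(ts), ip, asn, ua_os, tcp_os))
    findings = {}
    for sid, rows in by_session.items():
        rows.sort()
        reasons = set()
        start = 0
        for end in range(len(rows)):
            # Slide the window so it never spans more than `window` of time.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            ips = {r[1] for r in span}
            asns = {r[2] for r in span}
            # Many distinct egress IPs, one ASN, one session: rotation-like churn.
            if len(ips) >= max_ips and len(asns) == 1:
                reasons.add("ip_churn_same_asn")
        # Application-layer OS claim disagrees with the passive TCP-stack guess.
        if any(r[3] != r[4] for r in rows):
            reasons.add("os_fingerprint_mismatch")
        if reasons:
            findings[sid] = sorted(reasons)
    return findings

if __name__ == "__main__":
    for sid, reasons in score_sessions(EVENTS).items():
        print(sid, reasons)
```

Legitimate mobile users also change address behind carrier-grade NAT, so these are review signals to combine with account-level evidence rather than block rules.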
Conclusion: a commodified capability that complicates attribution
Infrawatch’s assessment frames ProxySmart not as a niche engineering toolkit but as an industrialised service for managing and monetizing physical SIM infrastructure. Its combination of device orchestration, automated IP churn, protocol flexibility, and market-facing packaging means operators and resellers can scale mobile-proxy services with limited technical expertise. As the report observes, that combination reduces the efficacy of IP-centric controls and “complicates attribution at scale,” leaving defenders and policymakers with a concrete, operational challenge grounded in the platform’s technical design and its global footprint.




