Back to Intelligence

NetNut Botnet Takedown: Defending Against Android Proxy Malware

SA
Security Arsenal Team
July 5, 2026
5 min read

Introduction

A joint operation involving Google has successfully disrupted the NetNut residential proxy network, a criminal infrastructure that utilized approximately 2 million compromised devices. Unlike traditional botnets designed for DDoS or ransomware, NetNut specialized in "residential proxy" services, converting victim Android devices—including smart TVs and streaming boxes—into relay nodes for anonymizing third-party traffic. While the immediate command-and-control (C2) infrastructure has been dismantled, the underlying malware remains installed on millions of endpoints. Defenders must act immediately to identify these dormant agents and prevent reinfection by similar proxy-botnets like P2PProxy or GoIP.

Technical Analysis

Affected Products and Platforms:

  • Platform: Android OS (specifically older, unpatched versions prevalent in low-cost IoT).
  • Form Factors: Smart TVs, TV streaming boxes (set-top boxes), and mobile devices.

Attack Mechanics: The malware operates by embedding a proxy daemon (typically SOCKS5 or HTTP) within the Android device's user space. Once installed—often via trojanized sideloaded apps or supply-chain compromise in low-cost firmware—the agent connects to the NetNut C2 to receive relay instructions. The device then acts as a "residential" exit node, forwarding traffic from paying customers (often malicious actors or scrapers) to the internet.

The Defensive Gap: The primary challenge for SOCs is that the traffic often appears as standard HTTPS or SOCKS traffic originating from a legitimate internal IP. The device itself often suffers only performance degradation, keeping the infection below the user's radar.

Exploitation Status: While the specific NetNut C2 is disrupted, the binaries remain. Active exploitation of IoT devices for proxy purposes remains a high-volume, low-complexity revenue stream for threat actors.

Detection & Response

Sigma Rules

The following rules detect suspicious proxy-related process activity and network egress patterns consistent with residential proxy botnets on Linux/Android-based endpoints.

YAML
---
title: NetNut Proxy Botnet - Suspicious Proxy Process Activity
id: 8a2b1c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects execution of common proxy binaries or scripts often used by Android/IoT botnets to facilitate traffic relay.
references:
  - https://www.bleepingcomputer.com/news/security/netnut-proxy-network-disrupted-2-million-infected-devices-cut-off/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith:
      - '/proxy'
      - '/miniproxy'
      - '/3proxy'
      - '/tinyproxy'
    CommandLine|contains:
      - '-p'
      - '--port'
  condition: selection
falsepositives:
  - Legitimate administrative use of proxy utilities on developer workstations.
level: high
---
title: Suspicious High-Volume Egress Traffic from Non-Standard User Agents
id: 9b3c2d1e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Identifies network connections from IoT/Android devices to unknown external IPs utilizing high-bandwidth or suspicious user agents associated with proxy networks.
references:
  - https://www.bleepingcomputer.com/news/security/netnut-proxy-network-disrupted-2-million-infected-devices-cut-off/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.exfiltration
  - attack.t1048
logsource:
  category: network_connection
  product: linux
detection:
  selection:
    DestinationPort|between:
      - 8000
      - 9000
    DestinationPort|between:
      - 10000
      - 12000
  filter:
    DestinationHostname|endswith:
      - 'google.com'
      - 'googleapis.com'
      - 'android.com'
  condition: selection and not filter
falsepositives:
  - Legitimate streaming services on non-standard ports.
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for Android devices generating significant outbound traffic to non-corporate IPs, a hallmark of devices compromised for proxying.

KQL — Microsoft Sentinel / Defender
let HighRiskPorts = dynamic([8080, 1080, 3128, 8888, 9050, 10000, 15000]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ConnectionSuccess"
| where DeviceCategory in ("Android", "IoT", "Mobile")
| where RemotePort in (HighRiskPorts) or RemotePort between (10000 .. 20000)
| summarize TotalBytes = sum(SentBytes + ReceivedBytes), distinctRemoteIPs = dcount(RemoteIP) by DeviceName, RemoteIP
| where TotalBytes > 5000000 // > 5MB egress threshold
| where distinctRemoteIPs > 3
| project DeviceName, RemoteIP, TotalBytes, distinctRemoteIPs
| order by TotalBytes desc

Velociraptor VQL

Hunt for persistent proxy artifacts on Linux-based Android filesystems or rooted shells.

VQL — Velociraptor
-- Hunt for suspicious proxy binaries and init scripts
SELECT 
  FullPath,
  Size,
  Mode,
  Mtime,
  User
FROM glob(globs=["/data/local/tmp/proxy*", "/system/bin/proxy*", "/etc/init.d/*proxy*"])
WHERE Mode =~ "x"
   OR FullPath =~ "netnut"
   OR FullPath =~ "3proxy"

Remediation Script (Bash)

This script assists DFIR teams in identifying and killing active proxy processes on compromised Linux/Android shells.

Bash / Shell
#!/bin/bash
# Identify and kill common proxy malware processes associated with residential botnets

# Check for running proxy processes
PROCESSES=$(ps aux | grep -E 'mini|proxy|tunnel|privoxy|3proxy' | grep -v grep)

if [ -n "$PROCESSES" ]; then
  echo "[!] Suspicious proxy processes found:"
  echo "$PROCESSES"
  
  # Attempt to kill processes by name (Use with caution in production)
  echo "[*] Terminating PIDs..."
  ps aux | grep -E 'mini|proxy|tunnel|privoxy|3proxy' | grep -v grep | awk '{print $2}' | xargs -r kill -9
else
  echo "[+] No known proxy processes running."
fi

# Check for common persistence locations
MALICIOUS_PATHS=("/data/local/tmp/proxy" "/system/xbin/proxy" "/etc/cron.weekly/p.sh")
echo "[*] Checking for known malicious paths..."
for PATH in "${MALICIOUS_PATHS[@]}"; do
  if [ -f "$PATH" ]; then
    echo "[!] Found suspicious file at: $PATH"
  fi
done

Remediation

  1. Network Isolation: Immediately identify devices communicating with known NetNut infrastructure (see IOCs in related threat feeds) and isolate them at the switch level.

  2. Factory Reset: For IoT and Set-Top boxes, forensic analysis is often impractical. The most reliable remediation is a factory reset to clear non-standard partition infections.

  3. Firmware Updates: Ensure devices are updated to the latest firmware. Many Android-based IoT devices are rarely patched; if no patch exists for the OS version, decommission the device.

  4. Block High-Risk Ports: Implement firewall rules to block outbound traffic from IoT VLANs on ports commonly used for proxies (e.g., 1080, 8080, 3128) unless explicitly required.

  5. Application Control: Prevent the installation of sideloaded applications (APKs) on corporate-managed Android devices via Mobile Device Management (MDM) policies.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemnetnutandroid-botnetproxy-malwareiot-securitythreat-hunting

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.