Back to Intelligence

NetNut Proxy Botnet Disruption: Defending Against Residential IP Abuse

SA
Security Arsenal Team
July 2, 2026
6 min read

This week, the Google Threat Intelligence Group (GTIG), in coordination with the FBI and Lumen, announced a significant blow to the "NetNut" (also tracked as Popa) residential proxy network. By degrading the network's pool of usable devices by millions, defenders have been given a temporary reprieve—but the underlying vulnerability remains.

The attack vector here is not a sophisticated zero-day in the traditional sense, but rather the commodification of trust. Attackers compromise home routers and IoT devices—often via default credentials or unpatched firmware—to turn them into residential relays. This allows malicious actors to launder their traffic, making ransomware operations, credential stuffing, and web scraping appear as legitimate residential traffic from ISP blocks like Comcast or Verizon.

With 2 million devices previously ensnared, your SOC must assume that a portion of your remote workforce's home networks or your organization's edge IoT infrastructure is currently part of a similar proxy network. This post details how to detect if your devices are acting as unwilling relays and how to harden them against future recruitment.

Technical Analysis

Threat Profile: NetNut / Popa Residential Proxy Botnet Affected Platforms: Home Routers (SOHO), IoT Devices, Misconfigured Windows/Linux Endpoints Infection Vector: Weak/default credentials, unpatched firmware vulnerabilities, malicious browser extensions or bundled software.

Mechanism of Action: Once a device is compromised, the threat actor deploys a lightweight proxy agent (often running as a hidden process or a modified firmware service). This agent listens on high-numbered ports (typically 8080, 3128, or random dynamic ports) and accepts forwarded HTTP/SOCKS traffic from the botnet controller.

The device then acts as a "hop," forwarding requests to the final target. Because the source IP is a residential ISP, the traffic bypasses standard IP-reputation blocklists that typically flag data center traffic. This "trust exploitation" is highly valuable for adversaries conducting brute-force attacks or evading fraud detection.

Exploitation Status: While Google has disrupted the command and control (C2) infrastructure associated with NetNut, the infected devices remain vulnerable. Until the malware is removed and credentials reset, these devices can be re-enlisted into new proxy networks immediately.

Detection & Response

Detecting a compromised device acting as a proxy requires identifying behavioral anomalies: specifically, a workstation or router acting as a server (initiating many outbound connections to diverse destinations) or listening on non-standard proxy ports.

SIGMA Rules

YAML
---
title: Potential Residential Proxy Agent Execution
id: 8a4b3c2d-1e0f-4a5b-8c6d-7e8f9a0b1c2d
status: experimental
description: Detects execution of common proxy binaries or unsigned binaries often used in residential proxy botnets on Linux/Unix systems.
references:
 - https://thehackernews.com/2026/07/google-disrupts-netnut-residential.html
author: Security Arsenal
date: 2026/07/08
tags:
 - attack.command_and_control
 - attack.t1071.001
logsource:
 category: process_creation
 product: linux
detection:
 selection:
 Image|endswith:
   - '/3proxy'
   - '/tinyproxy'
   - '/polipo'
   - '/shadowsocks'
   - '/v2ray'
   - '/xray'
   - '/trojan'
 condition: selection
falsepositives:
 - Legitimate administrative use of proxy software
level: high
---
title: Suspicious High-Volume Outbound Relay Traffic
id: 9c5d4e3f-2f1a-5b6c-9d7e-0f1a2b3c4d5e
status: experimental
description: Identifies endpoints initiating connections to a high number of unique external IPs, characteristic of a proxy relay node.
references:
 - https://thehackernews.com/2026/07/google-disrupts-netnut-residential.html
author: Security Arsenal
date: 2026/07/08
tags:
 - attack.command_and_control
 - attack.t1090
logsource:
 category: network_connection
 product: windows
detection:
 selection:
 Initiated: true
   | count() by SourceIp > 50
 timeframe: 5m
 condition: selection
falsepositives:
 - Heavy update processes
 - P2P applications (BitTorrent)
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for devices exhibiting proxy-like behavior: high entropy in destination IPs
let TimeWindow = 1h;
let Threshold = 100;
DeviceNetworkEvents
| where Timestamp > ago(TimeWindow)
| where ActionType == "ConnectionInitiated" 
| summarize DistinctIPCount = dcount(RemoteIP), TotalConnections = count() by DeviceName, SrcIpAddr
| where DistinctIPCount > Threshold
| order by DistinctIPCount desc
| project DeviceName, SrcIpAddr, DistinctIPCount, TotalConnections

Velociraptor VQL

VQL — Velociraptor
-- Hunt for processes listening on non-standard high ports indicative of proxy agents
SELECT Pid, Name, Exe, CommandLine, Username
FROM listen_sockets()
WHERE Port > 1024
   AND NOT Family =~ 'UNIX'
   AND NOT Name =~ 'svchost.exe'
   AND NOT Name =~ 'System'
   AND NOT Name =~ 'node'
   AND NOT Name =~ 'chrome'
   AND NOT Name =~ 'firefox'

Remediation Script (PowerShell)

PowerShell
# Script to detect and disable common proxy services on Windows endpoints
# Requires Administrator privileges

Write-Host "Checking for suspicious proxy services..." -ForegroundColor Cyan

# Get services with 'Proxy' in the name or path that are not standard Microsoft services
$suspiciousServices = Get-WmiObject Win32_Service | Where-Object { 
    ($_.Name -like '*proxy*' -or $_.PathName -like '*proxy*') -and 
    $_.PathName -notlike '*C:\Windows*' -and 
    $_.State -eq 'Running'
}

if ($suspiciousServices) {
    Write-Host "[ALERT] Found running non-standard proxy services:" -ForegroundColor Red
    $suspiciousServices | Format-List Name, DisplayName, PathName, State
    
    # Attempt to stop and disable
    foreach ($svc in $suspiciousServices) {
        try {
            Stop-Service -Name $svc.Name -Force -ErrorAction Stop
            Set-Service -Name $svc.Name -StartupType Disabled -ErrorAction Stop
            Write-Host "Stopped and disabled service: $($svc.Name)" -ForegroundColor Yellow
        } catch {
            Write-Host "Failed to stop service $($svc.Name): $_" -ForegroundColor Red
        }
    }
} else {
    Write-Host "No suspicious proxy services detected." -ForegroundColor Green
}

# Check for WinINET/Proxy settings modifications (Non-Standard)
$regPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
$proxyServer = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).ProxyServer
$proxyEnable = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).ProxyEnable

if ($proxyEnable -eq 1 -and $proxyServer) {
    Write-Host "[WARN] System Proxy is enabled: $proxyServer" -ForegroundColor Yellow
    Write-Host "Verify if this is authorized corporate configuration." -ForegroundColor Yellow
}

Remediation

Immediate action is required if devices are identified as part of this or similar botnets:

  1. Factory Reset for Routers/IoT: For SOHO routers and IoT devices, a simple malware removal is often insufficient. Perform a factory reset to clear non-volatile memory where the malware may persist.
  2. Credential Hardening: Upon reset, change the default administrator password immediately. Use a high-entropy passphrase (16+ characters).
  3. Firmware Updates: Ensure the device is running the latest firmware version. Check the vendor's security advisories for patches related to remote code execution (RCE) or authentication bypass.
  4. Disable Remote Management: Turn off UPnP and remote administration (WAN access) from the router's web interface. These are the primary vectors for initial infection.
  5. Network Segmentation: Isolate IoT devices on a separate VLAN (Guest Network) to prevent lateral movement from a compromised smart TV to a corporate laptop.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectionnetnutproxy-botnetiot-security

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.