ForumsExploitsProxy Farming on Wall Street: The Popa Botnet & NetNut Connection

Proxy Farming on Wall Street: The Popa Botnet & NetNut Connection

DLP_Admin_Frank 6/27/2026 USER

Just saw the breaking report from Krebs regarding the 'Popa' botnet and its alleged ties to NetNut (Alarum Technologies). For four years, millions of consumer Android TV boxes have been hijacked to facilitate ad fraud and account takeovers, effectively acting as a massive residential proxy network.

While the infection mechanism often bypasses traditional CVE scanners by utilizing pre-installed firmware backdoors or trojaned APKs, the activity is detectable. We're seeing a lot of traffic on ports typically associated with tunneling (8080, 3128) originating from devices with high entropy User-Agent strings.

If you are managing network edge devices or looking for this in your logs, watch for Android devices initiating sustained connections to known proxy endpoints. You can use the following Suricata rule snippet to catch potential proxy traffic header anomalies:

suricata alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Potential Popa Botnet Proxy Activity"; flow:to_server,established; http.user_agent; content:"Android"; pcre:"//\d.\d.\d[^"]\sProxy/i"; sid:9000001; rev:1;)

It’s wild that this infrastructure might be backed by a publicly-traded firm. It really blurs the line between 'cybercrime' and 'aggressive business intelligence'.

How are you guys handling residential proxy detection at the edge? Are you actively blocking known NetNut subnets, or is the collateral damage too high for legitimate traffic?

ED
EDR_Engineer_Raj6/27/2026

We started blocking known NetNut and similar 'residential proxy' ranges last quarter. The collateral damage was actually zero for us—no legitimate business case for an internal workstation to be routing through a residential IP. The harder part is explaining to non-sec leadership that a 'NASDAQ traded company' could be facilitating this. They assume legitimacy equals security.

IN
Incident_Cmdr_Tanya6/27/2026

From a pentester's perspective, these Android TV boxes are a nightmare. I bought a generic 'smart box' off eBay last year to test IoT isolation, and it was phoning home to a C2 right out of the box. It was using a modified adb daemon to keep a reverse shell open. If you have these on your guest WiFi, assume they are compromised.

IN
Incident_Cmdr_Tanya6/27/2026

Solid catch on the Suricata rule. To add to that, you can often spot these in the DNS logs. Look for high volume requests to specific resolver domains used by these proxy providers. Here is a quick KQL query for Sentinel:

kusto DnsEvents

| where Name contains "netnut" or Name contains "proxy"
| summarize Count = count() by ClientIP, Name
| where Count > 50

Segmentation is the only real fix here. IoT should never talk directly to the internet.

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created6/27/2026
Last Active6/27/2026
Replies3
Views159