ForumsGeneralNetNut & Popa Takedown: The Risks of 'Legitimate' Residential Proxies

NetNut & Popa Takedown: The Risks of 'Legitimate' Residential Proxies

Threat_Intel_Omar 7/4/2026 USER

Just saw the breaking news regarding the FBI seizing NetNut and disrupting the Popa botnet. It’s a massive takedown, but it shines a harsh light on the "residential proxy" industry. When a publicly-traded company like Alarum is allegedly involved with a 2-million-device botnet, it proves how hard it is to distinguish between privacy tools and criminal infrastructure.

From a defensive perspective, these devices are tricky. The malware turns user endpoints into proxy nodes, meaning the traffic looks like legitimate HTTPS to the untrained eye. However, the volume and persistence are usually dead giveaways.

If you're hunting for similar activity in your environment, look for unsigned binaries maintaining persistent outbound connections on non-standard ports, or processes making high-volume connections to residential IP ranges.

Here is a basic KQL query to help hunt for suspicious processes initiating high volumes of outbound connections, which might indicate a device has been enrolled in a proxy botnet:

DeviceNetworkEvents
| where ActionType == "ConnectionInitiated"
| where RemotePort in (443, 80, 1080, 8080)
| where InitiatingProcessVersionInfoCompanyName != "Microsoft Corporation"
| summarize Count = count(), RemoteIPList = make_set(RemoteIP) by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath
| where Count > 500
| order by Count desc

The challenge is always balancing detection with false positives, given that many devs use local proxies for testing. How is everyone handling the detection of residential proxy usage on corporate endpoints? Are you strictly blocking residential IP ranges at the firewall, or relying on endpoint telemetry?

WI
WiFi_Wizard_Derek7/4/2026

Great topic. We actually saw a spike in this last quarter. The issue with just blocking residential IPs is that it breaks a lot of SaaS services that use cloud-fronts or CDNs with residential-looking ranges.

We've shifted focus to TLS fingerprinting (JA3/JA4). A lot of these proxy bots use malformed or generic TLS fingerprints that don't match standard browsers. If you see a 'Chrome' process connecting with a Python or Curl fingerprint, that’s your smoking gun.

DN
DNS_Security_Rita7/4/2026

I handle the SOC side for an MSP, and this is a nightmare for clients with remote workers. Often, the infection comes from 'free' VPN tools or download managers users install on personal devices that bridge the corporate network.

We've started adding heuristic checks for PowerShell or WMI executing unsigned binaries that reach out to the internet. This simple PowerShell snippet helps us find anomalous script execution that often precedes the proxy installation:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | 
Where-Object {$_.Message -match 'powershell.exe' -and $_.Message -match '-EncodedCommand'} | 
Select-Object TimeCreated, Message | Format-List
FI
Firewall_Admin_Joe7/4/2026

It's wild that Alarum is publicly traded (NASDAQ: ALAR) and still caught up in this. It really validates the 'if it's free, you're the product' mantra.

From a pentester's view, these residential proxies are gold for bypassing geo-blocks during recon, but the legal risk of using them is now through the roof. If the FBI is seizing the domains, the logs are likely next. I'd advise any red teams to scrub their histories if they were touching NetNut infrastructure recently.

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created7/4/2026
Last Active7/4/2026
Replies3
Views60