Executive Summary
In June 2026, cybersecurity researchers uncovered that the 'Popa' botnet, active for four years, had compromised millions of Android-based TV boxes, turning them into nodes for a residential proxy network. This network facilitated activities such as advertising fraud, account takeovers, and mass data scraping. Investigations linked the botnet to NetNut, a residential proxy provider operated by the publicly-traded Israeli firm Alarum Technologies Ltd. The compromised devices, often marketed as offering free access to subscription services, were found to have pre-installed software that enrolled users' home internet connections into the proxy network without explicit consent.
This incident highlights the growing threat posed by malicious software embedded in consumer devices, particularly those offering 'free' services. The use of residential proxy networks for illicit activities underscores the need for consumers to exercise caution when purchasing and installing such devices. It also emphasizes the importance of regulatory scrutiny over companies providing proxy services to ensure they are not facilitating cybercriminal activities.
Why This Matters Now
The Popa botnet incident underscores the urgent need for consumers to be vigilant about the devices they bring into their homes, especially those promising free access to premium services. It also calls for increased regulatory oversight of companies offering proxy services to prevent their misuse in cybercriminal activities.
Attack Path Analysis
The Popa botnet infiltrated Android-based TV boxes through pre-installed or bundled software that opened persistent, encrypted connections to the operators' infrastructure. Those long-lived sessions gave the attackers remote control of the devices and a channel through which to relay internet traffic, so that advertising fraud, account takeovers, and mass data scraping were routed through ordinary residential connections. Because the channel was encrypted and kept open indefinitely, the operators could exfiltrate data and issue commands without being detected. The widespread use of compromised devices led to significant impacts, including service disruptions and unauthorized access to sensitive information.
Kill Chain Progression
Initial Compromise
Description
The Popa botnet infiltrated Android-based TV boxes through pre-installed or bundled software, establishing persistent encrypted connections to relay internet traffic for malicious activities.
MITRE ATT&CK® Techniques
Proxy Through Victim
Proxy
Acquire Infrastructure: Botnet
Application Layer Protocol
Exploitation for Client Execution
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Device Security
Control ID: Pillar 3: Devices
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Popa botnet compromises residential networks through ISP infrastructure, enabling unauthorized proxy traffic routing and potential lateral movement within telecommunications provider networks.
Entertainment/Movie Production
Streaming device malware targeting pirated content apps creates extensive proxy networks, facilitating copyright infringement and unauthorized content scraping activities.
Information Technology/IT
Corporate networks face residential proxy infiltration through employee devices, creating unauthorized external access points and complicating incident response attribution.
Financial Services
Banking sector vulnerable to account takeovers and fraud through residential proxy networks enabling anonymous malicious traffic routing and circumventing detection systems.
Sources
- ‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm: https://krebsonsecurity.com/2026/06/popa-botnet-linked-to-publicly-traded-israeli-firm/
- Alarum: NetNut to Introduce Revolutionary AI Data Collector Product Line: https://www.nasdaq.com/press-release/alarum%3A-netnut-to-introduce-revolutionary-ai-data-collector-product-line-2024-02-21
- NetNut to Launch Development of Innovative Web Data Collection Solutions in Cooperation with Team of Elite Intelligence Researchers: https://www.globenewswire.com/news-release/2023/06/27/2695302/0/en/netnut-to-launch-development-of-innovative-web-data-collection-solutions-in-cooperation-with-team-of-elite-intelligence-researchers.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the botnet's ability to establish persistent encrypted connections and reduced the scope of lateral movement, thereby constraining the attacker's reach and impact.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The botnet's ability to establish persistent encrypted connections may have been constrained, limiting its capacity to relay internet traffic for malicious purposes.
Control: Zero Trust Segmentation
Mitigation: Attackers' ability to maintain long-lived encrypted connections for remote control may have been limited, reducing their capacity to manage compromised devices.
Control: East-West Traffic Security
Mitigation: The botnet's ability to utilize compromised devices for routing internet traffic may have been constrained, limiting its capacity to facilitate advertising fraud and data-scraping.
Control: Multicloud Visibility & Control
Mitigation: Attackers' ability to exfiltrate data and execute commands without detection may have been limited, reducing the effectiveness of their command and control operations.
Control: Egress Security & Policy Enforcement
Mitigation: The botnet's ability to exfiltrate data through encrypted channels may have been constrained, limiting unauthorized data transfer.
The overall impact of the botnet, including service disruptions and unauthorized access to sensitive information, may have been reduced due to constrained attacker capabilities.
Impact at a Glance
Affected Business Functions
- Internet Service Provision
- Data Collection Services
- Residential Proxy Services
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of user IP addresses and associated network traffic data.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict device communications and prevent unauthorized lateral movement.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, mitigating data exfiltration risks.
- Deploy Threat Detection & Anomaly Response systems to identify and respond to unusual device behaviors promptly.
- Utilize Multicloud Visibility & Control to gain comprehensive insights into network traffic and detect potential threats.
- Apply Inline IPS (Suricata) to inspect and block malicious traffic patterns, enhancing overall network security.
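As an added example that is not part of the original brief, the following Python script shows one way a defender could hunt for the behaviour described in the Attack Path Analysis and targeted by the anomaly-detection and egress-monitoring recommendations above: a device on a home or IoT segment that holds a very long-lived outbound encrypted session to a single endpoint while also fanning out to dozens of unrelated destinations, which is the traffic shape of a relay node rather than of a streaming box. The flow records, addresses, and thresholds are constructed and assumed for illustration; none of them come from the Popa investigation.

```python
"""Flag devices whose outbound flows look like a proxy/relay node.

Two signals, taken from the incident description: (1) a persistent,
long-lived outbound session to one endpoint (the control/relay channel),
and (2) the device then opening outbound connections to many unrelated
destinations (relayed customer traffic). Requiring both keeps a normal
streaming box, which holds one keepalive session but talks to only a
handful of CDN peers, from being flagged.

Flow records below are constructed samples, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # device address on the home/IoT segment
    dst: str        # remote address
    dport: int      # remote port (443 throughout in the samples)
    start: int      # epoch seconds
    end: int        # epoch seconds
    bytes_out: int  # bytes sent by the device

# Assumed thresholds; tune to the environment being monitored.
LONG_LIVED_SECONDS = 6 * 3600   # a session held open for 6h or more
FANOUT_THRESHOLD = 25           # distinct destinations per device


def summarize(flows):
    """Per-device summary: longest session (and its peer), destination set, bytes out."""
    per_device = defaultdict(lambda: {
        "max_duration": 0, "persistent_peer": None, "dests": set(), "bytes_out": 0})
    for f in flows:
        d = per_device[f.src]
        duration = f.end - f.start
        if duration > d["max_duration"]:
            d["max_duration"] = duration
            d["persistent_peer"] = f.dst
        d["dests"].add(f.dst)
        d["bytes_out"] += f.bytes_out
    return per_device


def flag_relay_candidates(flows, long_lived=LONG_LIVED_SECONDS, fanout=FANOUT_THRESHOLD):
    """Return {device: [reasons]} for devices showing BOTH relay signals."""
    findings = {}
    for src, d in summarize(flows).items():
        reasons = []
        if d["max_duration"] >= long_lived:
            reasons.append(
                f"long-lived session to {d['persistent_peer']} ({d['max_duration'] // 3600}h)")
        if len(d["dests"]) >= fanout:
            reasons.append(f"fan-out to {len(d['dests'])} distinct destinations")
        if len(reasons) == 2:
            findings[src] = reasons
    return findings


def constructed_flows():
    """Constructed sample flows for three devices on one home segment."""
    t0 = 1_750_000_000
    flows = []
    # 192.168.10.21: a normal streaming box. One 8h keepalive session plus
    # five high-volume CDN sessions. Long-lived, but no fan-out.
    flows.append(Flow("192.168.10.21", "203.0.113.10", 443, t0, t0 + 8 * 3600, 20_000))
    for i in range(5):
        flows.append(Flow("192.168.10.21", f"198.51.100.{i}", 443,
                          t0 + i * 600, t0 + i * 600 + 1800, 500_000_000))
    # 192.168.10.37: a TV box behaving like a relay. One 30h session to a
    # single peer, then short connections to 40 unrelated destinations.
    flows.append(Flow("192.168.10.37", "203.0.113.77", 443, t0, t0 + 30 * 3600, 5_000_000))
    for i in range(40):
        flows.append(Flow("192.168.10.37", f"192.0.2.{i}", 443,
                          t0 + i * 60, t0 + i * 60 + 20, 30_000))
    # 192.168.10.50: a laptop browsing widely. Heavy fan-out, but every
    # session is short, so it shows only one of the two signals.
    for i in range(60):
        flows.append(Flow("192.168.10.50", f"198.51.100.{100 + i}", 443,
                          t0 + i * 30, t0 + i * 30 + 10, 80_000))
    return flows


if __name__ == "__main__":
    for device, reasons in flag_relay_candidates(constructed_flows()).items():
        print(f"{device}: " + "; ".join(reasons))
```

Run against the constructed sample, only the second TV box is reported. In practice the flow records would come from the router, firewall, or egress gateway, and a hit is a prompt to inspect the device and the pre-installed software on it, not proof of compromise on its own.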