Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Google and FBI Disrupt NetNut Proxy Network Exploiting Devices

Google and FBI Disrupt NetNut Proxy Network Exploiting Devices

Posted on July 3, 2026 By CWS

In a significant cybersecurity operation, Google has collaborated with the FBI, Lumen Technologies, and other partners to dismantle the NetNut residential proxy network. This network, also known as “Popa,” is believed to have compromised at least two million home devices globally.

Google’s Measures Against NetNut

Google has taken decisive action by disabling Google accounts and services that were exploited by NetNut for malware command-and-control activities, which breached Google’s Terms of Service. In addition, Google shared crucial technical intelligence on NetNut’s software development kits (SDKs) and command-and-control infrastructure with law enforcement and other technology providers to bolster enforcement efforts across the ecosystem.

Further measures included updating Google Play Protect to automatically warn users and disable apps containing NetNut SDKs, thus enhancing security against future threats on Android devices. This move follows Google’s previous efforts in January 2026 to disrupt the IPIDEA proxy network, underscoring a continued commitment to tackling malicious proxy operators.

Investigative Findings on NetNut Operations

Independent investigations by KrebsOnSecurity have directly linked the Popa botnet to NetNut, a subsidiary of the Israeli firm Alarum Technologies Ltd. The Popa botnet functions within the larger Vo1d botnet, specifically targeting unofficial Android-based TV boxes with pirated apps. Qurium, a security firm, traced the control infrastructure of Popa to domains connected to a former NetNut executive, although he denies current involvement.

Analysis by proxy-tracking firm Synthient revealed that outbound traffic from Popa’s SDKs conclusively ties to NetNut clients. Despite Alarum Technologies contesting the botnet label, proxy-tracking service Spur highlighted a lack of robust corporate verification within NetNut’s operations, allowing easy procurement of proxy access.

Broader Implications and Industry Response

According to Lumen’s Black Lotus Labs, the Popa botnet utilizes around 1.5 to 2.5 million IP addresses daily, managed by approximately 250-300 controller domains. This makes it one of the most widely resold proxy networks in cybercrime. Nokia Deepfield researchers suggest that the actual number of devices involved could be significantly higher.

Google’s Threat Intelligence Group observed multiple threat clusters, including cybercriminal and espionage groups, utilizing NetNut’s infrastructure for malicious activities. The infiltration often occurs through pre-installed malware or hidden SDKs in free apps, posing risks to other devices on the same network.

Google advises consumers to avoid apps that offer compensation for unused bandwidth and to ensure devices are certified by Play Protect before purchase. The company emphasizes the interconnected nature of the residential proxy industry, where operators often resell capacity, and calls for continued industry collaboration to combat these threats effectively.

In conclusion, this operation marks another step in Google’s strategy to disrupt harmful proxy networks by enhancing cross-industry intelligence sharing and coordinated blocking of malicious infrastructures.

Cyber Security News Tags:Alarum Technologies, cyber threat, Cybercrime, Cybersecurity, FBI, Google, Google Play Protect, Malware, NetNut, Popa botnet, proxy network, residential proxy, SDK

Post navigation

Previous Post: Hackers Exploit VLC to Deploy ValleyRAT Malware

Related Posts

Salesloft Drift Hacked to Steal OAuth Tokens and Exfiltrate from Salesforce Corporate Instances Salesloft Drift Hacked to Steal OAuth Tokens and Exfiltrate from Salesforce Corporate Instances Cyber Security News
How Malicious AI Hijacks Victim Agents How Malicious AI Hijacks Victim Agents Cyber Security News
New GhostPairing Attack Let Attackers Gain Full Access in WhatsApp with Phone Number New GhostPairing Attack Let Attackers Gain Full Access in WhatsApp with Phone Number Cyber Security News
Chinese Silk Typhoon Hackers Filed 10+ Patents for Highly Intrusive Hacking Tools Chinese Silk Typhoon Hackers Filed 10+ Patents for Highly Intrusive Hacking Tools Cyber Security News
Critical Open WebUI Flaw Enables Easy RCE Attacks Critical Open WebUI Flaw Enables Easy RCE Attacks Cyber Security News
Windows Server 2025 Golden dMSA Attack Enables Authentication Bypass and Password Generation Windows Server 2025 Golden dMSA Attack Enables Authentication Bypass and Password Generation Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Google and FBI Disrupt NetNut Proxy Network Exploiting Devices
  • Hackers Exploit VLC to Deploy ValleyRAT Malware
  • Critical Vulnerability in Claude Cowork Sandbox Exposed
  • Ousaban Malware Targets Iberian Banks with Phishing PDFs
  • Ransomware Groups Exploit Citrix Vulnerability

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Google and FBI Disrupt NetNut Proxy Network Exploiting Devices
  • Hackers Exploit VLC to Deploy ValleyRAT Malware
  • Critical Vulnerability in Claude Cowork Sandbox Exposed
  • Ousaban Malware Targets Iberian Banks with Phishing PDFs
  • Ransomware Groups Exploit Citrix Vulnerability

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark