
For the past four years, a massive Android-based botnet called Popa has been forcing millions of consumer TV boxes to route internet traffic associated with ad fraud, account takeover, and massive data scraping operations. Researchers from multiple cybersecurity firms have concluded that this botnet is directly linked to NetNut, a subsidiary of Alarum Technologies, a publicly traded Israeli company. NetNut operates as a 'residential proxy' provider, using real home devices to hide its clients' internet traffic. Unlike traditional botnets, the Popa botnet serves a specific purpose rather than engaging in destructive activities such as distributed denial-of-service (DDoS) attacks. This purpose is to establish a persistent communication layer to register devices, maintain long-term encrypted connections, and optionally open communication tunnels.
Security experts note that Popa is an add-on component associated with the Vo1d botnet, a widespread malware campaign targeting unofficial Android-based TV boxes. Sold under thousands of different brand and model names and easily found on popular e-commerce sites, these devices are often marketed with the promise of watching hundreds of subscription video services for a one-time upfront payment. However, as the FBI and cybersecurity experts have repeatedly warned, these streaming boxes often contain malware that unknowingly turns the user's television into a 'residential proxy.' This allows anyone to route internet traffic through the device as long as it remains plugged in and connected to the internet. Even more concerning is the fact that these proxy networks do not take adequate precautions to prevent malicious users from communicating with or compromising systems within the device owner's local network.
The first clues regarding the origins of the Popa botnet emerged in a report by the Chinese security company XLAB, which identified at least nine domain names used to record and direct the activities of compromised devices. The security firm Qurium, in a report published today, stated that it encountered some of the same domain names while investigating a series of destructive and costly data scraping events targeting its hosted organizations in May 2026. According to Qurium's research, this data scraping operation was distributed equally across more than 1.4 million internet addresses. The company stated that it found dozens of domain names, such as gmslb, safernetwork, tera-home, and ninjatech, which were synchronized across multiple IP addresses over time to control the Popa botnet. In in-depth investigations, the gmslb domain was found to be referenced in dozens of pirate or modified video content streaming applications, such as CRICFy, DooFlix, and RTS Tv.
According to Qurium's report, most of the long-used domain names employed to control the Popa botnet were seized or taken down in July following a partnership between Google, HUMAN Security, and Trend Micro to dismantle the Badbox 2.0 botnet, which is closely associated with Vo1d. Immediately after this operation, dozens of new domain names were registered and activated to rebuild the botnet's control mechanisms. However, it was revealed that one of the control domain names used during the setup process was not new, but rather the previously utilized ninjatech.io. The company Ninjatech was founded by Moishi Kramer, who, according to his LinkedIn profile, served as the Vice President of Research and Development at NetNut. Kramer's resume states that before the company was acquired by NetNut, he built this infrastructure from scratch, designed its architecture, and scaled the system.
Security researchers believe that the seized botnet infrastructure used hardware infected with malicious software to establish a massive proxy network. Company information available on the job search platform F6S confirms that Ninjatech's operations are clearly built around operating a proxy infrastructure. These connections demonstrate how deeply and intricately cybercrime operations can intertwine with publicly traded and seemingly legitimate companies. By infiltrating home networks through users' lack of awareness, these devices continue to pose serious threats to both individual privacy and corporate security. Experts continue to warn consumers against purchasing such suspicious and unlicensed broadcasting devices and advise them to stop using them.
この記事について質問
回答はこの記事のみからAIが生成します。