Residential proxy traffic evades IP reputation feeds across malicious edge sessions
Target Trend
Summary
Residential proxy traffic is increasingly evading IP reputation feeds, weakening source-based visibility into malicious edge activity. In a 4 billion-session measurement, 78% of residential-proxy-like sessions were invisible to reputation systems. The traffic appears across 683 ISPs and is used mostly for scanning and reconnaissance, not just exploitation. Defenders are being pushed toward behavior-based detection because rotating residential IPs age out of reputation lists quickly.
Related Happenings
Citrix NetScaler reconnaissance scanning and version-enumeration campaign
Campaign
First: 03.02.2026 22:25
Last: 03.02.2026 22:25
Sources 1
About this happening:
A **Citrix NetScaler** reconnaissance campaign used **residential proxies** and **63,189 distinct IPs** between **January 28 and February 2** to map exposed login panels and EPA a...
IPIDEA trojanized Android apps and Windows binaries enrolling devices into a proxy network
Malware Activity
First: 29.01.2026 21:29
Last: 29.01.2026 21:29
Sources 1
About this happening:
The **IPIDEA** proxy network used **trojanized Android apps** and **Windows binaries** to enroll consumer devices as proxy exit nodes, creating a large-scale traffic-routing threa...
Bizarre Bazaar campaign targeting exposed LLM and MCP endpoints
Campaign
First: 28.01.2026 15:15
Last: 28.01.2026 15:15
Sources 1
About this happening:
**Bizarre Bazaar** is an active **LLMjacking** campaign targeting **exposed LLM and MCP endpoints** to monetize unauthorized access to AI infrastructure. Researchers say the opera...
Latest development: 29.01.2026 20:37
Researchers said Operation Bizarre Bazaar, an LLMjacking marketplace that scans for exposed Ollama, vLLM, and OpenAI-compatible APIs without authentication and resells access through silver[.]inc, has been traced to Hecker (aka Sakuya and LiveGamer101).
Kimwolf botnet expands through residential proxy abuse
Malware Activity
First: 02.01.2026 16:20
Last: 02.01.2026 16:20
Sources 1
About this happening:
The **Kimwolf** **IoT botnet** continues to expand through abuse of **residential proxy services** such as **IPIDEA**, which it uses to relay malicious traffic, scan local network...
Latest development: 29.01.2026 19:15
Google Threat Intelligence Group and partners coordinated court action and technical enforcement to disrupt IPIDEA, a residential proxy network whose SDKs were used to enroll devices into Kimwolf and other botnets. Google said it took down domains used to command infected devices and manage proxy traffic, and Google Play Protect now alerts users, removes apps containing IPIDEA SDKs, and blocks future installation attempts on certified Android devices.
Palo Alto GlobalProtect login-attempt and SonicWall SonicOS scanning campaign
Campaign
First: 06.12.2025 17:18
Last: 06.12.2025 17:18
Sources 1
About this happening:
A **credential-based campaign** is hitting **Palo Alto GlobalProtect portals** and **SonicWall SonicOS API endpoints**, creating broad reconnaissance risk across remote-access and...
Timeline
02.04.2026 18:21 (2 articles)
GreyNoise analysis shows residential proxies evade IP reputation feeds
Technical Analysis Update
GreyNoise analysis of 4 billion malicious sessions targeting the edge over a three-month period found that residential proxies undermine IP reputation systems because the IPs are short-lived, systematically rotated, and often invisible to reputation feeds. Roughly 39% of the sessions appeared to come from home networks, the addresses spanned 683 internet service providers, and the traffic was used mostly for scanning and reconnaissance rather than exploitation. GreyNoise recommends behavior-based detection, sequential probing detection, blocking clearly illegitimate protocols such as SMB from ISP space, and device fingerprinting that survives IP rotation.
- Residential proxies evaded IP reputation checks in 78% of 4B sessions — www.bleepingcomputer.com — 02.04.2026 18:21
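The detection approach the GreyNoise entry recommends, as an added example that is not from the page or from GreyNoise: compare what an IP-only reputation feed catches against grouping sessions by a client fingerprint that survives IP rotation, and separately flag protocols that do not belong on consumer ISP space. The session log, fingerprint labels, network classification and reputation feed are all constructed for the example.

```python
from collections import defaultdict

# Constructed edge-session log (not real data). Each entry is
# (ts, src_ip, network_type, protocol, client_fingerprint, path).
# fp-A is one scanner walking several paths while rotating residential IPs.
SESSIONS = [
    (1, "203.0.113.10", "isp", "https", "fp-A", "/login"),
    (2, "203.0.113.77", "isp", "https", "fp-A", "/admin"),
    (3, "198.51.100.5", "isp", "https", "fp-A", "/api/version"),
    (4, "198.51.100.9", "isp", "https", "fp-A", "/vpn"),
    (5, "192.0.2.44", "isp", "smb", "fp-C", "-"),
    (6, "192.0.2.60", "hosting", "https", "fp-B", "/login"),
    (7, "192.0.2.61", "isp", "https", "fp-B", "/login"),
]

# Hypothetical reputation feed: only one of the rotating addresses is listed,
# which is the aging-out problem the analysis describes.
REPUTATION_FEED = {"203.0.113.10"}


def reputation_hits(sessions):
    """Fraction of sessions an IP-only blocklist would have flagged."""
    hits = sum(1 for s in sessions if s[1] in REPUTATION_FEED)
    return hits / len(sessions)


def rotating_probers(sessions, min_ips=3, min_paths=3):
    """Behaviour-based check: key on the client fingerprint instead of the
    source IP and flag fingerprints that probe many distinct paths from
    many distinct addresses (sequential probing across IP rotation)."""
    ips, paths = defaultdict(set), defaultdict(set)
    for _, ip, _, _, fp, path in sessions:
        ips[fp].add(ip)
        paths[fp].add(path)
    return sorted(fp for fp in ips
                  if len(ips[fp]) >= min_ips and len(paths[fp]) >= min_paths)


def illegitimate_from_isp(sessions, blocked=("smb",)):
    """Source IPs sending protocols that have no legitimate reason to
    arrive from consumer ISP space; candidates for an outright block."""
    return [ip for _, ip, net, proto, _, _ in sessions
            if net == "isp" and proto in blocked]


if __name__ == "__main__":
    print("reputation feed caught:", round(reputation_hits(SESSIONS), 2))
    print("fingerprints probing across rotated IPs:", rotating_probers(SESSIONS))
    print("blocked-protocol sources in ISP space:", illegitimate_from_isp(SESSIONS))
```

The feed flags one session in seven, while the fingerprint grouping attributes all four rotating sessions to the same client; a real deployment would key on a TLS or HTTP client fingerprint and on ASN-derived network type rather than the constructed labels here.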