Residential proxy traffic evades IP reputation feeds across malicious edge sessions
Trend
Summary
Hide ▲
Show ▼
Residential proxy traffic is increasingly evading IP reputation feeds, weakening source-based visibility into malicious edge activity. In a 4 billion-session measurement, 78% of residential-proxy-like sessions were invisible to reputation systems. The traffic appears across 683 ISPs and is used mostly for scanning and reconnaissance, not just exploitation. Defenders are being pushed toward behavior-based detection because rotating residential IPs age out of reputation lists quickly.
Related Happenings
Popa botnet forcing consumer TV boxes to relay traffic
Malware Activity
H score76
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Popa botnet forcing consumer TV boxes to relay traffic
Malware ActivityAbout this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Latest development: 03.07.2026 12:35
Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.
Vo1d botnet campaign targeting unofficial Android-based TV boxes
Campaign
H score88
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...
Vo1d botnet campaign targeting unofficial Android-based TV boxes
CampaignAbout this happening: **NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...
Latest development: 03.07.2026 12:35
Google disabled all Google accounts used by NetNut for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing the compromised SDKs. The FBI’s seizure banner appeared on netnut.com while netnut.io briefly remained accessible, and Google said the coordinated actions caused significant degradation to NetNut’s proxy network and business operations.
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector Action
H score66
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
About this happening:
**NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector ActionAbout this happening: **NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
China-nexus hijacked-device proxy network campaign
Campaign
H score43
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
About this happening:
**China-nexus** hackers are using **JDY**, a covert **SOHO/IoT** reconnaissance network, to expand **targeted scanning** and **service fingerprinting** across exposed infrastructu...
China-nexus hijacked-device proxy network campaign
CampaignAbout this happening: **China-nexus** hackers are using **JDY**, a covert **SOHO/IoT** reconnaissance network, to expand **targeted scanning** and **service fingerprinting** across exposed infrastructu...
Citrix NetScaler reconnaissance scanning and version-enumeration campaign
Campaign
H score29
First: 03.02.2026 22:25
Last: 03.02.2026 22:25
Sources 1
About this happening:
A **Citrix NetScaler** reconnaissance campaign used **residential proxies** and **63,189 distinct IPs** between **January 28 and February 2** to map exposed login panels and EPA a...
Citrix NetScaler reconnaissance scanning and version-enumeration campaign
CampaignAbout this happening: A **Citrix NetScaler** reconnaissance campaign used **residential proxies** and **63,189 distinct IPs** between **January 28 and February 2** to map exposed login panels and EPA a...
Timeline
-
02.04.2026 18:21 3 articles · 3mo ago
GreyNoise analysis shows residential proxies evade IP reputation feeds
Technical Analysis UpdateGreyNoise analysis of 4 billion malicious sessions targeting the edge over a three-month period found that residential proxies undermine IP reputation systems because the IPs are short-lived, systematically rotated, and often invisible to reputation feeds. Roughly 39% of the sessions appeared to come from home networks, the addresses spanned 683 internet service providers, and the traffic was used mostly for scanning and reconnaissance rather than exploitation. GreyNoise recommends behavior-based detection, sequential probing detection, blocking clearly illegitimate protocols such as SMB from ISP space, and device fingerprinting that survives IP rotation.
Show sources
- Residential proxies evaded IP reputation checks in 78% of 4B sessions — www.bleepingcomputer.com — 02.04.2026 18:21
- Residential proxies evaded IP reputation checks in 78% of 4B sessions — www.bleepingcomputer.com — 02.04.2026 18:21
- Survey: 94% of Incidents Involve Anonymized Infrastructure. Teams Are Still Reactive — thehackernews.com — 16.06.2026 14:30