Popa botnet forcing consumer TV boxes to relay traffic
Malware Activity
Summary
The Popa botnet has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. The activity has persisted for four years, making it a long-lived proxy layer rather than a short burst of abuse. The scale increases the risk of traffic laundering, downstream misuse, and attribution confusion for affected sites and network defenders.
Related Happenings
Vo1d botnet campaign targeting unofficial Android-based TV boxes
Campaign
H score: 88
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
How related:
Experts say Popa is a plugin component associated with the Vo1d botnet, a large-scale malware campaign targeting unofficial Android-based TV boxes.
About this happening:
The **Vo1d** campaign continues to target **unofficial Android-based TV boxes**, keeping a large-scale proxy botnet alive across consumer devices. The operation turns those boxes...
Broad Keitaro TDS abuse across more than 120 campaigns
Trend
H score: 33
First: 27.04.2026 09:33
Last: 27.04.2026 09:33
Sources 1
About this happening:
**Keitaro TDS** was abused by **more than 120 distinct campaigns** between **October 2025 and January 2026**, showing a broad recurring pattern of malicious link delivery and spam...
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector Action
H score: 66
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
About this happening:
**NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
Triad Nexus expands fraud ecosystem and shifts into emerging markets after 2025 US sanctions
Threat Actor Meta
H score: 43
First: 14.04.2026 15:00
Last: 14.04.2026 15:00
Sources 1
About this happening:
**Triad Nexus** expanded its fraud ecosystem after **US Treasury sanctions in 2025**, increasing operational scale and shifting into **emerging markets**. The network’s use of **U...
Residential proxy traffic evades IP reputation feeds across malicious edge sessions
Trend
H score: 30
First: 02.04.2026 18:21
Last: 02.04.2026 18:21
Sources 1
About this happening:
Residential proxy traffic is increasingly evading **IP reputation feeds**, weakening source-based visibility into malicious edge activity. In a **4 billion-session** measurement,...
Timeline
18.06.2026 20:37 · 2 articles
Popa botnet forcing consumer TV boxes to relay traffic
Initial Disclosure
The activity began as a persistent **Android botnet** layer on consumer TV boxes and developed into a large relay network for fraud and scraping. Its core function is to register devices, maintain encrypted connectivity, and open tunnels on demand.
Sources:
- ‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm — krebsonsecurity.com — 18.06.2026 20:37