Vo1d botnet campaign targeting unofficial Android-based TV boxes
Campaign
Summary
The Vo1d campaign continues to target unofficial Android-based TV boxes, keeping a large-scale proxy botnet alive across consumer devices. The operation turns those boxes into relay nodes that can forward traffic for advertising fraud, account takeovers, and mass data-scraping. Researchers say the activity has persisted for four years and spans millions of devices. The scale and persistence make the campaign a broad abuse platform rather than a one-off botnet flare-up.
Related Happenings
Popa botnet forcing consumer TV boxes to relay traffic
Malware Activity
H score 76
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
How related:
For the past four years, a sprawling Android-based botnet called Popa has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts.
About this happening:
The **Popa** botnet has forced **millions of consumer TV boxes** to relay Internet traffic linked to **advertising fraud**, **account takeovers**, and **mass data-scraping efforts**...
Webworm multi-country targeting campaign against government and enterprise victims
Campaign
H score 38
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...
Broad Keitaro TDS abuse across more than 120 campaigns
Trend
H score 33
First: 27.04.2026 09:33
Last: 27.04.2026 09:33
Sources 1
About this happening:
**Keitaro TDS** was abused by **more than 120 distinct campaigns** between **October 2025 and January 2026**, showing a broad recurring pattern of malicious link delivery and spam...
AVRecon malware for Linux powering SocksEscort proxy network
Malware Activity
H score 19
First: 12.03.2026 18:19
Last: 12.03.2026 18:19
Sources 1
About this happening:
The **AVRecon** malware for Linux powered the **SocksEscort** proxy network, turning compromised **Linux-based SOHO routers** into traffic-routing nodes at scale. It was believed...
KadNap botnet turns ASUS routers into residential proxies
Malware Activity
H score 23
First: 10.03.2026 17:01
Last: 10.03.2026 17:01
Sources 1
About this happening:
The **KadNap** botnet is now compromising **ASUS routers** and other edge networking devices, turning them into **residential proxies** that can hide malicious traffic. The networ...
Timeline
18.06.2026 03:00 2 articles · 20h ago
Researchers link the Popa Android botnet to NetNut
Attribution Update
Researchers linked the Popa Android botnet, a plugin component associated with Vo1d-style malware targeting unofficial Android-based TV boxes, to NetNut/Alarum Technologies and said the infrastructure has been used for advertising fraud, account takeovers, and mass data scraping. The analysis also pointed to control domains including gmslb[.]net, safernetwork[.]io, tera-home[.]com, and ninjatech[.]io, while Alarum Technologies disputed the characterization and said the SDKs are designed for bandwidth-sharing rather than malware control.
- ‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm — krebsonsecurity.com — 18.06.2026 20:37