Popa Botnet Exposed: What Australian Businesses Need to Know in 2026
The Popa botnet has been operating in plain sight for four years, secretly hijacking millions of Android TV boxes worldwide to conduct advertising fraud, account takeovers, and large-scale data scraping operations. This week, cybersecurity researchers delivered a bombshell revelation: the Popa botnet is directly linked to NetNut, a residential proxy service operated by Alarum Technologies Ltd, a publicly-traded Israeli company listed on NASDAQ under the ticker ALAR.
For Australian businesses relying on consumer IoT devices and residential network security, this discovery raises urgent questions about supply chain integrity and the hidden dangers lurking in everyday technology products.
What Is the Popa Botnet and How Does It Work?
The Popa botnet represents a sophisticated evolution in cybercriminal infrastructure. Unlike traditional botnets that target computers and servers, Popa specifically compromises Android-based streaming devices and TV boxes—products that millions of Australian households use daily for entertainment.
Once infected, these devices become unwitting participants in a massive proxy network. The botnet forces compromised devices to relay internet traffic, effectively masking the true origin of malicious activities. This technique, known as residential proxying, makes fraudulent traffic appear to originate from legitimate home networks.
Key Capabilities of the Popa Botnet
- Advertising fraud: Generating fake ad impressions and clicks worth millions in stolen revenue
- Account takeover attacks: Bypassing geographic security controls and rate limiting
- Mass data scraping: Harvesting information from websites while evading detection
- Traffic obfuscation: Making malicious traffic appear legitimate to security systems
Source: Krebs on Security – “Popa Botnet Linked to Publicly-Traded Israeli Firm” (June 23, 2026)
How Did Researchers Link Popa to Alarum Technologies?
Multiple independent security research firms collaborated to trace the Popa botnet’s infrastructure back to NetNut, a commercial residential proxy service. NetNut operates as a subsidiary of Alarum Technologies Ltd, giving the botnet an unprecedented connection to a legitimate, publicly-traded corporation.
The investigation revealed several critical findings:
- Network traffic from infected devices routed directly through NetNut’s infrastructure
- Command-and-control servers shared digital certificates and hosting patterns with NetNut operations
- The scale of the proxy network matched NetNut’s advertised residential IP pool size
- Timing correlations between botnet expansion and NetNut’s reported growth metrics
The Residential Proxy Business Model
Residential proxy services have legitimate uses, including market research, ad verification, and accessing geo-restricted content. However, the Popa botnet investigation reveals a darker reality: some providers may source their IP addresses through malware and compromised consumer devices without owners’ knowledge or consent.
Why Should Australian Businesses Be Concerned?
The Popa botnet poses several direct threats to Australian organisations, regardless of whether they use Android TV devices internally.
Direct Security Implications
- Credential stuffing attacks: Account takeover attempts using residential IPs bypass traditional geographic blocking
- Ad fraud losses: Marketing budgets wasted on fraudulent impressions generated through the botnet
- Data integrity risks: Scraped business data could fuel competitive intelligence or further attacks
- Network compromise: Infected devices on corporate networks create internal security gaps
Supply Chain and IoT Risks
Many Australian businesses have embraced smart TVs and streaming devices for digital signage, reception areas, and employee break rooms. These seemingly harmless devices could harbour the Popa botnet, providing attackers with a persistent foothold inside corporate networks.
If you’re concerned about IoT security in your organisation, consider engaging our vulnerability management services to identify and remediate compromised devices.
Actionable Recommendations for Protection
Defending against threats like the Popa botnet requires a multi-layered approach combining technical controls, policy updates, and ongoing vigilance.
Immediate Actions
- Audit all IoT devices on your network, including Android TV boxes and streaming devices
- Segment networks to isolate consumer-grade devices from critical business systems
- Monitor outbound traffic for unusual patterns indicating proxy activity
- Update firmware on all streaming devices and disable automatic app installation
- Implement DNS filtering to block known command-and-control domains
Long-Term Security Measures
- Establish IoT procurement policies requiring security certifications
- Deploy network detection and response (NDR) solutions to identify botnet behaviour
- Conduct regular penetration testing focusing on IoT attack vectors
- Train staff to recognise signs of compromised devices
For organisations requiring expert guidance, speak with our security team about developing a comprehensive IoT security strategy.
Frequently Asked Questions
What is the Popa botnet?
The Popa botnet is a large-scale network of compromised Android TV boxes and streaming devices that has operated since approximately 2022. It forces infected devices to relay internet traffic for malicious purposes, including advertising fraud, account takeovers, and data scraping. Researchers have linked it to NetNut, a residential proxy service owned by publicly-traded Alarum Technologies.
How can I tell if my devices are part of a botnet?
Signs of botnet infection include unusual network activity, slower device performance, unexpected data usage, and devices becoming warm when not actively in use. Network monitoring tools can detect suspicious outbound connections to known malicious infrastructure. Professional security assessments provide the most reliable detection method.
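As an added example (not code from the article or from the researchers it cites), the following Python script implements the outbound-traffic check from the Immediate Actions list and the FAQ answer above: it parses constructed flow records and flags hosts whose profile looks like a proxy relay rather than a streaming client. The field layout, IP addresses and thresholds are assumptions to be tuned against a baseline of your own devices.

```python
from collections import defaultdict

# Constructed sample flow records (not from the article): one line per outbound
# flow, as a firewall or NetFlow export might summarise them for an IoT VLAN.
# Fields: src_ip dst_ip dst_port bytes_out bytes_in
# 10.20.5.11 behaves like a streaming box (few CDN hosts, download-heavy);
# 10.20.5.12 behaves like a relay (many destinations, symmetric volume).
SAMPLE_FLOWS = """\
10.20.5.11 203.0.113.10 443 18000 9500000
10.20.5.11 203.0.113.11 443 12000 7200000
10.20.5.11 203.0.113.10 443 9000 4100000
10.20.5.12 198.51.100.5 443 250000 240000
10.20.5.12 198.51.100.77 80 180000 175000
10.20.5.12 198.51.100.23 8080 90000 95000
10.20.5.12 192.0.2.44 443 300000 310000
10.20.5.12 192.0.2.45 443 120000 118000
10.20.5.12 192.0.2.46 443 210000 205000
10.20.5.12 198.51.100.9 443 75000 70000
10.20.5.12 192.0.2.47 443 60000 62000
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (src, dst, port, out, in)."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, port, out_b, in_b = line.split()
        flows.append((src, dst, int(port), int(out_b), int(in_b)))
    return flows


def relay_suspects(flows, min_dests=5, min_ratio=0.5):
    """Return {src_ip: stats} for hosts that look like proxy relays: many
    distinct (dst, port) pairs and outbound bytes comparable to inbound bytes.
    A legitimate streaming device pulls far more than it pushes, from a handful
    of CDN hosts. Thresholds are assumed defaults, not published indicators."""
    dests, out_b, in_b = defaultdict(set), defaultdict(int), defaultdict(int)
    for src, dst, port, o, i in flows:
        dests[src].add((dst, port))
        out_b[src] += o
        in_b[src] += i
    suspects = {}
    for src, targets in dests.items():
        ratio = out_b[src] / max(in_b[src], 1)
        if len(targets) >= min_dests and ratio >= min_ratio:
            suspects[src] = {"distinct_dests": len(targets),
                             "out_in_ratio": round(ratio, 2)}
    return suspects


if __name__ == "__main__":
    print(relay_suspects(parse_flows(SAMPLE_FLOWS)))
```

Feed it a real export in the same five-column form (or adapt parse_flows to your collector's format) and review the flagged hosts against the device inventory from the audit step.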
How can Australian businesses protect against residential proxy attacks?
Businesses should implement multi-factor authentication, behavioural analytics for login attempts, and device fingerprinting beyond IP-based controls. Since residential proxies make malicious traffic appear legitimate, traditional IP reputation systems alone are insufficient. Advanced bot management solutions can identify proxy traffic patterns regardless of source IP addresses.
Key Takeaways
- The Popa botnet has compromised millions of Android TV devices globally over four years
- Security researchers have linked the botnet to Alarum Technologies Ltd (NASDAQ: ALAR) through its NetNut subsidiary
- Infected devices conduct advertising fraud, account takeovers, and data scraping operations
- Australian businesses face risks from both direct attacks and potentially compromised IoT devices
- Protection requires network segmentation, traffic monitoring, and comprehensive IoT security policies
Conclusion
The Popa botnet revelation represents a watershed moment in cybersecurity—the first documented case linking a major botnet operation to a publicly-traded company. For Australian businesses, this discovery underscores the critical importance of treating every connected device as a potential security risk.
As IoT adoption continues accelerating, organisations must evolve their security postures beyond traditional endpoint protection. The Popa botnet demonstrates that attackers will exploit any available pathway, even seemingly innocuous entertainment devices, to achieve their objectives.
Taking proactive steps today—auditing devices, segmenting networks, and implementing robust monitoring—can prevent your organisation from becoming an unwitting participant in the next major botnet operation.
