Google says it has significantly disrupted the NetNut botnet, a massive residential proxy network that cybercriminals and espionage groups allegedly used to hide malicious activity online. Working alongside the FBI, Lumen Technologies, and other partners, the company targeted the infrastructure that controlled the network and estimates the operation affected a botnet spanning roughly 2 million internet-connected devices.

According to Google, the disruption represents another major effort to weaken the growing ecosystem of residential proxy services that enable cyberattacks.

Google Targets NetNut Command Infrastructure

The Google Threat Intelligence Group (GTIG) announced the operation on Thursday, explaining that it disabled Google accounts and services used to manage the NetNut botnet’s command-and-control infrastructure.

Google also shared technical intelligence about NetNut’s software development kits (SDKs) and backend systems with law enforcement agencies, technology companies, and cybersecurity researchers to support the broader investigation.

The latest action builds on Google’s January disruption of the IPIDEA residential proxy network.

During one week in June, GTIG identified 316 separate threat clusters using suspected NetNut exit nodes. Those groups included financially motivated cybercriminals as well as state-backed espionage operators.

Millions of Devices Powered the Residential Proxy Network

Google believes the operation relied on approximately 2 million devices spread across homes around the world.

By disabling access to Google services, the company says it significantly reduced the number of devices available to the proxy operator and disrupted its business operations.

Google also warned that NetNut’s infrastructure extends well beyond its own brand.

The service operates a reseller program that allows customers to white-label access to the network. As a result, multiple residential proxy providers may actually rely on the same underlying infrastructure while presenting themselves as independent companies.

Google expects the disruption to affect numerous services connected to the broader residential proxy ecosystem.

Why Residential Proxy Botnets Create Security Risks

Residential proxy services route internet traffic through ordinary consumer internet connections rather than traditional data centers.

Cybercriminals exploit those networks to disguise the true origin of malicious traffic, making attacks appear to come from legitimate residential IP addresses.

According to Google, operators typically expand these networks by embedding proxy software inside mobile apps or internet-connected consumer devices.

In some cases, users unknowingly install applications containing hidden proxy code. Other infected devices reportedly arrive with malware already installed before consumers purchase them.

GTIG says threat actors used the NetNut botnet to conceal their locations while conducting password spraying attacks and communicating with command-and-control infrastructure.

Researchers also linked components of the botnet to several other malware operations, including the previously disrupted BadBox 2.0 campaign that targeted low-cost Android devices and other consumer hardware.

Google Warns the Residential Proxy Market Continues to Grow

Although law enforcement and technology companies continue disrupting major proxy networks, Google believes the residential proxy industry is expanding rapidly.

The company says NetNut commonly spread through SDKs embedded in devices such as smart TVs and streaming boxes. Public reporting has also connected the operation to Mirai-based DDoS botnet infections.

Google advises users to avoid applications that promise payment in exchange for sharing unused internet bandwidth, as those offers often serve as a gateway for residential proxy malware.

The company also recommends downloading apps only from trusted stores, carefully reviewing permissions requested by VPN and proxy applications, and keeping built-in protections such as Google Play Protect enabled.

Google confirmed that Play Protect already blocks known applications containing NetNut SDKs and will continue preventing future installation attempts as new threats emerge.

