{"id":3754,"date":"2026-06-18T18:03:52","date_gmt":"2026-06-18T18:03:52","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/18\/popa-botnet-linked-to-publicly-traded-israeli-firm\/"},"modified":"2026-06-18T18:03:52","modified_gmt":"2026-06-18T18:03:52","slug":"popa-botnet-linked-to-publicly-traded-israeli-firm","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/18\/popa-botnet-linked-to-publicly-traded-israeli-firm\/","title":{"rendered":"\u2018Popa\u2019 Botnet Linked to Publicly-Traded Israeli Firm"},"content":{"rendered":"<div>\n<p>For the past four years, a sprawling Android-based botnet called <strong>Popa<\/strong> has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. This week, researchers from multiple security firms concluded that the Popa botnet is linked to <strong>NetNut<\/strong>, a \u201cresidential proxy\u201d provider operated by the publicly-traded Israeli firm <strong>Alarum Technologies Ltd <\/strong>[NASDAQ: ALAR].<\/p>\n<div id=\"attachment_73857\" style=\"width: 759px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" aria-describedby=\"caption-attachment-73857\" decoding=\"async\" class=\" wp-image-73857\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/tvboxes-proxy.png\" alt=\"Malicious streaming devices sold online that enroll the user's home Internet address in a residential proxy service. Image: Synthient. 
Pictured are 8 different TV boxes, including the X96 Mini Box, stick, and other no-name brands.\" width=\"749\" height=\"311\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/tvboxes-proxy.png 990w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/tvboxes-proxy-768x319.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/tvboxes-proxy-782x325.png 782w\" sizes=\"auto, (max-width: 749px) 100vw, 749px\"><\/p>\n<p id=\"caption-attachment-73857\" class=\"wp-caption-text\">Malicious streaming devices sold online that enroll the user\u2019s home Internet address in a residential proxy service. Image: HUMAN Security.<\/p>\n<\/div>\n<p>Popa is a massive botnet, but by all accounts it is unlike traditional botnets that enlist compromised systems in destructive activities, such as coordinating huge distributed denial-of-service attacks. Rather, Popa appears designed with a singular purpose: Implementing a persistent communications layer capable of registering a device, maintaining long-lived encrypted connections, and opening communication tunnels on demand.<\/p>\n<p>Experts say Popa is a plugin component associated with the <strong>Vo1d<\/strong> botnet, a large-scale malware campaign targeting unofficial Android-based TV boxes. 
These devices, which are marketed under thousands of brand names and model numbers and are broadly available for purchase at top e-commerce destinations, all advertise the ability to stream hundreds of subscription video services for an upfront one-time fee.<\/p>\n<p>But as the FBI and security industry experts have warned repeatedly, these streaming boxes typically <a href=\"https:\/\/krebsonsecurity.com\/2025\/11\/is-your-android-tv-streaming-box-part-of-a-botnet\/\" target=\"_blank\" rel=\"noopener\">bundle or come pre-installed with software<\/a> that turns the user\u2019s TV into a \u201c<a href=\"https:\/\/synthient.com\/blog\/who-are-the-victims-of-residential-proxies\" target=\"_blank\" rel=\"noopener\">residential proxy<\/a>\u201d \u2014 allowing anyone to route their Internet traffic through that device for as long as it remains plugged into a wall socket and connected to a local network. More concerning, some of these proxy networks do little to stop malicious customers from communicating with and even compromising systems on the local network of the unsuspecting device owner.<\/p>\n<p>The first clues about Popa\u2019s origins came in <a href=\"https:\/\/blog.xlab.qianxin.com\/long-live-the-vo1d_botnet\/\" target=\"_blank\" rel=\"noopener\">a 2025 report<\/a> from the Chinese security company <strong>XLAB<\/strong>, which flagged at least nine domain names that were used to register and direct the activities of compromised devices. 
In <a href=\"https:\/\/www.qurium.org\/forensics\/finding-popa\/\" target=\"_blank\" rel=\"noopener\">a report<\/a> released today, the security firm <strong>Qurium<\/strong> described how it stumbled on some of those same domains while investigating a series of disruptive and expensive data scraping events targeting the company\u2019s hosted organizations in May 2026, in which the scraping activity was scattered evenly across more than 1.4 million Internet addresses.<\/p>\n<p>Qurium said it found several dozen domains used to control Popa that were all hosted in lockstep across multiple Internet addresses over time, including <strong>gmslb[.]net<\/strong>, safernetwork[.]io, tera-home[.]com, and <strong>ninjatech[.]io<\/strong>. Digging deeper, Qurium discovered gmslb[.]net was referenced in dozens of pirated or modded video content streaming apps, such as <strong>CRICFy<\/strong>, <strong>DooFlix<\/strong>, <strong>Sprozfy<\/strong>, <strong>RTS Tv<\/strong>, <strong>Flixoid<\/strong>, <strong>CyberFlix<\/strong>, <strong>Rapid Streamz<\/strong>, <strong>TvMob<\/strong> and <strong>HD\/OceanStreams<\/strong>.<\/p>\n<p>Qurium\u2019s report notes that most of the domains long used to control the Popa botnet were <a href=\"https:\/\/blog.google\/innovation-and-ai\/technology\/safety-security\/google-taking-legal-action-against-the-badbox-20-botnet\/\" target=\"_blank\" rel=\"noopener\">seized or dismantled in July 2025<\/a>, after <strong>Google<\/strong>, <strong>HUMAN Security<\/strong> and <strong>Trend Micro<\/strong> teamed up to disrupt <strong>Badbox 2.0<\/strong>, a botnet that is closely associated with Vo1d. 
Qurium said that immediately after that disruption, several dozen new domains were registered to serve as controllers for the Popa botnet, but that one of those control domains was not new: <strong>ninjatech[.]io<\/strong>.<\/p>\n<p>Ninjatech is a company founded by <strong>Moishi Kramer<\/strong>, whose <a href=\"https:\/\/www.linkedin.com\/in\/moishikramer\/\" target=\"_blank\" rel=\"noopener\">LinkedIn profile<\/a> says he is vice president of research and development at NetNut. That resume credits Kramer for helping NetNut to build from the \u201cground up,\u201d \u201cdesigning the architecture,\u201d and \u201cscaling the NetNut\u201d before the company was acquired by Alarum Technologies. A self-created listing at the job board <strong>F6S<\/strong> <a href=\"https:\/\/www.f6s.com\/company\/ninjatech.io\" target=\"_blank\" rel=\"noopener\">references Kramer<\/a> as the sole owner of the Ninjatech domain (a screen capture of it is pictured below).<\/p>\n<div id=\"attachment_73842\" style=\"width: 758px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-73842\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-73842\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/f6s-kramer-1.png\" alt=\"\" width=\"748\" height=\"589\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/f6s-kramer-1.png 1167w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/f6s-kramer-1-768x605.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/f6s-kramer-1-782x616.png 782w\" sizes=\"auto, (max-width: 748px) 100vw, 748px\"><\/p>\n<p id=\"caption-attachment-73842\" class=\"wp-caption-text\">Image: F6S.com.<\/p>\n<\/div>\n<p>Responding via email, Mr. 
Kramer said Ninjatech ceased operations approximately five years ago, when the company sold a software development kit (SDK) called Popa that was designed to use a small portion of a device\u2019s bandwidth and to run only after the host application obtained user consent.<\/p>\n<p>\u201cThat code was sold and licensed to third parties including resellers years ago,\u201d Kramer said. \u201cOnce software is distributed that way, the original developer has no control over how others later modify, rebrand, or deploy it.\u201d<\/p>\n<p>Kramer said neither he nor NetNut builds, operates or maintains the infrastructure being described as Popa, nor does he control the Ninjatech domain.<\/p>\n<p>\u201cI didn\u2019t register the June 2025 domains you mention, and I don\u2019t know who did,\u201d he continued. \u201cI have no control over, or visibility into, that infrastructure. I can only tell you it isn\u2019t operated by me or by NetNut.\u201d<\/p>\n<p>But in <a href=\"https:\/\/synthient.com\/blog\/popa-from-sourcing-to-distribution\" target=\"_blank\" rel=\"noopener\">a separate Popa research report<\/a> released today, the proxy-tracking company <strong>Synthient<\/strong> said a recent analysis of the Popa SDK revealed outbound traffic clearly associated with NetNut.<\/p>\n<p>\u201cThe research team assesses with high confidence that devices running Popa forward traffic from Netnut clients,\u201d Synthient wrote. 
\u201cThis proves without a shadow of a doubt that Popa actively continues to be used by NetNut as part of their proxy pool.\u201d<\/p>\n<div id=\"attachment_73854\" style=\"width: 758px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-73854\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-73854\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/synthient-flixview.png\" alt=\"\" width=\"748\" height=\"607\"><\/p>\n<p id=\"caption-attachment-73854\" class=\"wp-caption-text\">Synthient\u2019s platform receiving outbound traffic from Popa. Image: Synthient.com.<\/p>\n<\/div>\n<p>Alarum Technologies, NetNut\u2019s Tel Aviv-based parent company, said the reports by Synthient and Qurium contained \u201cdemonstrably inaccurate assertions and flawed deductions rather than verified facts.\u201d Alarum shared a statement saying they reject the basic characterization of the SDKs and technologies discussed in the reports as a \u201cbotnet.\u201d<\/p>\n<p>\u201cThe SDKs at issue are designed to facilitate bandwidth-sharing functionality and do not transform user devices into malware-controlled systems or otherwise compromise the devices on which they operate,\u201d the statement reads. 
\u201cNetnut operates a commercial proxy network and maintains policies, procedures, and technological measures designed to promote lawful and responsible use of its services.\u201d<\/p>\n<p>Alarum said NetNut places \u201csignificant emphasis on appropriate notice and consent mechanisms, conducts customer due diligence, monitors for potential misuse, and takes steps intended to detect and mitigate suspicious or unauthorized activity.\u201d<\/p>\n<p>\u201cThis method of operation is supported both by internal procedures and policies, including performing KYC checks and additional due diligence of NetNut\u2019s customers, as well as employing various technological measures, designed to assist in identifying and addressing suspected misuse of the network,\u201d their statement continued.<\/p>\n<p>However, in a report released on June 8, the proxy tracking service <strong>Spur<\/strong> asserted that NetNut does not require corporate verification or meaningful \u201cknow your customer\u201d procedures before allowing customers to purchase proxy access.<\/p>\n<p>\u201cAn individual can sign up, pay, and route traffic through partner address space, including space belonging to institutions whose users never opted in,\u201d Spur <a href=\"https:\/\/spur.us\/blog\/how-proxy-providers-co-opt-entire-networks\" target=\"_blank\" rel=\"noopener\">wrote<\/a>. \u201cThe \u2018verified corporations only\u2019 claim is simply marketing for bandwidth sellers, not an access control on who actually uses the proxies.\u201d<\/p>\n<p>\u201cNor is NetNut the only front door,\u201d Spur continued. \u201cA number of downstream white labelers and resellers repackage the same ISP proxy pool under their own brands. These outlets typically perform no KYC at all, less scrutiny than NetNut itself, who at the very least might assign an account manager to potential users. 
Anyone who knows where to look can buy access through a reseller with nothing more than a burner email address and $5 in crypto.\u201d<\/p>\n<p>Synthient found that although the most recent builds of Popa (as of three months ago) have added the ability to ask the user for consent before installing proxy components, not all variants or previous versions of Popa contain this functionality.<\/p>\n<p>\u201cOf the over 20 genuine Popa publishers analyzed, none of them were observed asking for user consent,\u201d Synthient wrote.<span id=\"more-73832\"><\/span><\/p>\n<h2>THE PREVALENCE OF POPA<\/h2>\n<p><strong>Chris Formosa<\/strong> is senior lead information security engineer for <strong>Black Lotus Labs<\/strong>, a division of the Internet backbone carrier <strong>Lumen Technologies<\/strong>.<\/p>\n<p>\u201cWhat especially makes Popa dangerous is just how widely used NetNut is for reselling and sharing,\u201d Formosa said, explaining that many other proxy services simply resell NetNut proxies rather than building out their own far-flung proxy networks. \u201cSo these Popa IPs appear in tons of different services all over the ecosystem, which makes it one of the most problematic and dangerous proxy botnets on the market currently.\u201d<\/p>\n<p>Formosa said the Popa botnet averages between 1.5 million and 2.5 million distinct IP addresses each day, relying on between 250 and 300 Internet addresses that are used to direct its activities.<\/p>\n<p>\u201cThat\u2019s why Popa is so dangerous,\u201d Formosa said. 
\u201cIt may not be the largest botnet we have seen, but it is spread all over the industry, making its power very amplified.\u201d<\/p>\n<p>Formosa said while that makes Popa one of the larger botnets out there today, its numbers pale in comparison to those previously boasted by <a href=\"https:\/\/krebsonsecurity.com\/tag\/ipidea\/\" target=\"_blank\" rel=\"noopener\">IPIDEA<\/a>, a China-based proxy provider that until recently operated a daily pool of nearly 10 million devices that they resold as proxies to anyone. In January 2026, Synthient <a href=\"https:\/\/krebsonsecurity.com\/2026\/01\/the-kimwolf-botnet-is-stalking-your-local-network\/\" target=\"_blank\" rel=\"noopener\">published research<\/a> showing that multiple new large DDoS botnets had grown rapidly by tunneling through IPIDEA proxies into the local networks of unsuspecting TV box owners and infecting other Android-based devices behind the user\u2019s firewall.<\/p>\n<p>IPIDEA is based largely on SDKs used to view pirated streaming content on a vast number of TV box devices, but the service\u2019s numbers have dwindled since January, when Google and industry partners <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/disrupting-largest-residential-proxy-network\" target=\"_blank\" rel=\"noopener\">took legal action<\/a> to seize domain names that IPIDEA used to control devices and proxy traffic through them.<\/p>\n<p><strong>J\u00e9r\u00f4me Meyer<\/strong>, a security researcher at <strong>Nokia Deepfield<\/strong>, said the total population of devices participating in the Popa botnet may be far higher than Lumen\u2019s estimates. 
Meyer told KrebsOnSecurity that Nokia is monitoring 26 of at least 359 known relay nodes for the botnet, and estimates that each relay node handles between 35,000 and 60,000 clients simultaneously.<\/p>\n<p>\u201cOn the relay node subset I am looking at (26 of them), 750,000 unique sources in 24 hours,\u201d Meyer wrote in response to questions.<\/p>\n<p>Nokia Deepfield <a href=\"https:\/\/github.com\/deepfield\/public-research\/blob\/main\/reports\/2026-06-18-robovpn-neunative.md\" target=\"_blank\" rel=\"noopener\">released its own report today<\/a> on <strong>RoboVPN<\/strong>, a VPN app tied to the Vo1d botnet\u2019s Popa plugin that Qurium attributes to NetNut\/Alarum Technologies.<\/p>\n<h2>THE SYMBIOSIS OF PROXIES AND DATA SCRAPING<\/h2>\n<p>Experts say many of the world\u2019s largest proxy providers have updated their public-facing branding to highlight their utility for training AI platforms, implying it is a primary use case for their residential proxies. That\u2019s because AI services tend to rely on constantly mass-scraping the Internet for new text, images and video content that can be used to train large language models (LLMs).<\/p>\n<div id=\"attachment_73850\" style=\"width: 760px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/proxy-scraping-ai.png\" target=\"_blank\" rel=\"noopener\"><img aria-describedby=\"caption-attachment-73850\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-73850\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/proxy-scraping-ai.png\" alt=\"\" width=\"750\" height=\"375\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/proxy-scraping-ai.png 1424w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/proxy-scraping-ai-768x384.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/proxy-scraping-ai-782x391.png 782w\" sizes=\"auto, (max-width: 750px) 100vw, 750px\"><\/a><\/p>\n<p 
id=\"caption-attachment-73850\" class=\"wp-caption-text\">NetNut and other proxy services have recast themselves as critical infrastructure for the AI scraping economy. Image: Synthient.com.<\/p>\n<\/div>\n<p>\u201cAI companies depend on web-scraped content: for pre-training, for retrieval, for agent grounding, for search,\u201d reads <a href=\"https:\/\/blog.includesecurity.com\/2026\/06\/the-smart-tv-in-your-livingroom-is-a-node-in-the-aiscraping-economy\/\" target=\"_blank\" rel=\"noopener\">a report<\/a> this month from <strong>Include Security<\/strong> that examines the prevalence of proxy SDKs in smart TV apps. \u201cBut the modern web isn\u2019t scrapeable from a datacenter. Cloudflare, DataDome, HUMAN, among others throttle or block requests from known cloud IPs. The workaround is residential proxies. A scraping job routed through a Comcast or T-Mobile subscriber\u2019s connection arrives at the target site from an IP that belongs to a paying residential customer.\u201d<\/p>\n<p>This non-stop content scraping has spawned <a href=\"https:\/\/copyrightalliance.org\/ai-copyright-lawsuit-developments-2025\/\" target=\"_blank\" rel=\"noopener\">more than 70 copyright infringement lawsuits<\/a> against major tech companies that have acknowledged large-scale data scraping as a major source of the \u201cbrains\u201d behind their commercial AI offerings. Ironically, much of that scraping is being aided by proxy services that are intimately tied to unofficial Android TV boxes and associated SDKs whose stated purpose is streaming pirated content.<\/p>\n<p>The scraping activity has become so aggressive that it often overwhelms the targeted websites, preventing them from being reachable by legitimate visitors. 
In many reported cases, nonprofit organizations, libraries and universities have complained of constantly battling to keep their services online in the face of relentless data-scraping firms hiding behind residential proxy services.<\/p>\n<p>A survey conducted last year by the <strong>Confederation of Open Access Repositories<\/strong> (COAR) <a href=\"https:\/\/www.cni.org\/topics\/ci\/artificial-intelligence-bots-and-repositories-results-and-next-steps-from-coar-survey\" target=\"_blank\" rel=\"noopener\">found<\/a> that while some content-scraping bots are rather innocuous, \u201cothers are sufficiently aggressive that they are increasingly causing service disruptions in repositories and other scholarly communications infrastructures.\u201d More than 90 percent of survey respondents indicated their repository is encountering aggressive bots, usually more than once a week, and often leading to slowdowns and service outages.<\/p>\n<p>\u201cAutomated web scraping is nothing new, and has been the key technology underlying search engines such as Google for over 30 years,\u201d <a href=\"https:\/\/blog.doaj.org\/2026\/01\/26\/open-access-vs-open-excess-doaj-and-ai-scraper-bots\/\" target=\"_blank\" rel=\"noopener\">wrote<\/a> <strong>Brendan O\u2019Connell<\/strong>, platform manager at the <strong>Directory of Open Access Journals<\/strong> (DOAJ), a free, community-curated index of peer-reviewed academic journals. \u201cHowever, the current investor-fueled AI startup craze means there are now thousands of well-funded companies developing and deploying their own scraping tools to train AI models, alongside existing major players like OpenAI and Google.\u201d<\/p>\n<h2>DON\u2019T TOUCH THAT DIAL!<\/h2>\n<p>Across the United States, local communities are pushing back against the proliferation of new data centers aimed primarily at improving the capabilities of AI. 
But security experts say the general public remains largely unaware that using one of these unsanctioned Android TV boxes means their \u201csmart TV\u201d is almost certainly using a significant amount of bandwidth each month to help train modern AI models.<\/p>\n<p>Even households without these sketchy TV boxes can still have their smart TVs turned into residential proxy nodes, just by downloading one of thousands of apps made available on <strong>Samsung<\/strong> and <strong>LG<\/strong> smart TVs. Spur said it recently scraped the LG and Samsung app stores and found that each had approximately 3,000 apps available for download. Many of these apps are simple games or utilities that state in the fine print that the user\u2019s Internet connection will be used to download data and that they can opt out at any time.<\/p>\n<p>Spur said it found that\u00a0<em>more than 42 percent of apps available for download via the <strong>webOS<\/strong> operating system on <strong>LG<\/strong> smart TVs include SDKs that turn one\u2019s television into an always-on residential proxy node. 
<\/em>More than a quarter of the apps made for Samsung\u2019s <strong>Tizen<\/strong> operating system had similar residential proxy components, Spur found.<\/p>\n<div id=\"attachment_73849\" style=\"width: 758px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/spur-tvproxy.png\" target=\"_blank\" rel=\"noopener\"><img aria-describedby=\"caption-attachment-73849\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-73849\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/spur-tvproxy.png\" alt=\"\" width=\"748\" height=\"304\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/spur-tvproxy.png 1272w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/spur-tvproxy-768x313.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/spur-tvproxy-782x318.png 782w\" sizes=\"auto, (max-width: 748px) 100vw, 748px\"><\/a><\/p>\n<p id=\"caption-attachment-73849\" class=\"wp-caption-text\">Image: Spur.us.<\/p>\n<\/div>\n<p>Experts say it\u2019s questionable whether TV apps with proxy SDKs can obtain meaningful consent from users for installing an always-on proxy connection, particularly when anyone in a household \u2014 including children \u2014 can effectively opt the family TV into a residential proxy network just by installing a simple game or app.<\/p>\n<p>\u201cPrivacy-policy disclosure is the wrong control surface for a TV,\u201d Include Security wrote. 
\u201cIt is hard to scroll through a legal document navigated by arrow keys on a remote, and the in-app consent dialog doesn\u2019t convey that a paying customer is about to route their scraping traffic through the user\u2019s home internet.\u201d<\/p>\n<p>Spur\u2019s head of research <strong>Sean Simmons<\/strong> told KrebsOnSecurity that most people do not have a working mental model for what it means to sell access to their residential IP address, no matter what device they are using.<\/p>\n<p>\u201cAnd on a TV, the gap is even wider,\u201d Simmons said. \u201cA one-time prompt navigated with a remote can disappear into the setup flow, while the app keeps monetizing the connection long after anyone remembers what they accepted.\u201d<\/p>\n<p>Simmons said LG and Samsung should follow the lead of other TV platforms that have already drawn a line against residential providers, pointing to policies by <strong>Amazon<\/strong> that prohibit apps facilitating proxy services for third parties. Likewise, the TV streaming device maker <strong>Roku<\/strong> reportedly now bars developers from using proxy SDKs and has removed apps that bundled them.<\/p>\n<div id=\"attachment_73855\" style=\"width: 759px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-73855\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-73855\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/tvstreamz.png\" alt=\"\" width=\"749\" height=\"448\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/tvstreamz.png 993w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/tvstreamz-768x459.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/tvstreamz-782x468.png 782w\" sizes=\"auto, (max-width: 749px) 100vw, 749px\"><\/p>\n<p id=\"caption-attachment-73855\" class=\"wp-caption-text\">Piracy-related apps pushing proxy SDKs onto unconsenting users. 
Image: Synthient.<\/p>\n<\/div>\n<p>Apps that turn one\u2019s device into a residential proxy node are not limited to smart TVs and no-name streaming boxes, of course. As noted by the security firm <strong>Infoblox<\/strong>, mobile app developers can embed SDKs provided by the residential proxy networks into their products to monetize their software, allowing them to receive a small amount of money on each installation.<\/p>\n<p>The result, Infoblox said, is that devices are frequently enrolled without the owner\u2019s knowledge, typically through free applications such as VPNs, streaming apps, screensavers and \u201cproductivity\u201d apps such as PDF viewers and break reminders.<\/p>\n<p>All too often, these proxy services are beaconing out from employee devices brought into the workplace, Infoblox found. In a blog post earlier this month, Infoblox said it discovered that fully 65% of its customer base was querying one or more residential proxy related domains.<\/p>\n<p>\u201cWe saw steady growth in these queries in 2025, with a 25% increase over the year to over 500 billion per month,\u201d Infoblox <a href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/residential-proxies-in-the-wild\/\" target=\"_blank\" rel=\"noopener\">wrote<\/a>. \u201cOver 90% of our pharmaceutical and food &amp; beverage customers have queried residential proxy indicators. Perhaps even more concerning is that over 60% of government and banking customers have as well.\u201d<\/p>\n<p>Infoblox researchers <strong>Nick Sundvall<\/strong> and <strong>David Brunsdon<\/strong> warned that with residential proxies in the corporate environment, external access is granted to an organization\u2019s IP space.<\/p>\n<p>\u201cIf threat actors were to abuse the residential proxy to attack a third party, the third party\u2019s incident response would, correctly, identify your residential proxy as the source,\u201d they wrote. 
\u201cUntangling that, by proving that you were the conduit and not the threat actor, costs time, creates legal exposure, and can damage your reputation. The stunning prevalence of these services within customer environments warrants attention from both network defenders and policy makers who should consider how the risks posed by residential proxies could be impacting their security posture.\u201d<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>For the past four years, a sprawling Android-based botnet called Popa has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. This week, researchers from multiple security firms concluded that the Popa botnet is linked to NetNut, a \u201cresidential proxy\u201d provider operated by the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[113,1291,354,965,1292,1293,1294,1295,1296,90,201,1297,1298,1299,1300,1301,143,1302,1303,1304,1305,1306,1307,1308,1309,1310,1311,1312,1313,1314,1315,1316,1317,367,368,176,1318,1319],"tags":[91],"class_list":["post-3754","post","type-post","status-publish","format-standard","hentry","category-a-little-sunshine","category-alarum-technologies-ltd","category-badbox-2-0","category-black-lotus-labs","category-brendan-oconnell","category-chris-formosa","category-confederation-of-open-access-repositories","category-cricfy","category-cyberflix","category-cybersecurity","category-david-brunsdon","category-directory-of-open-access-journals","category-dooflix","category-flixoid","category-include-security","category-je
rome-meyer","category-latest-warnings","category-lg","category-lumen-technologies","category-netnut","category-nick-sundvall","category-ninajtech","category-nokia-deepfield","category-oceanstreams","category-popa-botnet","category-qurium","category-rapid-streamz","category-residential-proxies","category-robovpn","category-rts-tv","category-samsung","category-sean-simmons","category-sprozfy","category-spur","category-synthient","category-the-coming-storm","category-tvmob","category-vo1d-botnet","tag-cybersecurity"]}