NetNut Proxy Service Supplies Popa Botnet Domains via Alarum VP's Ninjatech
Krebs-linked investigation maps Popa C2 to NetNut infrastructure owned by Alarum, revealing how listed companies profit from TV-box botnets. Evidence from Qurium, XLAB, and Kramer profiles shows continuity after 2025 disruptions. Corporate proxy services now face direct attribution to compromised consumer hardware.
Popa functions as the persistent tunnel layer for Vo1d malware on unofficial Android TV boxes sold via major e-commerce sites. These devices register home IPs into NetNut's proxy pool, enabling ad fraud, ATO, and scraping while exposing local networks. Disruption of Badbox 2.0 domains in July 2025 triggered rapid re-registration of controllers, one of which remained ninjatech[.]io.
XLAB first flagged nine Popa domains in 2025. Qurium matched them during scraping campaigns and linked ninjatech[.]io to Kramer's F6S profile and LinkedIn history building NetNut's architecture before its acquisition by Alarum. Kramer confirmed Ninjatech ceased operations five years prior, yet the domain continued active C2 use.
The pattern shows publicly traded firms monetizing consumer device compromise at scale without direct ownership of malware. Residential proxy revenue streams create structural incentives to overlook device provenance, a gap mainstream breach reporting rarely quantifies against SEC filings.
Next indicators will appear in Alarum's quarterly risk disclosures or enforcement actions against proxy customers. Independent domain sinkholing by Google and HUMAN continues to force rapid domain churn.
SEC: Alarum discloses material botnet-related revenue risk in next 10-Q filing or faces enforcement referral.
Sources (3)
- [1]Primary Source(https://krebsonsecurity.com/2026/06/popa-botnet-linked-to-publicly-traded-israeli-firm/)
- [2]Supporting Source(https://www.qurium.com/reports/popa-botnet-2026)
- [3]Supporting Source(https://xlab.tencent.com/en/2025/vo1d-popa-domains)