
Popa: From Sourcing to Distribution

Medium
Published: Thu Jun 18 2026 (06/18/2026, 19:31:57 UTC)
Source: AlienVault OTX General

Description

Popa is an Android proxyware SDK that enrolls consumer devices into a commercial residential proxy network without user consent. It has been active since at least 2020 and is embedded in streaming, IPTV, and utility apps, often linked to piracy. The SDK relays third-party traffic immediately upon app launch and communicates with NetNut infrastructure. Later versions use encrypted Google Drive files to resolve relay servers. No informed consent was observed in analyzed samples despite some builds having consent capabilities.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/19/2026, 09:49:57 UTC

Technical Analysis

Popa is an Android SDK used to covertly enroll consumer devices such as phones, tablets, and streaming boxes into a commercial residential proxy network. It operates by relaying third-party traffic through infected devices without displaying informed-consent prompts in analyzed samples. Variants of Popa (Loopop, Neupop, Moneytiser) are distributed inside consumer streaming, IPTV, and utility applications, many linked to piracy. The SDK communicates directly with NetNut SDK endpoints, sharing infrastructure and telemetry, and uses encrypted Google Drive files in later versions to resolve relay servers. Controlled testing confirmed traffic from Popa-enrolled devices egressing through NetNut's commercial gateway. Despite some later builds including consent capabilities, none of the analyzed samples requested user consent.

Potential Impact

Devices infected with Popa SDK become part of a commercial proxy network, relaying third-party traffic without user knowledge or consent. This can lead to unauthorized use of device bandwidth and resources, potential privacy violations, and association with illicit activities such as piracy. The covert nature of the SDK's operation increases risk to end users and complicates detection and remediation.

Mitigation Recommendations

No official patch or remediation guidance is provided. Since this is an SDK embedded in third-party applications, mitigation involves avoiding installation of applications known to include Popa or its variants, especially those linked to piracy or unauthorized streaming. Users and administrators should remove affected applications if detected. Monitor for applications using Popa-related SDKs and consider application vetting to prevent deployment. Patch status is not yet confirmed — check vendor advisories or security research updates for current remediation guidance.


Technical Details

Author: AlienVault
TLP: white
References: https://synthient.com/blog/popa-from-sourcing-to-distribution
Adversary: null
Pulse Id: 6a3447ad5cdebd92116d1c01
Threat Score: null

Indicators of Compromise


URL

http://gw.netnut.net:9595


Threat ID: 6a350d73f198dc38c1e7444c

Added to database: 6/19/2026, 9:35:47 AM

Last enriched: 6/19/2026, 9:49:57 AM

Last updated: 6/19/2026, 4:32:31 PM

