18 June 2026
Less than a month after documenting a global scraping campaign that drew on more than 1.4 million distributed IP addresses to target public-interest journalism, Qurium Media Foundation, working with independent threat intelligence researchers, including the Nokia Deepfield Emergency Response Team and Synthient, has traced the underlying infrastructure to “Popa”: a residential proxy software family that turns consumer devices into Internet relay nodes.
The investigation reveals that “Popa” is far more than a conventional malware component. Instead, it appears to be a sophisticated tunneling platform designed to register devices, maintain persistent encrypted connections, and route third-party traffic through ordinary residential Internet connections. According to our findings, the ecosystem spans hundreds of compromised applications, dozens of controller domains, and hundreds of backend servers, potentially affecting millions of consumer devices worldwide.
The investigation began after Qurium analyzed two large-scale scraping attacks against independent media organizations. Unlike conventional attacks originating from cloud providers or dedicated botnets, the traffic originated from an enormous number of residential IP addresses distributed across the globe. The scale and diversity of the sources suggested that a commercial residential proxy infrastructure was being used to hide the origin of the scraping activity.
Digital fingerprints in the attack led us to “Popa”, a networking architecture previously described by researchers at XLab and Dr. Web and later analyzed by Plume Security Labs as part of the Vo1d Android TV malware ecosystem. Rather than functioning as the malware itself, “Popa” appears to provide the communications and tunneling layer that allows infected or embedded devices to register with backend infrastructure and later proxy Internet traffic on behalf of third parties.
A global architecture hiding in ordinary devices
The Popa ecosystem operates through a distributed controller infrastructure. Once registered, a device can receive instructions to relay traffic through its own residential Internet connection. To external websites, the traffic appears to originate from the device owner rather than from the actual customer of the proxy network.
In practical terms, a smart television, Android TV box, streaming application, VPN client, torrent application, or other consumer software may become an exit node for a global residential proxy network.
Thousands of applications and potentially millions of devices
Qurium found 5,000 software samples on VirusTotal that implement variants of the same architecture. These samples communicate with approximately 46 controller domains and more than 300 backend servers hosted across multiple international providers.
The technology was identified inside dozens of pirate streaming applications as well as consumer software distributed for Windows and Android platforms. Investigators also identified compromised versions of SmartTube containing libraries implementing substantially similar tunneling functionality.
Historical infrastructure links
Historical analysis revealed that the ecosystem has evolved continuously over several years while maintaining remarkably consistent operational patterns. The investigation identified numerous additional domains sharing the same architecture and naming conventions. Among them is ninjatech.io, a domain associated with NinjaTech SIA, a Latvian company established in 2020 by the CTO of Alarum Technologies.
Qurium’s investigation further identified the same SDK family inside RoboVPN, a consumer VPN service operated by CyberKick, a business unit that later became part of Alarum Technologies Ltd.
While no single technical observation alone establishes attribution, all our findings form a consistent pattern that, according to the investigation, suggests a close relationship between the Popa ecosystem and the broader NetNut–Alarum ecosystem.
Reports and media coverage
Forensic report by Qurium: Finding “Popa”: When Your Smart TV Stops Being Yours
Research by Nokia Deepfield Emergency Response Team: A free download and a botnet: RoboVPN, Neunative, and the Vo1d/Popa backend
Research by Synthient: Popa: From Sourcing to Distribution
Article by KrebsOnSecurity: Popa Botnet Linked to Publicly Traded Israeli Firm
Press Contacts
Digital forensics
Tord Lundström <t at virtualroad.org>
Technical Director
Media
Clara Zid <info at virtualroad.org>
Outreach and Media manager
About Qurium
Qurium Media Foundation is an international non-profit organization that provides secure hosting, digital forensics, incident response, and infrastructure protection for journalists, human rights defenders, and public-interest media organizations worldwide. Its investigations focus on censorship, surveillance, digital attacks, and the infrastructures that enable them.
