
Hackers Abuse Residential Proxy Networks to Hide Malicious Activity and Evade Detection

Cybersecurity News Archived Jun 11, 2026 ✓ Full text saved




By Tushar Subhra Dutta, June 11, 2026

Hackers are getting harder to catch, and residential proxy networks are a key reason why. These services allow attackers to route malicious traffic through everyday home internet connections, making activity look like it is coming from a regular household device rather than a criminal server. Security teams are struggling to keep up as this technique grows more widespread.

A residential proxy works by sending traffic through real consumer devices like home routers, mobile phones, and IoT gadgets. Unlike a commercial VPN, which signals to a destination that the connection is hidden, a residential proxy makes traffic appear to come from a genuine home user. That is exactly what makes it so dangerous and difficult to detect.

Researchers at Infoblox examined residential proxies across their cloud customer networks and found the results alarming. According to an Infoblox report shared with Cyber Security News (CSN), over 65% of their cloud customers were making connections to residential proxy services. The team observed DNS traffic to proxy-related domains growing from around 300 billion queries per month in early 2025 to over 500 billion per month by April 2026.

The scale of the problem surprised even seasoned analysts. Residential proxy traffic appeared in every industry vertical examined, with at least 40% of customers in each sector affected. Pharmaceutical, food and beverage, electronics, industrial, and healthcare companies all showed strong proxy usage, raising serious questions about how deeply embedded these services have become inside enterprise environments.

[Figure: Infoblox visibility into residential proxies (Source – Infoblox)]

What makes the situation more complicated is that not all residential proxy use is intentional. Devices are frequently enrolled into proxy networks without the owner's knowledge, often through free streaming apps, browser extensions, or software kits bundled inside popular applications. The line between voluntary use and silent exploitation is blurry, creating real security blind spots for defenders.

Hackers Abuse Residential Proxy Networks

Threat actors value residential proxies because they give malicious traffic a clean disguise. IP reputation systems are largely built to flag datacenter IPs and known threat sources, but a home IP from a legitimate ISP often passes those checks without friction. This allows attackers to conduct credential stuffing, account takeovers, ad fraud, and reconnaissance while hiding behind a real household device.

One notable case involves a service called Gress, which converts unused bandwidth into rewards and pays users in cryptocurrency tokens. Gress was reportedly found pre-installed on Android TV streaming devices, enrolling users into the proxy network without their awareness. Another service, Honeygain, pays users to share their residential IP as a proxy exit point and also runs a product called CrBuzz that donates a portion of revenue to charity.

Infoblox also observed a striking spike tied to a specific orchestration domain used by proxy networks. On a single day in January 2025, the number of customer networks querying that domain jumped by over 250, an anomaly that proxy space experts could not readily explain. That spike coincided closely with action taken against IPIDEA, a major proxy service, suggesting displaced traffic quickly redistributed across other providers.

Why Detection Is Difficult and What Organizations Can Do

Detecting residential proxy traffic is hard because it is designed to blend in. Traffic arrives from real home IP addresses tied to legitimate ISPs, so traditional blocklists and geolocation filters offer limited protection. Content filtering policies are also applied unevenly, since malicious domains may be handled differently depending on each organization's security setup.

Infoblox recommends that defenders use Protective DNS to block queries to known proxy orchestration domains, which function similarly to command-and-control infrastructure in traditional malware campaigns. Teams should also audit DNS query logs for traffic to known proxy domains and review browser extensions and consumer apps on corporate devices for embedded proxy SDKs. Checking IP addresses against external resources that track residential proxy usage can help surface exposure that would otherwise go unnoticed.

Residential proxies are no longer a niche tool reserved for a small group of sophisticated actors. They are now embedded in everyday applications used by millions of people, and organizations that overlook this risk face a significant gap in their defenses.

Type | Indicator | Description
Domain | ipidea[.]net | Orchestration domain associated with IPIDEA residential proxy service, flagged by Infoblox
Domain | ipinfo[.]io | Domain queried by customer networks in relation to proxy reconnaissance activity

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
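
The DNS query log audit recommended above can be sketched as follows. This is an added example, not code from the article or from Infoblox; the log layout and sample lines are constructed, and the watchlist is the two defanged domains from the article's indicator table.

```python
from collections import defaultdict

# Watchlist copied from the article's indicator table, still defanged.
DEFANGED_WATCHLIST = ["ipidea[.]net", "ipinfo[.]io"]

# Constructed sample log; the "timestamp client qname qtype" layout is assumed.
SAMPLE_LOG = """\
2026-06-11T08:00:01Z 10.0.4.17 api.ipidea.net. A
2026-06-11T08:00:02Z 10.0.4.17 www.example.com. A
2026-06-11T08:00:05Z 10.0.9.3 IPINFO.IO. AAAA
2026-06-11T08:00:07Z 10.0.9.3 notipidea.net. A
2026-06-11T08:00:09Z 10.0.4.17 ipidea.net. A
malformed line
"""


def normalize(name):
    """Refang '[.]', lower-case, and drop the trailing root dot."""
    return name.replace("[.]", ".").strip().lower().rstrip(".")


def matched_indicator(qname, watchlist):
    """Return the watchlist domain that qname equals or is a subdomain of."""
    name = normalize(qname)
    for domain in watchlist:
        # Compare on a label boundary so 'notipidea.net' does not match.
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def audit(log_text, defanged_watchlist):
    """Map each client IP to {watchlist domain: query count}."""
    watchlist = [normalize(d) for d in defanged_watchlist]
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed layout
        _, client, qname, _ = fields
        domain = matched_indicator(qname, watchlist)
        if domain:
            hits[client][domain] += 1
    return {client: dict(counts) for client, counts in hits.items()}


if __name__ == "__main__":
    for client, counts in audit(SAMPLE_LOG, DEFANGED_WATCHLIST).items():
        print(client, counts)
```

Per-client counts give a starting list of devices to check for bundled proxy SDKs or extensions; a hit is a lead to investigate, not proof of enrollment.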