
Google GTIG Disrupts IPIDEA Residential Proxy Network in the United States

Google disrupts UNC2814 GridTide espionage campaign
Google and partners dismantled a cloud‑hosted espionage operation that used spreadsheets and SaaS APIs as covert command channels, attributed to the actor UNC2814 and a backdoor called GridTide. The takedown affects at least 53 organizations across 42 countries and highlights an accelerating trend: cloud services are becoming primary vectors for stealthy state‑linked intrusions.
Google unveils threat-disruption team to choke attacker infrastructure
Google has created a centralized Threat Disruption team to deny cyber adversaries the infrastructure they use through legal takedowns, public exposure, sinkholing and product hardening, while explicitly avoiding offensive operations on behalf of governments. The move formalizes prior ad‑hoc disruptions (for example GridTide and residential proxy takedowns) and pairs GTIG telemetry with coordinated cross‑provider action — an approach that yields immediate defensive gains but is constrained by jurisdictional limits and adversary migration to harder-to-reach platforms.

Google GTIG: Zero‑Day Exploits Shift Toward Enterprise Targets in 2025
Google’s GTIG logged 90 exploited zero‑days in 2025 and a record portion hit enterprise infrastructure; commercial spyware vendors and OS flaws drove much of the shift. Field cases — including a long‑running WinRAR exploit and rapid weaponization of disclosed appliance flaws — illustrate how automation and exploit brokerage compress the timeline from discovery to impact.

Asus-router infections form resilient KadNap proxy network
Researchers link a 14,000-device proxy network to a peer-to-peer botnet labeled KadNap, which exploits unpatched router flaws to hide control infrastructure and carry anonymous traffic. The botnet’s use of a Kademlia-style DHT and growth from ~10k to 14,000 devices signals higher takedown cost and greater abuse of consumer gateways.
Google flags intensifying cyber campaigns against the global defense supply chain
Google’s Threat Intelligence Group alerts that coordinated cyber campaigns against firms and personnel in the defense industrial base are increasing, combining long‑dwell implants, commodity exploit reuse, and LLM-assisted social engineering. The advisory urges identity‑first controls, extended cross‑domain telemetry to suppliers and staff, hardware-backed MFA and governed agentic automation to shorten attackers’ windows and blunt supply‑chain impact.

OpenAI: ChatGPT record exposes transnational suppression network
OpenAI released internal records showing a coordinated campaign using ChatGPT entries to run harassment and takedown operations against overseas critics. The disclosure links a large actor network — involving hundreds of operators and thousands of fake accounts — to real-world misinformation and platform abuse, sharpening regulatory and security pressures.

Justice Department Disrupts Iran-linked Propaganda Websites
Federal prosecutors seized four domains tied in court filings to an Iran-linked influence campaign that published threats and doxxed critics, removing immediate public-facing staging grounds and preserving forensic evidence. The action occurred amid a wider kinetic‑and‑cyber episode—during which attribution and impact remain contested—prompting heightened FBI domestic posture and raising questions about long‑term resilience against decentralized, encrypted adversary tradecraft.

SystemBC resurfaces as resilient proxy botnet, infecting over 10,000 hosts
A persistent variant of the SystemBC loader has rebuilt its footprint after a law-enforcement disruption and now routes traffic through more than 10,000 compromised IPs worldwide. Security researchers warn the infrastructure acts as a traffic-proxying backbone and often precedes ransomware and other secondary intrusions.