Feike Hacquebord
feikeh.bsky.social
Principal Threat Researcher at Trend Micro
One of the botnets that is using a modular approach that will likely be able to circumvent network-based access controls against residential proxies is known as BadBox 2.0. The FBI issued an advisory yesterday: www.ic3.gov/PSA/2025/PSA...
Internet Crime Complaint Center (IC3) | Home Internet Connected Devices Facilitate Criminal Activity
June 6, 2025 at 11:28 AM
This modular model is already employed by residential proxy providers in the Far East who obtain millions of residential proxies by exploiting vulnerabilities in the supply chain of inexpensive IoT devices and by shipping pre-infected Android Open Source Project (AOSP)-supported devices.
June 4, 2025 at 8:18 AM
We anticipate that residential proxy providers will seek to bypass connection and session-based access controls by uploading separate software modules to residential endpoints. These modules can independently carry out specific tasks like advertisement fraud without relying on proxied connections.
June 4, 2025 at 8:17 AM
One of my favorite pieces of evidence we were able to obtain was 7 videos with English text, which painstakingly explain how to set up a Beavertail C&C. The screen recording, lasting more than 1 hour, was created by someone logged in with a BlockNovas account from an IP address probably in Russia.
April 24, 2025 at 8:04 AM
Nsocks provides an alternative explanation: "Competitors have hired an organization that has blocked our back-connect servers and continues DDOS attacks." Nsocks now also mandates authentication for their SOCKS5 entrance nodes (which was not the case previously - security by obscurity).
November 26, 2024 at 1:01 PM