Spur Research Finds Vulnerable Residential Proxy Software in More Than 900 Sensitive Enterprise and Government Networks

Embedded in everything from free apps to connected devices, vulnerable residential proxy software often goes unnoticed and unchecked.

Editor’s Note — Jan 28, 2026
Spur contributed to recent Google Threat Intelligence research on disrupting the largest known residential proxy network. The findings published by Google reflect the same residential proxy behaviors and risks explored in this post, with our analysis focused specifically on lateral movement and internal network exposure.

Today, Spur Intelligence released new research showing that vulnerable residential proxy software hidden in common apps and devices has infiltrated corporate and critical infrastructure networks without detection, enabling untrusted access inside environments assumed to be secure. 

Spur researchers analyzed more than 90 million IPs during Q4 2025 and discovered active residential proxy infrastructure vulnerable to exploitation across a wide range of organizations, including government agencies (296), healthcare providers and hospitals (166), financial institutions (141), utility providers (318) and aerospace companies (14). In total, more than 900 organizations are at risk. 

Residential proxies are pervasive across connected devices. They are frequently bundled into consumer applications, browser extensions, games, and low-cost Android devices as a means to provide connectivity for third parties, often for data collection or traffic resale. However, the vulnerable software’s network behavior can also expose local services and trusted resources that were never intended to be accessible from the public internet. This allows attackers to deploy malware from inside the network boundary or target internal resources that implicitly trust local traffic. Outcomes can be catastrophic, ranging from ransomware that shuts down power grids or water treatment facilities to the compromise of government agencies. 

“When vulnerable residential proxy software is present inside critical infrastructure networks, the impact can be devastating,” said Riley Kilmer, co-founder of Spur. “This kind of access enables attackers to move laterally, deploy ransomware and target internal systems from a position of trust. When these exposures exist inside government, utilities or healthcare environments, it becomes a matter of national security.”

What is most alarming is that residential proxies are often hidden from end users and unmanaged by enterprise security teams, particularly in bring-your-own-device (BYOD) environments. Because residential proxy software is embedded in mobile and desktop applications as well as browser extensions, it is highly ephemeral and appears on every type of network, and many of the devices running it are not under the management of enterprise security.

How residential proxies put organizations at risk

When devices running vulnerable residential proxy software connect to corporate or institutional environments, they introduce a new class of risk that extends beyond abuse of the proxy itself. In certain conditions, the mere presence of this software can expose the broader local network where it is installed, effectively placing untrusted infrastructure inside trusted network segments. Attackers leverage trust relationships between devices and applications, while blending in with trusted traffic to remain undetected. Even a single unmanaged device running residential proxy software can materially change the risk profile of an entire network segment.

A recent public example underscores the risk. Security researchers identified the Kimwolf botnet, which utilized residential proxy software to interact with services bound to localhost and internal interfaces, demonstrating how residential proxy clients can act as an entry point into networks. While Kimwolf represents a single campaign, Spur’s research indicates the underlying exposure is far more widespread and present across a broad range of enterprise and critical infrastructure environments.

What should organizations do?

Spur’s research highlights the importance of treating residential proxy detection as a network security issue. Recommended mitigations include stricter device segmentation, limiting installation of untrusted applications and extensions, and actively monitoring for residential proxy traffic originating from internal address space. However, these actions alone may still not completely eliminate the risk of exploitation.

Security teams and individuals can assess exposure by signing up for a free Spur account. They can also view Spur’s public webinar recording for additional technical details and research insights. 

About Spur Intelligence

Spur delivers the highest-fidelity IP intelligence available to detect anonymized, proxied, or otherwise obscured internet traffic, empowering you to stop fraud, fake users, and threats. Designed by expert security researchers and engineers, Spur elevated VPN attribution, bot detection, and residential proxy tracking to protect the most mission-critical government and commercial systems in the world.
