CISO ME Issue 01 | Page 29

R internet issue, but new research from Infoblox Threat
NETWORK SECURITY

Hidden proxy networks put enterprise security and reputation at risk

esidential proxies have historically been viewed as a fringe

R internet issue, but new research from Infoblox Threat

Intel suggests otherwise. Developed in collaboration with Synthient and building on Infoblox’ s earlier Kimwolf botnet findings, the research shows residential proxies present a much broader enterprise exposure.
After Infoblox previously found that roughly 25 % of customers had the Kimwolf domain in their networks, driven by residential proxies, the teams expanded the work by examining billions of DNS resolutions and associated network telemetry across the customer base. What they found was significantly larger: in 2026, more than 65 % of Infoblox Threat Defense Cloud customers made queries to domains associated with residential proxy networks, demonstrating how deeply these services are embedded in real-world business environments.
Residential proxies route internet traffic through everyday consumer devices such as home routers, mobile phones, IoT devices and systems running apps embedded with proxyware, making the connection appear to come from a real person rather than a datacentre. While this can serve legitimate purposes, such as web scraping or accessing georestricted content, it is also what makes residential proxies attractive to attackers. They help evade IP reputation systems, bypass fraud and verification controls and allow malicious traffic to blend in with normal consumer activity.
The research shows that the issue is growing. Between January 2025 and April 2026, monthly queries to residential proxy domains rose from nearly 400 billion to more than 500 billion, an increase of roughly 25 %. Infoblox Threat Intel says one major driver is AI-related web scraping, where residential proxies help traffic blend in as if it were coming from real consumers rather than automated systems.
Key findings include:
• More than 65 % of Infoblox Threat Defense Cloud customers showed residential proxy-related DNS activity in 2026.
• Monthly query volume to residential proxy domains grew by about 25 %, reaching more than 500 billion per month.
• At least 40 % of customers in every industry vertical showed this traffic, including more than 90 % of pharmaceutical and food and beverage customers, and more than 60 % of government and banking customers.
“ Residential proxies allow an external party to leverage your resources to commit crime and wreak havoc on the internet using your reputation and IP address identity,” said Dr. Renée Burton, Vice President of Infoblox Threat Intel.“ In most cases, these access points are technically created with user consent through the acceptance of software terms and conditions.
But details are often buried in legalese, many pages into a document. Policy makers need to look at the dangers residential proxies pose to the internet, requirements for informed consent, and the role proxy service providers should play in preventing abuse. Enterprises need a multipronged approach to tackle the threat today, one of which should be protective DNS to control connections to unwanted proxy services”.
While not every residential proxy is malicious, organisations that are unaware of whether these services are present in their environments, why they are there or what risks they create may be blind to a rapidly growing source of exposure.
Equally significant is how these services typically arrive: through everyday tools and devices rather than obvious malware. The research identifies free VPNs, streaming apps, screensavers, productivity apps and low-cost IoT devices as common enrolment mechanisms, often without users fully understanding what is happening.
WWW. INTELLIGENTCISO. COM / MIDDLE-EAST 29