IPIDEA
IPIDEA is described in the source reporting as a Chinese company that operates a large residential proxy network by compromising consumer devices and turning them into proxy or exit nodes. According to that reporting, IPIDEA distributes its malicious code through applications and games, free VPN apps, SDK integrations offered to developers, fake Windows and Android applications, and software preinstalled on low-cost Android TV streaming devices. Once infected, a device relays network traffic for the proxy network, hides the true origin of malicious activity behind a residential IP address, and can be enlisted in distributed denial-of-service attacks. IPIDEA marketed itself as a legitimate proxy service provider, while investigations and reports indicated that its network was used for questionable and malicious purposes. SDK packages reported as associated with IPIDEA include Castar, Earn, Hex, and Packet SDK. Researchers identified more than 3,000 Windows files and 600 Android applications tied to the scheme, including fake software impersonating OneDrive Sync and Windows Update. The reporting provides no aliases or sub-groups beyond the name IPIDEA.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they target
Geographies tied to known operations.
- 🇫🇮 Finland
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
16 distinct techniques observed across reporting, grouped by tactic.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Operates a large residential proxy network by turning consumer devices into proxies via malicious code hidden in apps, games, SDKs, or preinstalled on low-cost Android TV devices; infected devices are used to relay traffic and participate in DDoS attacks.
Operates a malicious proxy network by infecting consumer devices, including via trojanized apps, fake software, SDK-based monetization schemes, and preinstalled malware on cheap Android TV streaming devices; infected devices are used as exit nodes, to relay traffic, mask malicious activity, and participate in DDoS attacks.
Mentioned in the context of Google targeting it as part of a crackdown on global residential proxy networks.