Excellent work by @nicter_jp documenting a Xiongmai DVR campaign deploying residential proxy SDKs: https://blog.nicter.jp/2026/03/iot_proxyware/
We pulled the payloads and decompiled the chain.
The downloader is Mirai with all DDoS functionality stripped out — repurposed as a vehicle for proxy monetization. It delivers two proxy SDKs: IPRoyal Pawns and PacketSDK, the latter part of the IPIDEA network Google disrupted in January.
NICTER's IOC timeline tells the rest: PacketSDK v1.0.2 (original domains) → v1.0.6 (scrambled replacements) → v1.0.8.4 (single fallback) → not deployed. Every dispatch path is now NXDOMAIN.
A concrete view of Google's takedown continuing to have impact.
