- Threat actor Lurking Lizard has operated a residential proxy business since August 2022, using over 230 lookalike domains.
- The group lures victims with trojanized installers like a fake 7-Zip, recruiting devices as proxy nodes, and impersonates major proxy providers.
- Over 773,000 IP addresses linked to SmartProxy overlap with an IPIDEA dataset, suggesting reselling of infrastructure.
- Lurking Lizard also targets mobile users via apps like WireVPN, which has amassed over 1 million downloads.
Cybersecurity researchers have disclosed a new threat actor, dubbed Lurking Lizard, that has been operating an end-to-end malicious residential proxy business using an infrastructure comprising more than 230 lookalike domains since at least August 2022, according to Infoblox.
One campaign observed earlier this year involved the actor luring victims with a trojanized 7-Zip installer hosted on “7zip[.]com,” covertly recruiting compromised devices as proxy nodes, as Malwarebytes reported. The group also impersonates major proxy providers like IPIDEA, SmartProxy (now Decodo), IP Royal, and 911Proxy, and runs fake “independent” review sites to drive traffic to its own scam storefronts. Interestingly, IPIDEA‘s infrastructure was dismantled by Google in January.
Subsequent findings from Proxyway uncovered that 773,087 unique IP addresses linked to SmartProxy were also present in a publicly available IPIDEA IP dataset, indicating SmartProxy either “resells IPIDEA’s infrastructure directly or uses it as a significant IP source,” according to Proxyway. WHOIS analysis and infrastructure fingerprinting suggest Lurking Lizard is a China-based actor, with the scheme also using popular VPNs and HeroSMS as decoys.
The adversary often acquires domains when they expire to inherit their history, a technique called drop-catching. In some cases, the attacker has taken advantage of incorrectly referenced domain names, such as “7zip[.]com” instead of “7-zip[.]org.” Further analysis of the IPLogger URL embedded in the 7-Zip campaign samples uncovered that the same infrastructure served fake installers for 7-Zip, WhatsApp, tools claiming TikTok and YouTube downloaders, and WireVPN.
The use of WireVPN branding represents the latest evolution, targeting users across Android, macOS, and Windows. One Android app called “wirevpn – Fast Unlimited Proxy,” developed by a U.K.-based firm named WEILAI NETWORK TECHNOLOGY CO., LIMITED, has amassed more than 1 million downloads, although it’s unclear if these are organic. Infoblox noted that in the original 7-Zip campaign, victims were directed through tutorial content and search-driven discovery, and that mobile applications may serve as an additional acquisition channel. It remains unclear if the same proxy functionality is present in the mobile apps.
The result is an end-to-end operation that goes through two distinct stages: trojanized installers and mobile apps recruit victim devices into a proxy botnet, then the pool is monetized through lookalike proxy service brands, with fake review sites driving traffic. Infoblox stated, “We are struck by the parallels between the recently exposed criminal activity in the residential proxy space and malvertising that plagues affiliate advertising.” The development comes days after Google announced it had significantly degraded the NetNut (aka Popa) residential proxy network, which turned at least 2 million devices into conduits for unauthorized traffic through malware-laced SDKs.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
