Lurking Lizard: The Rise of a Sophisticated Residential Proxy Empire
A new threat actor, dubbed **Lurking Lizard**, has been exposed for operating an extensive malicious residential proxy business. This sophisticated operation leverages over 230 lookalike domains and trojanized installers to secretly enlist victim devices into a vast proxy network, which is then monetized through deceptive storefronts.
Cybersecurity researchers have unveiled details of a new threat actor, **Lurking Lizard**, which has established an end-to-end malicious residential proxy business. This elaborate scheme, active since at least August 2022 according to DNS threat intelligence firm **Infoblox**, utilizes an infrastructure comprising more than 230 lookalike domains.
### Trojanized Installers and Deceptive Tactics
One notable campaign, observed earlier this year, involved luring victims with a trojanized **7-Zip** installer hosted on a domain named "7zip[.]com". This seemingly innocuous download covertly transformed compromised devices into proxy nodes.
**Lurking Lizard** is also known for impersonating major legitimate proxy providers such as **IPIDEA**, **SmartProxy** (now **Decodo**), **IP Royal**, and **911Proxy**. The actor goes as far as running fake "independent" review sites to funnel traffic to its own fraudulent storefronts. Interestingly, **Google** recently dismantled **IPIDEA**'s infrastructure in January.
Further investigation by **Proxyway** revealed that 773,087 unique IP addresses linked to **SmartProxy** were also present in a publicly available **IPIDEA** IP dataset, suggesting that **SmartProxy** either resells **IPIDEA**'s infrastructure directly or heavily relies on it as an IP source.
### Origins and Modus Operandi
WHOIS analysis and infrastructure fingerprinting indicate that **Lurking Lizard** is a China-based actor. The illicit scheme also employs popular VPNs and services like **HeroSMS** as decoys to distribute proxy malware.
A key aspect of the adversary's strategy is acquiring expired domains, a technique known as drop-catching, to inherit their accumulated history and perceived legitimacy. In some instances, the attacker exploits the credibility surrounding incorrectly referenced domain names (e.g., "7zip[.]com" instead of "7-zip[.]org") to their advantage.
Analysis of an **IPLogger** URL ("iplogger[.]com/mnWD") embedded within samples from the **7-Zip** campaign revealed that the same underlying infrastructure has been used to serve fake installers for **7-Zip**, **WhatsApp**, and tools falsely claiming to be **TikTok** and **YouTube** downloaders, as well as **WireVPN**.
### Multi-Platform Expansion
The use of **WireVPN** branding signifies the latest evolution of the campaign, employing a multi-pronged approach to target users across various operating systems, including Android, macOS, and Windows. One such Android application, "wirevpn - Fast Unlimited Proxy," developed by a U.K.-based firm named **WEILAI NETWORK TECHNOLOGY CO., LIMITED**, has amassed over 1 million downloads, though the authenticity of these downloads remains questionable.

**Infoblox** notes, "In the original **7-Zip** campaign, victims were directed to malicious installers through tutorial content, search-driven discovery, and lookalike domains. Whether similar techniques are driving users to the current desktop variants is unclear, but the mobile applications may serve as an additional acquisition channel."
It remains uncertain if the same proxy functionalityβwhere third-party traffic is funneled through victims' devicesβis present in the mobile applications or if it's confined to desktop variants. Regardless, these findings illustrate an unlawful proxy business that fuels a coordinated ecosystem encompassing victim acquisition, proxy infrastructure, marketing, and monetization.
### A Two-Stage Operation
The operation unfolds in two distinct stages:
* Trojanized installers, mobile applications, and other lures recruit victim devices into an actor-controlled proxy botnet.
* The collected IP pool is then monetized through lookalike proxy service brands, with fake review sites driving traffic to the actorβs storefronts.
"We are struck by the parallels between the recently exposed criminal activity in the residential proxy space and malvertising that plagues affiliate advertising," **Infoblox** commented. "Rather than operating a single malware campaign, **Lurking Lizard** manages multiple stages of the residential proxy lifecycle for several years, from acquiring victim devices through to marketing and selling access to the resulting network."
### Broader Context: Google's Disruption of Proxy Networks
This development comes shortly after **Google** announced its significant disruption of the **NetNut** (also known as **Popa**) residential proxy network. That operation incapacitated a network that had turned at least 2 million devices, including smart TVs and streaming boxes, into conduits for unauthorized network traffic via malware-laced SDKs. These SDKs were either pre-installed or embedded within apps containing hidden proxy code.
**Google** warned, "This creates serious risks for unsuspecting device owners, as their home IP addresses can be used by attackers as a launchpad for hacking and other unauthorized activities. Consequently, users can have their legitimate traffic flagged as suspicious, or blocked by their service providers."
