Researchers reported that a threat actor tracked as Lurking Lizard has been running an end-to-end malicious residential proxy operation since at least 2022, using trojanized software installers and more than 230 lookalike domains to turn victim devices into proxy nodes. The campaign used counterfeit installers and fake review sites impersonating trusted software and services, including 7-Zip, WhatsApp, TikTok, YouTube downloader tools, and a fake WireVPN brand, with one notable lure hosted on 7zip[.]com.
Investigators linked the activity through shared domain records, backend infrastructure, code overlaps, and a hardcoded IPLogger beacon, concluding that the operators both infected victims and resold their bandwidth as residential proxy access. The operation expanded across Windows, macOS, and Android, and the WireVPN-branded Android app reportedly exceeded 1 million downloads, while exhibiting behavior consistent with proxy exit-node abuse rather than legitimate VPN protection. WHOIS and infrastructure analysis indicate the operation is likely run by a China-based actor.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
The activity later evolved into a fake VPN brand called WireVPN, distributed through mobile app stores and described as behaving like proxy exit-node abuse rather than legitimate VPN protection. Reporting also says the campaign expanded to target Android, macOS, and Windows users.
The Lurking Lizard operation was reported as having operated since at least August 2022, using fake software installers and related infrastructure to recruit victim devices into a residential proxy network.
Researchers publicly disclosed details tying more than 230 domains, shared backend infrastructure, code overlaps, and a hardcoded IPLogger beacon to Lurking Lizard's end-to-end malicious residential proxy business. The reporting also said WHOIS and infrastructure analysis suggested the operator is based in China.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
securityaffairs.com
Open sourcethehackernews.com
Open sourcecyberveille.ch
Open sourcecryptika.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.