Lurking Lizard Turns Victims Into Proxy Nodes via Fake 7-Zip, WireVPN
China-based threat actor Lurking Lizard operates 230+ lookalike domains serving trojanized 7-Zip installers and the WireVPN app to recruit victims into a residential proxy botnet without consent.
Security researchers at Infoblox have exposed a China-based threat actor called Lurking Lizard that operates more than 230 lookalike domains to distribute trojanized software and recruit victim devices into a residential proxy botnet. The operation has run since at least August 2022, with its latest campaign using fake 7-Zip installers and a VPN app with over 1 million Google Play downloads.
Once installed, the malware quietly rents out victims' internet connections to paying customers—turning home devices into anonymous proxy exit nodes without user knowledge or consent.
How the Scheme Works
Lurking Lizard operates a two-stage business model according to Infoblox's research:
Stage 1: Victim Recruitment The actor creates lookalike domains mimicking legitimate software download sites. A notable example: "7zip[.]com" versus the legitimate "7-zip[.]org". Victims find these sites through search engines, tutorial content, or direct links, then download what appears to be legitimate software.
The trojanized installers function normally but include a hidden proxy component. Once running, the malware registers the device with Lurking Lizard's command infrastructure and begins accepting proxy connections from third parties.
Stage 2: Monetization Lurking Lizard sells access to this residential proxy network through multiple brands. The actor also operates fake "independent" review sites to drive traffic to its own proxy storefronts, creating an appearance of legitimacy.
WireVPN: The Latest Front
Researchers believe WireVPN represents Lurking Lizard's current public-facing brand. The Android application—published under U.K.-registered firm WEILAI NETWORK TECHNOLOGY CO., LIMITED—has accumulated over 1 million downloads and 34,000 reviews on Google Play.
The app promises fast, unlimited VPN service. In reality, it enrolls devices into the residential proxy network. Whether WireVPN's download numbers reflect organic growth or artificial inflation remains unclear.
This represents a significant evolution from earlier campaigns. Unlike trojanized installers that users download once, a VPN app runs persistently and provides continuous proxy access through the victim's connection.
Infrastructure Scale
Lurking Lizard's operation extends beyond fake software downloads. The actor:
- Impersonates legitimate proxy providers including IPIDEA, SmartProxy (now Decodo), IP Royal, and 911Proxy
- Operates fake review sites to funnel victims toward scam storefronts
- Uses domain drop-catching to acquire expired domains with inherited search ranking and backlinks
- Maintains infrastructure across multiple hosting providers to avoid single points of failure
The 230+ lookalike domains identified by researchers likely represent only a portion of the operation's total infrastructure.
Technical Indicators
Researchers identified several artifacts associated with Lurking Lizard campaigns:
- IPLogger tracking: Embedded URL "iplogger[.]com/mnWD" appears in analyzed samples
- Target software: Fake installers for 7-Zip, WhatsApp, TikTok/YouTube downloaders
- Distribution domains: Lookalike domains mimicking popular software sites
- Attribution markers: WHOIS analysis and infrastructure fingerprinting point to China-based operators
The operation shows similarities to other supply chain attacks targeting software downloads we've documented, though Lurking Lizard focuses on proxyware rather than data theft.
Why Residential Proxies Matter
Residential proxies route traffic through real home IP addresses rather than datacenter ranges. This matters because:
For attackers: Residential IPs evade blocklists, bypass geographic restrictions, and make traffic appear legitimate. Services that block known VPN/proxy ranges often allow residential connections.
For victims: Someone else's activity appears to originate from your network. If that activity includes fraud, abuse, or illegal content access, you may face consequences—from service bans to law enforcement inquiries.
The victim receives no compensation while the operator monetizes their bandwidth, IP reputation, and device resources.
Connection to Broader Threats
Residential proxy networks enable various malicious activities: credential stuffing at scale, ad fraud, sneaker botting, scraping protected content, and evading rate limits. Bad actors rent residential proxy access specifically because these IPs haven't been flagged.
We've previously covered how malware authors increasingly abuse legitimate services for command and control. Lurking Lizard applies a similar principle—hiding behind real residential connections rather than obvious malicious infrastructure.
How to Protect Yourself
Before installing software:
- Download only from official vendor websites (7-zip.org, not 7zip.com)
- Verify URLs carefully—lookalike domains often differ by one character
- Check digital signatures on downloaded installers when available
- Be suspicious of search results pointing to unfamiliar download sites
For VPN apps:
- Research the developer before installing
- Check for independent security audits
- Be wary of "unlimited free" services—someone pays for bandwidth
- Review app permissions critically
If you suspect infection:
- Monitor your network for unexpected outbound connections
- Check installed programs for unfamiliar software
- Review device resource usage for unusual patterns
- Consider a full malware scan with updated definitions
Understanding how malware operates helps users recognize suspicious behavior and avoid becoming unwitting participants in criminal infrastructure.
Lurking Lizard's longevity—operating since 2022—demonstrates the profitability of residential proxy schemes and the difficulty of disrupting operations that don't directly steal data or deploy ransomware. The victims often never realize their devices have been compromised.
Related Articles
Fake Claude AI Installer Delivers PlugX RAT via DLL Sideloading
Attackers are distributing PlugX malware through phishing campaigns impersonating Anthropic's Claude AI. The fake installer abuses a legitimate G DATA binary for DLL sideloading.
Apr 22, 2026Attackers Use Bing AI Search to Distribute GhostSocks Malware
Malicious GitHub repositories exploiting Bing AI search results to distribute infostealers and GhostSocks proxy malware. Fake OpenClaw installers turn victims into residential proxies.
Mar 5, 2026VSCode Extensions With 1.5M Installs Exfiltrate Code to China
Two AI coding assistants on Microsoft's marketplace steal source code and credentials in real-time. Extensions use hidden iframes and analytics SDKs to profile developers.
Jan 25, 2026Black Cat Infects 278,000 Hosts in China via SEO Poisoning
Cybercrime group uses fake software downloads and malicious Bing ads to deploy infostealer malware at scale across Chinese systems.
Jan 17, 2026