A Sprawling Proxy Botnet Hidden in Plain Sight
A sophisticated and long-running cybercriminal operation has been quietly conscripting ordinary devices — laptops, smartphones, and potentially smart TVs — into an unauthorized residential proxy network, leveraging fake software installers, counterfeit VPN applications, and an elaborate ecosystem of deceptive websites. The threat actor behind the campaign, dubbed Lurking Lizard by DNS threat intelligence firm Infoblox, has been active since at least August 2022 and operates what researchers describe as an end-to-end residential proxy malware business — one that recruits victims, monetizes their bandwidth, and markets the resulting network through fake storefronts, all under the same criminal umbrella.
The scale is significant. Infoblox's analysis identified more than 230 lookalike domains used as part of the infrastructure, while a related mobile application branded as a VPN — "wirevpn - Fast Unlimited Proxy," attributed to a UK-registered entity called WEILAI NETWORK TECHNOLOGY CO., LIMITED — has accumulated more than one million downloads. Whether those installs are organic remains unclear, but the figures underscore the operational reach of what researchers are calling one of the more architecturally complete proxy fraud schemes observed in recent years.
How Lurking Lizard Recruits Victims Through Fake Software
The most documented entry point involves a trojanized installer for 7-Zip, the widely used open-source file compression utility. Victims were directed to a domain named "7zip[.]com" — a deliberately chosen near-miss of the legitimate "7-zip[.]org" — where they downloaded what appeared to be a standard installer. In reality, the package covertly enrolled the device as a proxy exit node, routing third-party network traffic through the victim's IP address without their knowledge or consent.

This technique — exploiting typosquatted or misreferenced domain names — is deceptively effective. Many users encountering a tutorial or search result linking to "7zip.com" would have no reason to question its legitimacy. Further analysis of an IPLogger URL embedded in the 7-Zip campaign samples revealed the same underlying infrastructure was also being used to distribute fake installers for WhatsApp, tools falsely marketed as TikTok and YouTube downloaders, and WireVPN — pointing to a coordinated multi-product distribution strategy rather than a one-off campaign.
According to The Hacker News, victims in the 7-Zip campaign were directed to malicious installers through tutorial content, search-driven discovery, and lookalike domains — a combination that speaks to the actor's understanding of how users actually find and download software. For IT decision makers and security professionals, this highlights a critical and persistent vulnerability: the gap between how users expect software distribution to work and the reality of what search engines and tutorial sites may serve them.
"Rather than operating a single malware campaign, Lurking Lizard manages multiple stages of the residential proxy lifecycle for several years, from acquiring victim devices through to marketing and selling access to the resulting network."
— Infoblox Threat Intelligence Research TeamDrop-Catching, Impersonation, and the Art of Borrowed Legitimacy
What distinguishes Lurking Lizard from many opportunistic threat actors is the sophistication of its domain acquisition strategy. The group is known to practice drop-catching — the technique of acquiring expired domains precisely to inherit their accumulated SEO history, backlink profiles, and residual trust signals. Rather than building credibility from scratch, the actor purchases legitimacy wholesale, using aged domains that search engines and users are already inclined to trust.
The group also actively impersonates established residential proxy providers, including IPIDEA, SmartProxy (now rebranded as Decodo), IP Royal, and 911Proxy. Notably, IPIDEA's infrastructure was dismantled by Google in an operation earlier this January, underscoring the fluid and adversarial relationship between major platform operators and these proxy networks. Further complicating the landscape, research by Proxyway found that 773,087 unique IP addresses linked to SmartProxy also appeared in a publicly available IPIDEA IP dataset comprising more than 16 million unique IPs — suggesting that the lines between legitimate proxy providers and criminal infrastructure may be blurrier than many enterprise buyers assume.
Beyond impersonating providers directly, Lurking Lizard runs fake "independent" review websites designed to funnel traffic toward its own scam storefronts. This creates a self-reinforcing ecosystem: victims find the malicious software through seemingly credible tutorials and search results, while potential proxy service customers are directed to Lurking Lizard's fake brands through equally fabricated review content. WHOIS analysis and infrastructure fingerprinting conducted by Infoblox suggest the actor is based in China, and the operation also uses popular VPNs and services like HeroSMS as decoys to distribute the proxy malware further.
The Mobile Dimension: VPN Apps as Residential Proxy Malware Vectors
The campaign's expansion into mobile represents a significant escalation in scope. The WireVPN branding — applied to applications targeting Android, macOS, and Windows — illustrates the actor's intent to build cross-platform coverage. The Android application "wirevpn - Fast Unlimited Proxy," developed under the UK-registered entity WEILAI NETWORK TECHNOLOGY CO., LIMITED, had surpassed one million downloads at the time of reporting.

Researchers have not yet confirmed whether the proxy exit-node functionality present in the desktop variants is replicated in the mobile applications, but the possibility carries serious implications. VPN apps, by their nature, already request broad network permissions — making them an ideal vessel for covert proxy functionality that would be difficult for users to detect or distinguish from expected behavior. For privacy professionals and developers building applications on top of third-party SDKs or leveraging mobile VPN libraries, this underscores the need for rigorous supply chain vetting.
The concern is not merely theoretical. As Wired and other outlets have reported extensively, residential proxy networks built on compromised devices are frequently used to launder the origins of malicious traffic, bypass geo-restrictions, conduct credential stuffing attacks, and evade fraud detection systems — all while the device owner remains entirely unaware that their home IP address is being used as a launchpad.
Lurking Lizard vs. NetNut: Two Proxy Botnets Compared
The Lurking Lizard disclosure arrives just days after Google announced it had significantly disrupted the NetNut (also known as Popa) residential proxy network — a separate but structurally similar operation that turned at least 2 million devices, including smart TVs and streaming boxes, into unauthorized traffic conduits. NetNut achieved this through malware-laced SDKs that were either pre-installed on devices before purchase or bundled within apps containing hidden proxy code. The proximity of these two disclosures points to a broader industry reckoning with the scale and sophistication of the residential proxy fraud ecosystem.
| Attribute | Lurking Lizard | NetNut / Popa |
|---|---|---|
| Primary vector | Trojanized installers, fake VPN apps | Malware-laced SDKs, pre-installed apps |
| Target devices | Windows, macOS, Android | Smart TVs, streaming boxes |
| Known scale | 230+ domains; 1M+ mobile downloads | At least 2 million devices |
| Monetization model | Fake proxy service brands + review sites | Proxy network resale |
| Disrupted by | Ongoing (Infoblox disclosure) | Google (announced recently) |
| Suspected origin | China (WHOIS / infrastructure analysis) | Not publicly attributed |
Google's statement accompanying the NetNut takedown is worth quoting in context: "This creates serious risks for unsuspecting device owners, as their home IP addresses can be used by attackers as a launchpad for hacking and other unauthorized activities. Consequently, users can have their legitimate traffic flagged as suspicious, or blocked by their service providers." The same risk applies in full to Lurking Lizard's victims — and extends to any organization whose systems those residential IPs interact with.
GDPR and Data Sovereignty Implications for European Users and Businesses
For privacy professionals and compliance teams operating under the General Data Protection Regulation, the Lurking Lizard campaign raises a set of uncomfortable questions that go beyond individual device security. When a device enrolled in a proxy botnet is located within the EU, its IP address — and the traffic flowing through it — may originate from or transit through systems that process personal data. If that traffic involves third-party browsing sessions, login flows, or API calls, it could implicate the device owner's infrastructure in unauthorized data processing activities they have no visibility into.
Originally reported by RSS App New Cybersecurity Feed. Summarised and curated by European Purpose.