Listen to this Post

Introduction
The cybercrime ecosystem has evolved far beyond traditional malware attacks. Modern threat actors are no longer interested in simply stealing passwords or encrypting files for ransom. Instead, they are building sophisticated underground businesses that monetize infected devices for years without victims ever realizing their systems have been compromised.
Security researchers have now uncovered one of the most organized examples of this trend. A threat actor known as Lurking Lizard has allegedly spent years constructing an extensive residential proxy infrastructure by disguising malware as trusted software downloads, impersonating legitimate proxy providers, and exploiting expired internet domains to gain users’ trust. Rather than focusing on quick attacks, the operation appears to function as a complete commercial ecosystem, where compromised devices become valuable assets that generate continuous revenue.
The investigation reveals an operation stretching back to at least 2022, involving hundreds of deceptive domains, fake review websites, malicious installers, counterfeit VPN applications, and proxy services designed to silently route internet traffic through unsuspecting victims across the globe.
A Sophisticated Criminal Business Hidden Behind Trusted Software
According to cybersecurity researchers at Infoblox, the threat actor called Lurking Lizard has established what appears to be a fully integrated malicious residential proxy business.
Unlike conventional malware campaigns that focus solely on stealing sensitive information, this operation allegedly transforms compromised computers into proxy exit nodes. Once infected, these systems quietly relay internet traffic on behalf of third parties, allowing criminals to hide their real locations behind innocent users’ residential internet connections.
Researchers identified more than 230 lookalike domains associated with the infrastructure, demonstrating an unusually large investment in deception and long-term operational planning.
How Fake 7-Zip Installers Became the Perfect Infection Method
One of the
Instead of downloading software from the legitimate website, victims were redirected to the deceptive domain 7zip[.]com, a subtle variation that many users could easily mistake for the official project.
The downloaded installer appeared completely legitimate while secretly installing malware capable of enrolling the victim’s computer into the operator’s residential proxy network.
This type of attack relies less on technical vulnerabilities and more on human trust, making it significantly harder for average users to recognize.
Impersonating Legitimate Proxy Companies
The investigation found that Lurking Lizard allegedly cloned several well-known residential proxy providers to increase credibility.
Among the brands impersonated were:
IPIDEA
SmartProxy (now Decodo)
IP Royal
911Proxy
The actor reportedly went beyond simply copying websites.
Researchers discovered fake comparison pages and supposedly independent review websites that promoted the fraudulent proxy services while steering potential customers toward attacker-controlled storefronts.
This marketing strategy resembles legitimate affiliate advertising but operates entirely within a criminal ecosystem.
Evidence Suggests Links to Chinese Infrastructure
WHOIS registration records, infrastructure fingerprints, and technical indicators suggest the operation may originate from China.
Researchers caution that attribution remains difficult in cyber investigations, but multiple infrastructure patterns point toward a China-based operation.
The campaign also leveraged services such as HeroSMS while using numerous VPN-related themes to disguise its activities and reduce suspicion.
Expired Domains Become Powerful Cyber Weapons
Perhaps one of the
Instead of registering completely new domains, attackers actively monitor valuable domains until they expire.
Once ownership lapses, they immediately purchase the domains, inheriting years of accumulated trust, backlinks, search engine rankings, and internet reputation.
To unsuspecting visitors, these domains often appear far more legitimate than newly registered websites.
Combined with minor spelling differences, this dramatically increases the chances that victims will unknowingly download malware.
A Growing Collection of Fake Software
Further investigation uncovered that the infrastructure extended well beyond fake 7-Zip installers.
Researchers identified malicious installers pretending to be:
TikTok downloader utilities
YouTube downloader software
WireVPN
Various VPN applications
These fake downloads all appeared to serve the same overall objective: silently recruiting additional devices into the expanding residential proxy network.
Android Applications Raise New Questions
The campaign has also expanded into the Android ecosystem.
Researchers identified an application named WireVPN – Fast Unlimited Proxy, published under a company called WEILAI NETWORK TECHNOLOGY CO., LIMITED.
The application has reportedly accumulated over one million downloads, although researchers have not confirmed whether those installations resulted from genuine user interest, paid promotion, or deceptive marketing techniques.
At present, investigators have not verified whether the Android application contains the same residential proxy functionality observed in desktop variants.
However, its existence demonstrates that the operators continue adapting their distribution strategy to reach broader audiences.
A Two-Stage Criminal Business Model
Unlike isolated malware campaigns, Lurking Lizard appears to operate an organized commercial pipeline.
Stage One: Device Recruitment
Victims unknowingly install trojanized software or deceptive applications.
Their computers then become proxy exit nodes under attacker control.
Stage Two: Commercial Monetization
The attackers package those compromised residential IP addresses into proxy services that are marketed through cloned brands, fake reviews, and convincing commercial websites.
Instead of immediately exploiting victims, the attackers transform every infected device into a long-term income-generating asset.
Why Residential Proxy Networks Are So Dangerous
Residential proxy networks provide cybercriminals with genuine household IP addresses.
This makes malicious activity far more difficult for security systems to detect because the traffic appears to originate from ordinary internet users rather than suspicious hosting providers.
These networks are frequently abused for:
Credential stuffing
Web scraping
Ad fraud
Spam campaigns
Financial fraud
Account creation abuse
Distributed attacks
Identity masking
Victims often remain unaware while their internet connection is quietly being used by strangers.
Connections to Broader Industry Investigations
The disclosure arrives shortly after Google announced significant disruption of the NetNut (Popa) residential proxy infrastructure.
According to
Google warned that infected households could unknowingly become launch points for cyberattacks, causing their legitimate internet traffic to appear suspicious to internet providers and online services.
The similarities between these operations illustrate a broader shift within cybercrime toward building scalable residential proxy businesses instead of conducting isolated malware campaigns.
What This Means for Everyday Users
The Lurking Lizard investigation highlights an uncomfortable reality.
Today, downloading software from unofficial websites carries risks far beyond traditional viruses.
A single deceptive installer may quietly convert an ordinary home computer into infrastructure supporting criminal operations worldwide.
Because residential proxy malware often avoids obvious destructive behavior, victims may never notice anything unusual beyond occasional performance degradation or unexplained network activity.
This evolution demonstrates how cybercriminal organizations increasingly resemble legitimate technology companies, complete with marketing departments, customer acquisition strategies, branding campaigns, and monetization pipelines.
The distinction is that every component of the business relies upon compromising innocent users and selling unauthorized access to their internet connections.
What Undercode Say:
The Lurking Lizard campaign represents one of the clearest examples of cybercrime evolving into a mature business ecosystem rather than a traditional hacking operation.
What stands out is not merely the malware itself, but the operational discipline behind the campaign. Managing more than 230 domains requires planning, automation, infrastructure management, financial investment, and continuous maintenance.
The attackers understand psychology better than many legitimate marketers.
They
They manipulate search results.
They purchase trusted expired domains.
They clone reputable companies.
They create fake review websites.
They exploit brand familiarity.
This is social engineering operating at industrial scale.
Another remarkable aspect is persistence.
Many malware campaigns disappear after a few weeks.
This operation reportedly remained active for several years.
That suggests stable revenue.
Residential proxies have become valuable commodities within underground markets.
Instead of stealing data once, attackers continuously monetize every infected device.
The comparison with legitimate SaaS companies is difficult to ignore.
Victim acquisition resembles customer acquisition.
Botnet expansion resembles user growth.
Proxy subscriptions resemble recurring revenue.
Fake reviews resemble affiliate marketing.
Everything is organized like a commercial enterprise.
Defenders should also recognize that antivirus software alone cannot stop these attacks.
User education remains equally important.
Organizations should monitor outbound connections.
DNS filtering can block lookalike domains.
Application allow-listing reduces unauthorized installers.
Endpoint Detection and Response (EDR) solutions should monitor unexpected proxy services.
Network segmentation limits lateral movement.
Threat intelligence feeds can rapidly identify emerging infrastructure.
Browser protection mechanisms should warn users about suspicious domains.
Employees must verify official download sources before installing software.
Consumers should avoid downloading software from search advertisements without verification.
Developers should digitally sign applications.
Companies should actively monitor domain typosquatting targeting their brands.
Law enforcement agencies must continue dismantling malicious infrastructure before these networks grow further.
Residential proxy abuse will likely remain a significant cybersecurity challenge because the financial incentives remain extremely attractive.
Unless both technical defenses and user awareness improve together, similar operations will continue emerging under new names.
Deep Analysis
Understanding how campaigns like this operate can help defenders detect malicious activity before systems become part of a proxy botnet.
Verify official download sources
whois 7-zip.org dig 7-zip.org
Investigate suspicious domains
whois suspicious-domain.com nslookup suspicious-domain.com host suspicious-domain.com
Review active outbound network connections
netstat -tulnp ss -tunap lsof -i
Monitor unusual processes
ps aux top htop
Inspect DNS resolution
cat /etc/resolv.conf resolvectl status
Capture suspicious network traffic
tcpdump -i any
Detect unexpected persistence mechanisms
systemctl list-unit-files crontab -l
Review recently modified executable files
find / -type f -mtime -7 2>/dev/null
Check file integrity
sha256sum installer.exe
Verify executable signatures
signtool verify installer.exe
From a
✅ Researchers at Infoblox disclosed the Lurking Lizard operation and linked it to a large infrastructure of lookalike domains used for a malicious residential proxy business.
✅ The campaign reportedly distributed trojanized installers impersonating trusted software and proxy providers, while using fake review sites to attract victims and customers.
✅ Although technical indicators suggest a possible China-based origin, attribution in cyber investigations is inherently complex and should be treated as an assessment rather than definitive proof.
Prediction
(-1) Negative Prediction
Residential proxy botnets will continue expanding as cybercriminals increasingly favor long-term monetization over traditional malware campaigns.
More fake software portals and cloned VPN services are likely to appear, targeting users who download applications from unofficial sources.
Security vendors, browser developers, and domain registrars will strengthen detection of typosquatting and malicious proxy infrastructure, but attackers will continue adapting with new domains, branding, and distribution techniques.
▶️ Related Video (70% Match):
🕵️📝Let’s dive deep and fact‑check.
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
References:
Reported By: thehackernews.com
Extra Source Hub (Possible Sources for article):
https://www.linkedin.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube




