Lurking Lizard: The Hidden Criminal Network Turning Fake Software Into a Global Residential Proxy Empire + Video

Listen to this Post

Featured ImageIntroduction: When a Trusted Download Becomes a Gateway for Cybercrime

The internet has created a strange new battlefield where criminals no longer need to break through heavily protected systems. Sometimes, they simply wait for users to invite them in.

A fake download page, a familiar software name, and a convincing application interface can be enough to transform ordinary computers into tools for criminal profit. The Lurking Lizard operation uncovered by threat researchers shows how modern cybercriminal groups are evolving beyond traditional malware attacks. They are building entire businesses around compromised devices, fake brands, fraudulent reviews, and underground proxy markets.

What makes this campaign especially dangerous is not only the malware itself, but the industrial-scale ecosystem behind it. Victims are not just infected. Their devices become invisible infrastructure powering a global network of unauthorized residential proxies.

The Discovery of a Hidden Proxy Criminal Business
A Fake 7-Zip Download Reveals Something Much Bigger

The investigation began when researchers from Infoblox discovered a fake version of the popular archive utility 7-Zip being distributed through the fraudulent website 7zip[.]com, designed to look like the legitimate project hosted at 7-zip[.]org.

At first glance, it appeared to be another malware distribution campaign. However, deeper analysis revealed something far more organized.

The attackers were not simply trying to steal passwords, install ransomware, or spy on users. They were building a criminal residential proxy network by secretly converting infected devices into proxy nodes.

The operation was named Lurking Lizard, representing a threat actor that remained hidden while quietly expanding its infrastructure over several years.

How Residential Proxy Networks Become a Cybercrime Weapon

Turning Victims Into Invisible Internet Gateways

Residential proxies are a legitimate technology used by companies for market research, advertising verification, cybersecurity testing, and other business purposes.

The basic idea is simple. A device connected to the internet can act as a gateway. Traffic from another user passes through that device, making it appear as if it originated from the device owner’s IP address.

However, legitimate residential proxy services require consent.

Lurking Lizard removed that critical requirement.

Instead of asking users to participate, the group secretly installed software that transformed personal computers and mobile devices into proxy nodes. The victims unknowingly provided the internet connections that criminals could later rent to customers.

This created a complete underground business model:

Infect devices.

Build a residential IP pool.

Sell access through fake or manipulated services.

Promote those services using fake review websites.

Continue expanding through new software disguises.

The victims became the supply chain.

More Than 230 Domains Built Around One Criminal Ecosystem

A Massive Infrastructure Network Hidden Behind Fake Brands

Infoblox researchers mapped more than 230 domains connected to Lurking Lizard.

The infrastructure was not random. It was carefully organized into different layers.

Some domains impersonated legitimate software applications, including:

Fake 7-Zip websites.

Fake VPN services.

Fake downloading tools.

Fake mobile applications.

Other domains copied legitimate proxy companies, including names associated with:

IPIDEA.

SmartProxy.

IP Royal.

911Proxy.

The attackers also created fake review websites that appeared to compare proxy providers.

These websites gave the illusion of independent recommendations, but researchers found they were controlled by the same group operating the proxy services.

The criminals essentially created their own advertising network to promote their own stolen infrastructure.

The Smartproxy Impersonation That Fooled Researchers

A Convincing Fake Brand With a Real Business Model

One of the strongest examples involved a domain pretending to be Smartproxy.

The fake website, smartproxy[.]org, claimed to provide affordable access to more than 100 million residential IP addresses.

The problem was that it was not connected to the legitimate Smartproxy business.

The real company operates through the official domain smartproxy[.]com. The fake version was designed to capture users searching for proxy services and redirect them into Lurking Lizard’s ecosystem.

The impersonation was so convincing that even security researchers initially needed additional investigation to identify the deception.

This demonstrates a growing problem in cybersecurity: attackers are no longer only copying software. They are copying entire companies.

The IPLogger Connection: A Small Clue Exposes Years of Activity

Malware Tracking Through a Legitimate Service

One of the most valuable discoveries came from examining hardcoded URLs inside the malware.

Researchers found repeated references to an IPLogger tracking link:

hxxps://iplogger[.]com/mnWD

The same identifier appeared across multiple malware campaigns over several years.

The connection linked together:

Fake 7-Zip installers.

Fake TikTok download tools.

Fake YouTube download tools.

Earlier WireVPN samples.

Newer WireVPN versions.

Instead of building their own tracking infrastructure, the attackers abused a legitimate visitor-tracking service.

This technique reduced operational costs and helped the criminals monitor infections while blending into normal internet activity.

From Fake 7-Zip Malware to WireVPN

The Criminal Operation Rebrands Itself

The most important discovery was that the 7-Zip campaign did not disappear.

It evolved.

The attackers transitioned into a new brand called WireVPN.

At first glance, WireVPN appeared to be a normal VPN application with:

A professional website.

Windows software.

macOS software.

Android and iOS applications.

App store listings.

The Android version reportedly gained more than one million downloads and accumulated over 34,000 reviews.

To ordinary users, it looked like a successful VPN product.

But researchers found behavior inconsistent with legitimate privacy software.

Deep Analysis: Detecting Suspicious Proxy Malware Activity

Investigating Unknown VPN Applications

Security researchers can examine suspicious applications by analyzing network activity, installed files, and system behavior.

Example commands:

Check running processes on Windows
tasklist

Find suspicious network connections

netstat -ano

Check active listening ports

netstat -ab

Review DNS activity on Linux

sudo tcpdump -i any port 53

Search suspicious files

find / -name "wire.exe" 2>/dev/null

Monitoring Unexpected Network Behavior

A normal VPN usually creates a secure tunnel to a selected server.

Suspicious proxy software often behaves differently.

Example:

Monitor active connections
ss -tunap

Inspect outbound traffic

tcpdump -i eth0

Check remote destinations

lsof -i -P -n

Researchers can look for:

Hundreds of outbound connections.

Connections to unrelated IP addresses.

Constant background traffic.

Unknown proxy communication.

Malware File Investigation

The Lurking Lizard samples used similar file structures.

Earlier malware:

C:WindowsSysWOW64herohero.exe

C:WindowsSysWOW64herouphero.exe

WireVPN versions:

C:WindowsSysWOW64wirewire.exe

C:WindowsSysWOW64wireupwire.exe

Security analysts can compare:

sha256sum suspicious_file.exe

strings suspicious_file.exe

objdump -x suspicious_file.exe

These techniques help identify relationships between different malware generations.

The Code Signing Problem: Malware Can Look Legitimate

Valid Certificates Create False Trust

One of the most concerning aspects of WireVPN was the use of a valid code signing certificate.

The Windows samples were signed using a certificate issued to:

WEILAI NETWORK TECHNOLOGY CO., LIMITED.

Code signing certificates are designed to help users trust software.

However, attackers increasingly abuse legitimate certificates or obtain certificates through companies that appear legitimate.

A signed application is not automatically safe.

The question is no longer only:

“Is this application signed?”

The better question is:

“Does this application behave like it should?”

Why WireVPN Did Not Behave Like a Real VPN
A Privacy Tool That Looks Like a Proxy Network

Infoblox researchers analyzed WireVPN’s network behavior and discovered activity inconsistent with normal VPN applications.

A typical VPN:

Creates one encrypted connection.

Connects to selected servers.

Routes user traffic through controlled infrastructure.

WireVPN behaved differently.

It contacted many globally distributed IP addresses shortly after launch.

The application appeared to build a pool of available nodes rather than establishing a normal VPN tunnel.

This suggests the software was designed to provide exit points for third-party traffic.

In simple terms:

Someone else could use your internet connection without you knowing.

The Money Machine Behind Lurking Lizard

How Compromised Devices Became a Profitable Product

The criminal economy behind this operation follows a sophisticated supply chain.

The process works like this:

Users download fake software.

Malware silently installs proxy components.

Devices become residential proxy nodes.

Proxy marketplaces purchase access.

Fake websites promote services.

Criminal customers rent the network.

The attackers created both the product and the marketing system.

They controlled:

Infection methods.

Proxy infrastructure.

Fake brands.

Review websites.

Customer acquisition channels.

This is closer to a cybercrime corporation than a traditional malware campaign.

The China Connection and Registration Evidence

Following Digital Footprints Through Domain Data

WHOIS registration records connected several domains to names associated with China.

Researchers identified names including:

Cheng Li.

Li Hao Cheng.

Li Cheng Liang.

Zhang Cheng Li.

A registration phone number appeared connected to Wuhan, China, although researchers warned that registration information can be manipulated.

Attribution remains complicated because cybercriminals frequently use fake identities, stolen information, and intermediary services.

However, the infrastructure connections strongly suggest that the domains belong to one coordinated operation.

What Undercode Say:

The Rise of Cybercrime as a Subscription Business

Lurking Lizard represents a major evolution in cybercrime.

Attackers are no longer satisfied with one-time infections.

They are building permanent revenue streams.

The victim device becomes an asset.

The malware becomes a business tool.

The fake website becomes a sales platform.

The fake reviews become marketing.

The entire operation resembles a legitimate technology company, except the foundation is stolen consent.

Residential proxy abuse is especially dangerous because it hides criminal activity behind ordinary people’s internet connections.

A fraudster performing attacks through your IP address can make investigators believe you were involved.

This creates legal and privacy risks for victims.

The fake VPN trend is becoming increasingly dangerous.

Many users trust applications because they appear professional.

A clean interface does not mean clean intentions.

The security industry must focus more on behavior analysis instead of appearance.

A signed application can still be malicious.

A popular application can still be harmful.

A million downloads can still represent a security problem.

The biggest lesson from Lurking Lizard is that cybercrime is becoming industrialized.

Attackers are creating ecosystems.

They are building supply chains.

They are optimizing customer acquisition.

They are creating fake competition inside their own markets.

Traditional antivirus detection may miss these campaigns because the malware is designed to appear useful.

The future of cybersecurity will require stronger verification of software origins.

Users should avoid downloading applications from search advertisements, unofficial domains, and unknown marketplaces.

Security teams should monitor unusual outbound traffic patterns.

Organizations should treat unauthorized proxy behavior as a serious incident.

The internet economy depends on trust.

Operations like Lurking Lizard attack that trust at its foundation.

✅ Confirmed: Infoblox researchers documented the Lurking Lizard operation, connecting fake software campaigns with residential proxy abuse infrastructure.

✅ Confirmed: The investigation identified more than 230 related domains and linked older fake software campaigns with WireVPN activity.

✅ Confirmed: Security analysis showed WireVPN behavior differed from normal VPN software, indicating possible residential proxy functionality rather than privacy protection.

Prediction

(+1) Cybersecurity companies will increasingly develop tools that analyze application behavior instead of relying only on signatures and reputation scores.

(+1) Software verification systems and trusted download ecosystems will become more important as criminals continue creating realistic fake applications.

(-1) Criminal groups will likely continue abusing VPN branding, AI-generated websites, and fake reviews because these methods are inexpensive and highly effective.

(-1) Residential proxy abuse will become a larger threat as attackers search for ways to hide malicious activity behind innocent users’ internet connections.

(+1) Public awareness about downloading software only from official sources will improve as more large-scale campaigns are exposed.

▶️ Related Video (78% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: securityaffairs.com
Extra Source Hub (Possible Sources for article):
https://www.reddit.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube