The Hidden Proxy Empire: How “Lurking Lizard” Turned Millions of Devices Into a Cybercrime Marketplace

Listen to this Post

Featured ImageIntroduction: The Silent Rise of Malicious Residential Proxy Networks

The internet’s underground economy continues to evolve, and cybercriminals are increasingly finding ways to transform ordinary devices into valuable digital assets. From smartphones and home computers to smart appliances, everyday technology has become a target for attackers seeking to build massive residential proxy networks.

A recent investigation uncovered a sophisticated threat actor known as “Lurking Lizard”, which appears to operate a complete cybercrime business model built around secretly hijacking user devices and selling their internet connections to third parties. Instead of providing legitimate privacy services or network routing, the operation allegedly turns infected machines into proxy nodes that can be rented by criminals, fraudsters, and other malicious actors.

The discovery reveals a troubling trend: cybercriminal groups are no longer focused only on stealing data or deploying ransomware. Some are building entire underground businesses where compromised devices become commercial products in a hidden marketplace.

Lurking Lizard: The Threat Actor Behind a Global Proxy Operation

A Malware Campaign Disguised as Popular Software

The investigation into Lurking Lizard began in early 2026 after researchers discovered a malicious campaign pretending to distribute the popular archive utility 7-Zip.

Attackers created a fake website using the domain 7zip[.]com, designed to exploit common user mistakes when searching for the legitimate software. The domain was not randomly selected. It was a “drop-catch” domain that benefited from years of accidental traffic generated by users typing incorrect URLs or searching for unofficial downloads.

This allowed the attackers to create an illusion of legitimacy. Users looking for a familiar tool unknowingly downloaded a modified installer that secretly transformed their computers into proxy servers controlled by criminals.

The victims believed they were installing a harmless application, but behind the scenes their devices became part of a large residential proxy infrastructure.

From Simple Malware to a Full Underground Business Model

The Discovery of a Larger Cybercrime Ecosystem

At first, security researchers believed the fake 7-Zip campaign was an isolated malware distribution event. However, deeper investigation revealed that the operation was much older and significantly more organized.

Infrastructure analysis connected the campaign to activity dating back to August 2022. Researchers discovered repeated patterns across domains, malware samples, and backend systems that indicated a single coordinated operator.

The investigation relied on multiple technical clues, including:

Domain registration records.

Shared developer identities.

Hardcoded malware configuration data.

Similar API structures.

Identical server directories.

Reused tracking mechanisms.

Together, these indicators exposed a sophisticated operation designed not only to infect users but also to monetize their compromised internet connections.

Fake Applications Used as a Gateway Into the Proxy Network

The Role of Malicious Proxyware

The core strategy behind Lurking Lizard’s operation involves distributing applications that appear legitimate while secretly installing proxy software.

Once installed, the malware quietly connects infected devices to a centralized network. The attacker can then sell access to these residential IP addresses, allowing customers to route their internet traffic through real consumer devices.

Residential proxies are valuable because websites often trust them more than traditional hosting-provider IP addresses. Criminal groups use residential proxy networks for activities such as:

Account creation abuse.

Automated scraping.

Advertising fraud.

Credential attacks.

Avoiding geographic restrictions.

Hiding malicious activity.

The stolen bandwidth becomes a profitable commodity in underground markets.

Impersonating Legitimate Proxy Providers

Building Fake Brands to Attract Customers

Lurking Lizard’s operation reportedly went beyond malware distribution. Researchers found evidence that the group created convincing fake proxy service websites designed to imitate legitimate providers.

The attackers reportedly controlled lookalike domains resembling well-known proxy companies, including fake versions of websites associated with proxy services.

The strategy was highly effective because it created an entire supply chain:

Infect ordinary users’ devices.

Collect residential IP addresses.

Build a proxy network.

Advertise access through fake storefronts.

Sell the network to customers.

This represents a mature cybercrime business model where attackers control both the supply and demand sides of the market.

WireVPN: The New Face of the Campaign

A Legitimate-Looking Application With Hidden Risks

According to security researchers, one of the main distribution methods used by Lurking Lizard has evolved into an application called WireVPN.

Unlike traditional malware that spreads through obvious malicious files, WireVPN appears designed to look like a normal consumer privacy application.

The danger comes from its hidden behavior. Researchers identified similarities between WireVPN and previous malware campaigns, including:

Similar installation structures.

Shared persistence methods.

Common backend infrastructure.

Related developer attribution.

The Android version gained significant attention because it reached a large audience through official mobile distribution channels. Reports indicate that the application accumulated more than one million downloads, potentially exposing a large number of users.

A New Era of Cybercrime: Malware as a Service

The Industrialization of Digital Abuse

Lurking Lizard represents a broader shift in cybercrime. Attackers are increasingly adopting business strategies normally associated with legitimate technology companies.

Instead of simply infecting machines for personal use, modern threat actors create scalable platforms.

The underground model now includes:

Malware developers.

Infrastructure operators.

Proxy sellers.

Affiliate distributors.

Customers purchasing access.

This resembles a technology startup ecosystem, except the product is stolen digital resources.

The growth of residential proxy abuse shows how cybercriminals continuously search for new ways to monetize compromised systems.

Deep Analysis: Technical Breakdown and Security Commands

Understanding the Attack Infrastructure

Security teams analyzing similar threats should focus on identifying unusual proxy-related activity and unauthorized network sharing.

Recommended Investigation Commands:

Check suspicious active network connections
netstat -ano

Identify unknown processes

tasklist /svc

Review installed applications

wmic product get name,version

Check startup persistence locations

reg query HKCUSoftwareMicrosoftWindowsCurrentVersionRun

Analyze DNS activity

nslookup suspicious-domain.com

Review active connections by process

netstat -abno
Defensive Analysis Steps:

Monitor unexpected outbound proxy traffic.

Detect applications requesting excessive bandwidth access.

Investigate unknown VPN or networking applications.

Block suspicious domains associated with fake software distribution.

Verify software downloads through official sources only.

Use endpoint detection systems capable of identifying persistence mechanisms.

The Lurking Lizard campaign demonstrates that proxy malware is no longer a simple infection method. It is part of a larger ecosystem involving deception, infrastructure management, and monetization.

What Undercode Say:

Cybercrime has entered a new phase where compromised devices are becoming digital resources traded in underground markets.

The Lurking Lizard operation highlights how attackers are moving beyond traditional malware objectives.

The goal is not always stealing passwords or encrypting files.

Sometimes the victim’s device itself becomes the product.

Residential IP addresses have become extremely valuable because they allow attackers to appear like normal internet users.

This makes malicious proxy networks attractive for fraud operations, automated abuse, and online manipulation.

The most concerning element of this campaign is the professional structure behind it.

The attackers appear to operate like a legitimate technology company, managing domains, applications, marketing channels, and customer relationships.

The use of fake software websites shows how powerful brand imitation has become.

Many users trust familiar names without verifying the source.

A simple typing mistake or search result click can now expose an entire computer to a criminal network.

The WireVPN distribution method demonstrates another important trend.

Attackers are increasingly targeting official-looking platforms because trust is the strongest weapon in social engineering.

A malicious application available through a popular marketplace can reach millions faster than traditional malware campaigns.

Security researchers and technology companies must improve detection of applications that abuse network resources.

Traditional antivirus solutions may not always identify these threats because the software can appear functional.

The future of cybersecurity will require stronger behavioral monitoring.

Organizations should focus on what applications do, not only what they look like.

Residential proxy abuse also creates challenges for internet companies.

A malicious user may appear to come from a real household connection, making detection more difficult.

This creates a constant battle between attackers searching for anonymity and defenders trying to identify abuse.

The Lurking Lizard case proves that cybercrime has become highly commercialized.

The underground economy now includes supply chains, branding strategies, and customer acquisition methods.

Every connected device represents potential value to attackers.

The responsibility for protection must involve users, developers, marketplaces, and security companies together.

✅ Confirmed: Security researchers have documented malicious proxyware campaigns that secretly use infected devices to create residential proxy networks.

✅ Confirmed: Fake software installers and impersonation campaigns are common methods used by cybercriminal groups to distribute malware.

❌ Unconfirmed: Some specific attribution details, including the exact identity and location of the operators behind Lurking Lizard, require additional independent verification.

Prediction

(-1) The abuse of residential proxy networks will likely increase as cybercriminals discover more profitable ways to monetize compromised devices.

(+1) Security companies will improve detection methods by focusing on behavioral analysis, helping reduce the impact of malicious proxy applications.

(-1) Mobile platforms may become a larger target because attackers can reach millions of users through trusted application ecosystems.

(+1) Greater user awareness about downloading software only from official sources will reduce successful fake installer campaigns.

(-1) Underground proxy markets will continue evolving into professional cybercrime businesses with stronger automation and global reach.

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.linkedin.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube