At a Glance
- Actor or Group: Lurking Lizard (suspected Chinese origin)
- Activity Type: Malware distribution, Proxyware, Botnet creation
- Targets or Victims: Windows and mobile device users seeking utility software
- Scale: Actor claims ~2 million active nodes
- Jurisdiction or Law-Enforcement Status: Unconfirmed; private research disclosure
- Source: Infoblox Threat Intel
TL;DR
A threat actor tracked as Lurking Lizard is allegedly tricking users into downloading fake software to build a massive proxy botnet. The group hides malicious proxyware inside installers for popular tools like 7-Zip and WireVPN. This scheme allows them to rent out victims’ bandwidth to third parties without any clear consent.
What Happened
In early 2026, security researchers discovered a fake version of the 7-Zip archive utility. This discovery quickly exposed a massive malicious proxy network. The threat actor uses lookalike domains to distribute trojanized software. Victims download what they assume are normal applications. Consequently, they silently install proxyware onto their devices.
The group utilizes misspelled domains like 7zip[.]com to fool visitors. They also impersonate VPN services and virtual phone number providers. Once infected, a victim’s computer immediately joins a massive pool of residential proxies. The actor then rents out this network access. Customers ultimately buy this bandwidth for activities ranging from AI scraping to cybercrime.
According to the report, “The threat actor uses trojanized software to recruit victim machines as residential proxy nodes, providing just enough functionality to appear legitimate and keep users from uninstalling it.” Researchers from Infoblox detailed this ongoing operation in a recent threat intelligence report.
Drop-Catching Domains
Lurking Lizard relies heavily on a technique called drop-catching. They specifically acquire expired domains with established internet histories. For instance, users mistakenly linked the incorrect 7-Zip website in technical forums for over a decade. The attackers bought this exact domain to inherit its existing search engine trust.
Analysts also located a hardcoded IPLogger URL inside the malware files. This tool functions as a hidden telemetry beacon. Therefore, it allows the attackers to track victim IP addresses, device types, and geographic locations. This specific clue connected older malware samples directly to the modern campaign.
Who is Behind It
Security analysts track the responsible operator under the name Lurking Lizard. Technical evidence heavily suggests the actor operates from China. WHOIS registration records revealed names like “Cheng Li” tied to multiple malicious domains. Furthermore, a phone number linked to the core infrastructure uses a Wuhan area code.
The actor currently maintains a vast portfolio of over 230 registered domains. They do not merely infect random devices. They also run fake review websites like proxyreviews[.]org to promote their own illegal businesses. The overarching operation spans multiple years. Indeed, infrastructure records date the activity back to at least August 2022.
Impact or Scale
The overall scale of this malicious proxy network is enormous. Lurking Lizard publicly claims to control roughly two million active IPv4 addresses. They monetize this vast network through spoofed proxy service brands. For example, they currently operate smartproxy[.]org to mimic a totally separate, legitimate company.
The primary source states, “This blog tells the story of a bad actor who operates an end-to-end malicious proxy business grounded in a collection of clever lookalike domains.”
Mobile applications further expand their operational reach. An Android app named WireVPN currently boasts over one million downloads on the Google Play store. While those numbers remain unverified, they certainly indicate a broad infection pool. Victims unknowingly pay the ultimate price. Their personal internet bandwidth is hijacked and sold to anonymous buyers.

Unusual Network Traffic
Network traffic analysis proves the WireVPN application acts highly suspiciously. Upon launch, the software sends ping requests to numerous globally distributed IP addresses. It does not ever create a standard secure tunnel. Instead, it establishes multiple concurrent connections across various actor-controlled internet hosts.
This distinct behavior strongly confirms the application functions as a proxy node. It actively routes external internet traffic straight through the victim’s home IP address. This residential proxy ecosystem mimics legitimate businesses while hiding its true nature.
What Comes Next
Lurking Lizard regularly updates and evolves its primary tactics. They are actively using the WireVPN brand right now to lure new victims. To stay protected, internet users must diligently verify all software sources. Always download applications exclusively from official developer websites.
You should check domain names carefully for very subtle typos. Use reliable security software to scan all new downloads before opening them. Network administrators must monitor internal systems for unusual ICMP requests or unexpected traffic routing patterns. Security awareness truly remains the absolute best defense against this specific threat.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.