Full Report
Cybersecurity researchers have disclosed details of a new threat actor dubbed Lurking Lizard that has been operating an end-to-end malicious residential proxy business using an infrastructure comprising more than 230 lookalike domains. The activity dates back to at least August 2022, according to DNS threat intelligence firm Infoblox. Once such campaign, observed earlier this year, involved the
Analysis Summary
# Threat Actor: Lurking Lizard
## Attribution & Identity
* **Actor Identification:** Lurking Lizard (dubbed by Infoblox).
* **Origin:** Highly likely China-based, according to WHOIS analysis and infrastructure fingerprinting.
* **Known Associations:** Linked to the development and maintenance of the malicious residential proxy ecosystem previously associated with providers like IPIDEA.
* **Identified Firms:** WEILAI NETWORK TECHNOLOGY CO., LIMITED (U.K.-registered entity used as a front for mobile app distribution).
## Activity Summary
Lurking Lizard operates an end-to-end, illicit residential proxy business active since at least August 2022. Their operation follows a two-stage lifecycle: recruiting victim devices into a botnet via trojanized installers/apps, and then monetizing that bandwidth by selling it through fake or lookalike proxy service brands. Recent campaigns have leveraged trojanized 7-Zip installers and mobile VPN apps to grow their proxy pool.
## Tactics, Techniques & Procedures
* **Drop-Catching:** Acquiring expired domain names to inherit their historical search engine ranking and legitimacy.
* **Lookalike Domains (Typosquatting):** Exploiting common misspellings or unofficial domains (e.g., using `7zip[.]com` instead of the official `7-zip[.]org`).
* **Malicious Search Optimization:** Using "independent" proxy review sites and tutorial content to drive traffic to their own malicious storefronts and installers.
* **Social Engineering:** Impersonating legitimate brands and major proxy providers to deceive users into downloading software.
* **Supply Chain Impersonation:** Distributing trojanized versions of popular software (7-Zip, WhatsApp).
* **Multi-Platform Targetting:** Utilizing desktop installers and mobile application stores (Google Play) to recruit nodes.
## Targeting
* **Sectors:** Primarily targeting individual home users (Residential) to build a "residential proxy" network.
* **Geography:** Global distribution, with specific links to China-based infrastructure and a U.K.-registered front company.
* **Victims:** General internet users seeking 7-Zip, WhatsApp, TikTok/YouTube downloaders, or VPN services.
## Tools & Infrastructure
* **Malware:** Trojanized installers (7-Zip, WhatsApp, WireVPN) and malicious Android applications.
* **Monitoring/Tracking:** Use of IPLogger URLs for campaign tracking.
* **Infrastructure:**
* Over 230 lookalike domains.
* `7zip[.]com` (Fake installer host).
* `iplogger[.]com/mnWD` (Tracking URL).
* `SmartProxy[.]org` (Lookalike brand/storefront).
* Impersonation of: IPIDEA, IP Royal, 911Proxy, Decodo.
* Mobile App: "wirevpn - Fast Unlimited Proxy" (com.wirevpn.freevpn).
## Implications
Lurking Lizard represents a sophisticated "Cybercrime-as-a-Service" (CaaS) model. By turning consumer devices into residential proxy nodes, they provide cover for other threat actors to conduct credential stuffing, web scraping, and DDoS attacks while appearing to be legitimate residential traffic. Their ability to manage the entire lifecycle—from malware development to marketing via fake review sites—demonstrates a highly professionalized criminal operation.
## Mitigations
* **Source Verification:** Always download software from official developer websites (e.g., `7-zip.org` rather than `.com`).
* **DNS Filtering:** Block known lookalike domains and domains associated with "drop-catching" or illicit proxy marketing.
* **Endpoint Protection:** Use EDR/AV solutions to detect unauthorized proxy software or unexpected outbound traffic patterns (SOCKS5/proxy protocols).
* **Mobile Security:** Inspect Android applications for unexpected background data usage and avoid third-party or unverified VPN providers.
* **Corporate Awareness:** Educate employees on the risks of "free" VPNs and unofficial software installers that can turn company hardware into botnet nodes.