Lurking Lizard Group Hijacks User Devices for Proxy Network

Dominic Jainy stands at the intersection of emerging technology and cybersecurity, bringing years of hands-on experience with artificial intelligence and distributed systems to the table. As an IT professional who has watched the evolution of blockchain and machine learning, he possesses a keen eye for how decentralized networks can be co-opted by malicious actors. In this conversation, we dive into the sophisticated tactics of a threat group known as Lurking Lizard, exploring how they turned a simple file utility into a global proxy engine. We will explore the mechanics of domain reputation hijacking, the transition from desktop software to massive mobile app store infections, and the specific technical breadcrumbs that allowed researchers to map out an infrastructure consisting of hundreds of fraudulent sites.

The “Lurking Lizard” operation famously utilized a technique known as drop-catching to hijack the reputation of the 7-zip[.]com domain. Could you walk us through how this specific tactic bypasses traditional security intuition and why it was so effective in this campaign?

The brilliance, or rather the deviousness, of drop-catching lies in its ability to exploit the “memory” of the internet. When Lurking Lizard snatched up 7zip[.]com, they weren’t just buying a name; they were inheriting years of accidental credibility from online forums where users had mistakenly linked to that domain instead of the official 7-zip[.]org. This created a sense of misplaced trust that is incredibly difficult for the average user to spot, as the domain had a pre-existing search engine reputation that felt legitimate. By the time researchers caught on in early 2026, the group had already been operational since at least August 2022, proving that this wasn’t a fly-by-night scam but a calculated, long-term investment. It is a chilling realization that some of the domains tied to this actor were registered as far back as 2004, showing a level of patience and strategic planning that most hackers lack. When a user lands on a site that has been referenced for a decade, their guard naturally drops, making them the perfect target for a fake installer that looks and feels exactly like the real thing.

Once a victim inadvertently installs this modified software, their machine becomes part of a residential proxy network. From a technical and performance standpoint, what does this actually look like for the user, and how does the malware hide its activities?

On the surface, everything might seem normal, but underneath the hood, the malware is essentially auctioning off your home’s internet connection to the highest bidder. The software quietly installs a proxy manager that rents out your bandwidth, turning your personal computer into an exit point for someone else’s web traffic. In the case of their mobile evolution, WireVPN, the app was observed pinging a massive number of unrelated IP addresses and holding multiple simultaneous connections open. This type of high-volume network chatter is a dead giveaway for proxy activity, yet it is often masked by the app’s purported function of “protecting” the user. It creates a heavy toll on the device’s resources, often leading to slower speeds and mysterious data usage spikes that the victim can’t quite explain. The most insidious part is that the malware creators even used valid-looking code signing certificates from registered companies to ensure that the operating system wouldn’t throw up any red flags during the initial installation.

Researchers identified over 230 domains linked to this single actor. What were the specific technical artifacts or “smoking guns” that allowed them to connect such a massive, seemingly unrelated network of fake VPNs and download tools?

Unmasking an operation of this scale requires finding a single thread and pulling on it until the whole tapestry unravels, and in this case, the smoking gun was a hardcoded IPLogger tracking link. This specific telemetry beacon was buried deep within the malware samples, serving as a digital fingerprint that tied the 7-Zip campaign to other lures like YouTube and TikTok downloaders. Once Infoblox analysts had that link, they began seeing the same patterns everywhere: shared WHOIS registrant names, matching tracker codes, and backend server structures that were virtually identical across dozens of domains. It wasn’t just a few sites; they found 230 domains that formed a comprehensive, end-to-end proxy business. They even found that the actors were running their own fake independent proxy review sites, like proxyreviews[.]org, to funnel even more unsuspecting users into their ecosystem. All signs point to a highly organized operation based in China, given the recurring registration details and backend API structures like api.betflixfree[.]net and api.wirevpn[.]app.

The group eventually pivoted from desktop software to mobile platforms with an app called WireVPN, which managed to rack up over a million downloads on Google Play alone. How does this shift change the threat landscape for residential proxy networks?

The shift to mobile represents a massive escalation in the “Lurking Lizard” strategy because it taps into a user base that is often less skeptical than desktop power users. With over one million downloads on Android, WireVPN provided the attackers with a massive, geographically diverse pool of residential IP addresses that are highly prized by those looking to bypass geo-blocks or scrape data. Unlike a desktop computer that might be turned off at night, a smartphone is almost always on and connected, providing a more consistent and reliable proxy node for the group’s paying customers. Testing showed that WireVPN wasn’t even acting like a real VPN; it was simply a front to facilitate traffic forwarding, using benign-looking hosts like abc.breakoursilence[.]com to hide its true purpose. This move into the official Apple and Google app stores shows that these actors are capable of bypassing the initial automated vetting processes of even the biggest tech giants. It forces us to rethink our definition of a “safe” app, because even if a program functions as advertised, it could be doing something far more predatory in the background.

What is your forecast for the evolution of these residential proxy businesses and the tactics used by groups like Lurking Lizard?

I believe we are entering an era where the monetization of “digital exhaust”—your bandwidth, your processing power, and your IP reputation—will become the primary goal for mid-tier cybercriminal syndicates. We will likely see these actors move away from obvious malware and toward “grayware” that hides in plain sight within popular open-source tools or “free” utilities that people use every day. As security teams get better at tracking IPLogger links and WHOIS data, I expect these groups to use AI to generate thousands of unique, slightly mutated installers and domains to make pattern recognition nearly impossible. The “Lurking Lizard” model of rebranding and resurfacing under new names like WireVPN after being exposed will become the standard operating procedure for these global proxy storefronts. Users will need to become much more forensic about their software choices, looking past the “one million downloads” badge and investigating the actual network behavior of their apps, or they risk becoming an unwitting cog in a massive criminal infrastructure.

Explore more

Can the iQOO Z11 Lite Disrupt the Budget 5G Market?

The rapid evolution of mobile connectivity has reached a pivotal juncture where consumers no longer have to sacrifice performance for affordability in the competitive Indian smartphone landscape. As 5G infrastructure expands across urban and rural corridors, the demand for entry-level devices that offer premium-feeling features has surged exponentially. Into this environment steps the iQOO Z11 Lite, a device that promises

Trend Analysis: Private 5G Enterprise Networks

Traditional public cellular infrastructures are increasingly failing to meet the rigorous demands of heavy industry, prompting a massive migration toward dedicated, high-performance private corridors. As the smart factory transitions from a conceptual blueprint into a high-speed operational reality, the demand for ultra-reliable communication has never been more acute. In an environment where data sovereignty and ultra-low latency are considered non-negotiable

CrowdStrike Identifies New AI Prompt Injection Tactics

Dominic Jainy is a seasoned IT professional whose expertise spans the intricate realms of artificial intelligence, machine learning, and the decentralized security of blockchain. With a career dedicated to exploring how these transformative technologies can be safely integrated into the corporate world, Jainy offers a rare perspective on the emerging vulnerabilities of autonomous systems. In this discussion, we delve into

Will Apple Use Blacklisted Chinese Chips for iPhone 18?

Introduction The delicate dance between maintaining premium hardware margins and navigating the increasingly volatile landscape of international trade restrictions has forced tech giants to rethink their entire supply chain structures. As the industry prepares for the next generation of mobile devices, specific discussions have emerged regarding a potential shift in how critical memory components are sourced for the upcoming flagship

Multiple Payment Options vs. Payment Friction: A Comparative Analysis

The ability to secure timely payments acts as the ultimate lifeblood for any growing enterprise, yet many organizations inadvertently throttle their own growth by maintaining outdated, high-friction collection processes. While a business may deliver exceptional value and maintain strong client relationships, the physical and digital obstacles placed between an invoice and its settlement can create devastating bottlenecks in liquidity. When