Technology
Jul 8, 2026


The compromise usually looks small at first. A person searches for a familiar piece of software, clicks the top result, and installs what they believe is the real thing. In the case documented by Infoblox Threat Intel, that small decision quietly enrolled the victim's device into a global network that rents out its bandwidth to strangers. The installer looked like 7-Zip, the widely used file compression tool. It was not. And the operation behind it turned out to be far larger than a single fake download.
[For more news, click here]
Infoblox researchers, working from an office in Dubai, traced the campaign back through years of infrastructure to a threat actor the company now tracks as Lurking Lizard, connecting it to more than 230 domains used to infect devices, operate proxy infrastructure, impersonate established proxy providers, and market the resulting access. The finding reframes what looked like an isolated malware story into something closer to a functioning business, one with acquisition, distribution, and monetization arms that mirror a legitimate company's org chart.
Residential proxies let a customer route internet traffic through someone else's home connection, a service with legitimate uses in market research and ad verification but one increasingly exploited to mask fraud, scraping, and account takeover attempts. Legitimate proxy providers typically build their networks through affiliate programs that pay app developers to bundle bandwidth-sharing code. Infoblox's research shows Lurking Lizard achieving the same result without consent, using trojanized software instead of a paid partnership.
“What matters here is not one fake installer, but the business model behind it,” said Dr. Renée Burton, VP of Infoblox Threat Intel. “When criminal services can scale by borrowing trust from consumer software, app stores and review sites, the risk moves beyond the security team. It becomes an operations, fraud and brand issue for every company online.”
What distinguishes this operation from a typical malware campaign is how deliberately it manufactures legitimacy. Researchers found that the actor acquired expired domains through a technique called drop-catching, picking up addresses with years of accumulated search history so a malicious installer would appear as trustworthy as the software it copied. They also found lookalike domains built to impersonate established proxy brands, alongside review sites designed to look independent while quietly steering traffic back to the actor's own storefronts.
That layered approach helps explain why the operation went undetected for as long as it did. A single trojanized installer draws scrutiny once discovered. A network of aged domains, familiar branding, and seemingly organic reviews is built precisely to avoid that scrutiny in the first place.
Infoblox's team pieced the operation together through domain registration data and a tracking link embedded in the malware's code, connecting campaigns that on the surface looked unrelated, including tools posing as video downloaders and, more recently, installers branded as a VPN called WireVPN. Registration records pointed to a cluster of variant names built around Cheng Li, alongside a contact number whose country and area code trace to Wuhan, China, if accurate. Outside researchers have separately linked infrastructure connected to the actor to IPIDEA, a major Chinese proxy provider that was targeted by a coordinated industry and law enforcement action earlier this year.
That connection points to a pattern seen elsewhere in the proxy market this year. Even after IPIDEA's disruption, smaller resellers built on top of similar compromised device pools have continued operating largely unaffected, illustrating how difficult it remains to dismantle this corner of the internet's shadow economy once it takes root.
The WireVPN-branded applications tied to the operation are not confined to obscure corners of the web. They carry listings on both the Apple App Store and Google Play, with the Android version alone reporting more than a million downloads. Infoblox's traffic analysis found the app behaving less like a conventional VPN and more like an exit node for someone else's traffic, meaning a user who installed it in search of privacy may instead have handed their connection to a stranger.
That reach matters most for the audiences who rely on mainstream app marketplaces to vet what they install, a group that includes millions of everyday users across North America searching for free VPN and download tools. It also carries weight for fast-digitizing markets across the Gulf, where consumer trust in app stores and familiar software brands underpins a rapidly expanding online economy, and where regulators and enterprises alike have been pushing to close exactly the kind of visibility gap this research exposes.
The researchers also identified consistent technical fingerprints running underneath the different brands, including shared subdomain naming conventions, matching directory structures, and nearly identical application programming interfaces across services that presented themselves publicly as unrelated. That kind of engineering consistency is difficult to fake and hard to dismiss as coincidence, which is part of why Infoblox describes the discovery as evidence of one coordinated ecosystem rather than a string of independent campaigns.
Infoblox's researchers describe the pattern as a near match for tactics long seen in malicious online advertising, where scale comes from borrowing the credibility of trusted platforms rather than building new deception from scratch. That framing is what elevates this from a narrow malware story to a broader one. Multiple proxy provider disruptions have already taken place this year, yet operations like Lurking Lizard have continued to function, a sign that the criminal residential proxy market has built enough redundancy to absorb individual takedowns.
For the companies whose names and domains get quietly copied along the way, the research is also a reminder that brand impersonation has become a defensive category of its own, sitting somewhere between marketing, legal, and security teams that do not always talk to each other. Infoblox says it is continuing to track the actor's infrastructure and has published indicators publicly, an approach the company frames as proactive rather than purely defensive, aimed at giving other researchers and companies the visibility needed to catch the next lookalike domain before it accumulates years of borrowed trust.
How Outpost24's New CyberFlex Program Helps Security Teams Keep Pace With AI-Era Risk
How Palo Alto Networks, IBM and Red Hat Are Closing the Gap Between Hackers and Defenders
Cybercrime Now Runs on Subscriptions and Supply Chains, According to a New Global Threat Ranking
Related Articles