Executive Summary
Residential proxies are one of the hottest topics in cybersecurity today. Turns out, they are often not in residences, and they facilitate a wide range of criminal activity. In the simplest terms, a little piece of software in a TV, digital picture frame, or your phone might enable a company to sell access to your device’s bandwidth to their own customers. Those companies—proxy providers—often have affiliate programs where they pay for installation of the software. Sound familiar? It’s the same model as the advertising networks we often write about. Residential proxies are yet another tangled ecosystem full of buyers and sellers, with players in every shade of grey. This blog tells the story of a bad actor who operates an end-to-end malicious proxy business grounded in a collection of clever lookalike domains.

Our discovery started with a single campaign: In early 2026, the actor, who we track as Lurking Lizard, fooled users into downloading a fake version of the 7-Zip archive utility. Once installed, the device was enrolled as a proxy node to be rented to residential proxy services. This malware, or proxyware, was hosted at 7zip[.]com instead of the real site, 7-zip[.]org. At the time, reporting treated these installers as part of a one-off malware campaign; however, we linked this activity to operations dating back to at least August 2022.
The threat actor uses trojanized software to recruit victim machines as residential proxy nodes, providing just enough functionality to appear legitimate and keep users from uninstalling it. Lookalike domains not only impersonate popular software like 7-Zip, but also several popular VPNs and services like HeroSMS, which provide access to banks of virtual phone numbers. Naturally, the actor has several generic “download” domains in their portfolio. And what could go wrong with their “IP address checker” domains?
Lurking Lizard even impersonates proxy services, including IPIDEA, SmartProxy, IP Royal, and 911Proxy. These lookalikes are so good, they even fooled us for a while! Take one example: smartproxy[.]org, which offers budget access to 100M residential IP addresses. Here’s the kicker: that domain belongs to Lurking Lizard, not Smartproxy. In April, researchers found that smartproxy[.]org’s roughly 2 million active IPV4 addresses overlapped heavily with IPIDEA’s network, a major Chinese proxy provider that Google targeted with legal action in early 2026. The researchers concluded that IPIDEA was a supplier for smartproxy[.]org, either directly or indirectly. We wonder if IPIDEA knows the actor also owns ipidea[.]org?
This actor is fully committed to the residential proxy economy. Not only do they seemingly buy and sell access to nodes, but they also have domains that appear set up to host “independent” websites for proxy service reviews, including proxyreviews[.]org. We have seen the practice of self-promotion used many times in the affiliate advertising economy to drive more traffic to the website owner’s scams. This is why we use the term “end-to-end malicious proxy business:” Lurking Lizard has a portfolio of domains that serve it all.
In total, through DNS and infrastructure analysis, we found more than 230 domains, revealing a larger, structured operation rather than isolated malware infrastructure. Information discovered through domain registration data and related apps indicate that the actor is likely Chinese. A hardcoded IPLogger URL embedded within multiple samples enabled us to link otherwise distinct campaigns and payloads across several years, including video downloader malware and more recent WireVPN-themed variants. In parallel, shared infrastructure fingerprints, such as consistent deployment patterns, API structures, and hosting behavior, provide strong evidence of a single actor operating across multiple lures and brands.
We are struck by the parallels between the recently exposed criminal activity in the residential proxy space and malvertising that plagues affiliate advertising. There’s an obvious story: Your TV may be part of a giant botnet conducting attacks across the internet. But the real story is far more complex, and solutions are still elusive.
The 7-Zip Lure Was the Tip of the Iceberg
So how did we uncover the actor? Using a small set of published domains, we pulled on the DNS thread and pivoted across several malware samples to reveal that the campaign was significantly larger than initially reported. Rather than re-analyzing the 7-Zip lure itself, our investigation focused on what sits behind it. Specifically, we were keen to determine what other domains were actor-controlled, whether WHOIS and registrant information could reveal the culpable actor, whether the activity predated or extended beyond the initial campaign, and whether alternative lures and payloads were being used to achieve the same goal.
This approach ultimately led us to the conclusion that the fake 7-Zip activity was one of several distribution mechanisms used by the same actor in a broader and more established operation.
From WHOIS to Drop-Catch
Our first useful pivot was WHOIS. A registrant name, “Cheng Li,” linked the 7-Zip malware domain to a cluster of lookalike proxy service domains, revealing that the same actor controlled both the malware delivery infrastructure and the impersonated storefronts layered above it.
The published malware domain 7zip[.]com shares a tracker code (G-2WHSTD0PXD) with bintangwarisanhotel[.]com, a domain we assessed as actor-controlled and using the likely fake registrant name, Cheng Li, in its WHOIS record. This name also appears as the registrant for smartproxy[.]org, the domain impersonating Smartproxy. Indeed, Decodo, the owner of the real Smartproxy domain, smartproxy[.]com, also called out the domain squatter publicly.
The registrant name similarities don’t stop there, with shuffled variants of Cheng Li observed across multiple related domain registrations including: Li Hao Cheng, Li Cheng Liang, and Zhang Cheng Li. Their registrant emails also include further variants including Li Qiang. WHOIS also surfaced a registrant contact phone number whose country code and area code, +86 (27), place the registrant in Wuhan, China, if the details are correct.
The fake 7-Zip domain had an unusual advantage rooted in a practice known as drop-catching: acquiring a domain when it expires to inherit its accumulated history and legitimacy (which should not be confused with the legitimate service “DropCatch”). In this case, the correct domain (7-zip[.]org) had been misquoted in forum posts for years (Figure 1), meaning the incorrectly referenced version (7zip[.]com) already had organic legitimacy before the actor gained ownership. A domain with a decade of search engine history is worth far more than one registered yesterday. We identified at least seven drop-catch domains acquired by Lurking Lizard, with registration dates as early as 2004.

Figure 1: Screenshot of Google search results showing historical mentions of 7zip[.]com, lending the domain perceived legitimacy
The lookalike domains we discovered through infrastructure pivoting made it clear: this actor was dedicated to proxies and lookalike domains, but what were they doing with the proxy nodes?
IPLogger: The Thread That Unraveled It
One of the most useful early pivots came from what initially looked like a minor artifact, a hardcoded IPLogger URL found within samples associated with the 7-Zip campaign:
hxxps://iplogger[.]com/mnWD
At face value, IPLogger is a legitimate service that can be abused by threat actors and offers various services including URL shortening and visitor tracking. In this instance, the URL is consistent with their “informer” service and is typically used to show a visitor’s IP address on a website. Behind the scenes, this service logs visitor metadata including access timestamp, visitor IP, geolocation, device type/browser, referrer, and user agent (Figure 2).

Figure 2: Screenshot of an IPLogger log example
While this tracking URL would typically be embedded as an image within a webpage, the actor appears to be requesting it directly from their payloads with no visible output to the user. As such, it acts as a telemetry beacon that provides the threat actor with useful victim information and allows them to use a legitimate third-party service rather than maintaining their own dedicated tracking infrastructure.
Pivoting on this specific URL and the “/mnWD” identifier proved to be especially valuable. The same infrastructure underpinned multiple payloads dating back to at least 2022: the fake 7-Zip installer, tools falsely claiming TikTok and YouTube download capabilities, and both early and recent WireVPN-branded samples.
Taken together, this provides a strong link between otherwise distinct payloads and time periods, reinforcing that the fake 7-Zip campaign formed part of a broader and well-established ecosystem for acquiring victims.
Infrastructure Fingerprints
IPLogger was not the only linkage between these seemingly distinct campaigns and associated domains. We observed consistent deployment patterns across multiple lures and time periods, providing further evidence that they are associated with Lurking Lizard. For example:
- Payloads delivered via “update.” subdomains
- Directory structures typically including “/version/” and the use of the “Major.Minor.Build.Revision” version pattern (e.g. 1.0.1.5)
- Direct access to these hosts exposing storage bucket-style XML responses
Using these deployment patterns, we identified additional lure domains beyond those reported in the fake 7-Zip campaign, including the WhatsApp lookalike update.whtatsapp[.]net, active in or around 2022, and more recently the WireVPN domain update.wirevpn[.]app.
Reinforcing these findings, several domains associated with the activity implemented remarkably similar APIs, including api.betflixfree[.]net, api.isharkvpn[.]com, api.snaptik[.]io, api.wirevpn[.]app, and api.wirevpn[.]io. Despite presenting themselves as unrelated services, these hosts exposed the same endpoints, including /client_v1/config/http and /client_v1/version/server, along with near-identical schemas, fixed response codes and consistent data structures.
This level of application-layer consistency is unlikely to be coincidental, especially when considered alongside our other findings.
We identified additional supporting links at the DNS level, with registration behaviors, hosting providers, and overlapping DNS records consistently revealing clusters of domains associated with this activity.
Taken together, these findings suggest we are not looking at a series of independent campaigns. We are looking at the repeated reuse of the same infrastructure, deployment workflow, and backend services across multiple brands and lures. The pattern stretches back to at least 2022 and continues to appear in current WireVPN-related activity.
WireVPN: The Current Face
Based on the pivots and infrastructure correlations identified earlier, the fake 7-Zip campaign has not ceased but evolved, adopting WireVPN branding.
Even a high-level comparison of these new samples against earlier ones reveals clear continuity in tradecraft, particularly in the way their Windows-based payloads are structured and deployed. In the original 7-Zip campaign, the primary payload is named “hero.exe,” alongside a service manager and update loader component named “uphero.exe,” both of which are installed to “C:\Windows\SysWOW64\hero” alongside supporting libraries. In the more recent samples, similar executable files named “wire.exe” and “upwire.exe” are installed to “C:\Windows\SysWOW64\wire,” a straightforward renaming to align with the current campaign while retaining the same underlying functionality.
Furthermore, both exhibit the same approach to system modification and payload execution. In each case, the Windows command-line networking utility “netsh” is used to create explicit firewall rules allowing their respective binaries (such as “hero” and “wire”) to communicate with the internet unimpeded. This is supported by a shared service-style execution model, where persistence is maintained through consistent registry modifications across both variants.
Taken together, the similarities, including consistent system profiling, location checks, and anti-debugging behavior point to a shared codebase, or at a minimum, a common development model.
During execution, we observed the newer WireVPN samples communicating with multiple subdomains across WireVPN-controlled domains, including wirevpn[.]app, wirevpn[.]cc, and wirevpn[.]io. As detailed earlier, the endpoints responding on these domains exhibit similar behavior to those on other branded domains and continue to point toward consistent or shared infrastructure.
In addition, the malware initiated connections to several intentionally varied and benign-looking hosts, including domains such as abc.breakoursilence[.]com, bin.visitbenin[.]org, and cate.norton-com-nu16[.]com, among others. Many consistently resolve to shared backend infrastructure, typically either to the same IP addresses or within the same network ranges.
App Reach
WireVPN maintains a website offering macOS and Windows installers and links directly to its Apple App Store and Google Play listings.
Across platforms, these applications share consistent developer attribution and infrastructure. The Windows samples were signed with a valid code signing certificate issued to WEILAI NETWORK TECHNOLOGY CO., LIMITED, a UK-registered entity (Figure 3).

Figure 3: Screenshot of the User Account Control prompt for WireVPN on Windows, showing the “verified publisher”
Weilai is also listed as the developer of the iOS application “WireVPN – Fast VPN & Proxy” (App ID: 1615422104), (Figure 4), which specifically references the domain wirevpn[.]app as part of its support infrastructure.

Figure 4: Screenshot of WireVPN’s listing on the Apple App Store
The Android application, “wirevpn – Fast Unlimited Proxy” (App ID: com.wirevpn.freevpn), (Figure 5), is published under a different entity, WIRE LTD, but similarly references the wirevpn[.]app domain within its published application details. The overlap in developer naming, branding, and infrastructure points to a single operator across platforms, not a collection of unrelated applications.

Figure 5: Screenshot of WireVPN’s listing on Google Play
Publicly available metrics point to these applications having achieved substantial reach. At the time of writing, the Android application listed on Google Play reports more than 1 million downloads and over 34 thousand reviews. While we cannot independently verify these figures, and they may not directly reflect ongoing or real-world usage, they nonetheless suggest that a significant number of users have been exposed to the broader WireVPN ecosystem.
Our analysis focused on Windows samples; we did not analyze the mobile applications and cannot determine whether they share the same underlying functionality or primarily direct users toward desktop installations.
In the original 7-Zip campaign, victims were directed to malicious installers through tutorial content, search-driven discovery, and lookalike domains. Whether similar techniques are driving users to the current desktop variants is unclear, but the mobile applications may serve as an additional acquisition channel. Users seeking privacy or circumvention tools via app marketplaces may not realize these applications don’t always function as conventional VPN clients. As we’ll explore below, observed behavior in related samples raises the possibility that participating systems contribute to a broader proxy network rather than functioning as traditional VPN endpoints.
Traffic Forwarding Behavior
To assess whether WireVPN functions as a legitimate VPN client, we captured and analyzed its network activity. The behavior differed from what a standard VPN provider might exhibit in several notable ways.
Shortly after launch, the client issued ICMP echo (ping) requests to many globally distributed IP addresses (Figure 6).

Figure 6: Screenshot showing ICMP echo (ping) responses from numerous hosts observed during initial execution of the WireVPN client
Responses from these hosts appeared to influence the list of selectable locations presented to the user. While VPN clients commonly use latency measurements to optimize server selection, the scale and diversity of the probes suggested interaction with a broad and dynamic pool of nodes.
The client also established connections to both WireVPN-branded and the previously discussed benign-looking hosts (Figure 7), further demonstrating that these domains remained an active component of the broader infrastructure.

Figure 7: Screenshot showing TLS connections to multiple WireVPN-branded and other benign-looking hosts; all these domains are controlled by Lurking Lizard
Rather than forming a single stable tunnel to a fixed endpoint, as would be expected of a VPN application, it appears to make multiple concurrent connections across these hosts. As discussed earlier, these domains exhibit strong infrastructure linkage through DNS records, hosting patterns, and shared backend systems, supporting the assessment that they are all controlled by Lurking Lizard.
The traffic patterns do not match what a VPN client produces: WireVPN looks less like a privacy tool and more like an exit node for third-party traffic.
In practical terms, this could allow affected systems to function as exit nodes, with external traffic originating from the host’s IP address. Further analysis is needed to fully characterize this behavior, but it points to participation in a distributed proxy network rather than a traditional VPN service.
Pulling It All Together
The individual components described throughout this research may initially appear unrelated. However, when viewed as a whole, they reveal a coordinated ecosystem that spans victim acquisition, proxy infrastructure, marketing and monetization (Figure 8).

Figure 8: High-level overview of the Lurking Lizard residential proxy ecosystem
Trojanized installers, mobile applications, and other lures recruit victim devices into an actor-controlled proxy pool. That pool is then monetized through lookalike proxy service brands, while fake review sites help drive traffic to the actor’s storefronts. Supporting evidence, such as our DNS findings and the IPLogger telemetry, links activity across multiple campaigns, time periods and infrastructure.
Rather than operating a single malware campaign, Lurking Lizard manages multiple stages of the residential proxy lifecycle for several years, from acquiring victim devices through to marketing and selling access to the resulting network. The fake 7-Zip campaign was simply the most visible manifestation of an otherwise much longer-running operation.
We asked Ben Brundage of Synthient for his take on the relationship between Lurking Lizard and IPIDEA that was exposed earlier this year by Proxyware. He said,
“Commercial proxy services like IPIDEA scale their pools by acquiring IPs not only from publishers but also from resellers willing to sell them bandwidth. This business model is similarly adopted by smaller actors like “Lurking Lizard,” whose proxy services, such as 911proxy[.]com and smartproxy[.]org combine their own pool of compromised devices with a larger upstream provider like Kookeey or IPIDEA. This approach allows them to offer a profitable “unlimited pool” and reduce potential downtime. The broader distribution chain of backdoored apps reveals the common structure that providers or publishers use to acquire large swaths of IP space from victims, in which consent is explicitly omitted.”
This is a near perfect analogy to how malicious players in the affiliate advertising world interoperate to fuel the scourge of scams and malware. The model maximizes damage while minimizing accountability.

