A threat actor known as Lurking Lizard has been linked to a large-scale malicious residential proxy operation built on more than 230 lookalike domains. According to Infoblox, the campaign, active since at least August 2022, uses fake software installers and fake websites to turn victims' devices into proxy nodes.
One campaign observed this year used a trojanized 7-Zip installer hosted on the fake domain 7zip[.]com. The group also impersonates well-known proxy providers, including IPIDEA, SmartProxy (now Decodo), IP Royal, and 911Proxy. To increase credibility, the attackers operate fake review websites that promote their fraudulent proxy services. WHOIS records and infrastructure analysis suggest the operation is based in China.
Researchers found that the attackers use the drop-catching technique that involves registering expired domains with established reputations. They also exploit common typing mistakes, such as using 7zip[.]com instead of the legitimate 7-zip[.]org, to trick users into downloading malware.
Further analysis linked the same infrastructure to fake installers for WhatsApp, TikTok and YouTube downloader tools, WireVPN, and other software. The campaign also targets Android and macOS users as well.
Infoblox believes the operation runs as a two-stage business model. First, victims are infected through trojanized installers, mobile apps, and other lures, adding devices to a proxy botnet. The attackers then monetize the compromised network by selling residential proxy services through fake brands while using deceptive review sites to attract customers.