
A VPN service with more than one million Android downloads is at the center of a long-running operation that allegedly recruits victims' devices into a residential proxy network.
The Infoblox investigation began after researchers analyzed the infrastructure behind a malicious installer distributed through the typosquatted 7zip[.]com domain. Instead of finding a single malware campaign, they uncovered more than 230 related domains linked through DNS records, WHOIS data, shared APIs, malware artifacts, and backend infrastructure.
The operation, tracked as Lurking Lizard, has been active since at least 2022 and extends far beyond the fake 7-Zip installer campaign reported earlier this year.
Researchers now believe WireVPN represents the latest public-facing brand used by the operation.

Unlike a conventional VPN client, the Windows application exhibited behavior consistent with a residential proxy service. During testing, it communicated with numerous WireVPN-controlled domains and other seemingly unrelated hosts instead of establishing a single VPN tunnel. The researchers say the traffic suggests infected systems may act as exit nodes for third-party traffic, effectively renting out victims' internet connections.
The current Windows samples install executables named wire.exe and upwire.exe in C:\Windows\SysWOW64\wire, create firewall exceptions with netsh, establish persistence via Windows registry modifications, and perform system profiling and anti-debugging checks. Researchers found that these techniques closely mirror those used in the earlier fake 7-Zip campaign, in which the malware installed nearly identical components named hero.exe and uphero.exe.
WireVPN is available for Windows, macOS, Android, and iOS. The Windows version is signed with a valid code-signing certificate issued to WEILAI NETWORK TECHNOLOGY CO., LIMITED, while the iOS app is published under the same developer. The Android application, published under WIRE LTD, currently reports more than 1 million downloads and 34,000+ reviews on Google Play, although the researchers did not verify those figures or analyze the mobile apps themselves.

A key breakthrough came from a hardcoded IPLogger URL embedded in multiple malware samples. By pivoting from that single artifact, researchers linked the fake 7-Zip installer to older malware posing as TikTok and YouTube downloaders, earlier VPN-themed campaigns, and the current WireVPN infrastructure, connecting activity spanning nearly four years.
In addition to distributing trojanized software, the actor operates lookalike domains that impersonate well-known proxy providers, including Smartproxy, IPIDEA, IPRoyal, and 911Proxy, as well as fake review sites designed to steer users toward those services.

WHOIS records associated with several domains contained variations of the registrant name “Cheng Li” and contact information pointing to Wuhan, China, although the researchers note such registration details can be falsified. Combined with infrastructure analysis and malware similarities, these findings indicate the operation is likely run by a Chinese threat actor.
The researchers conclude that Lurking Lizard controls multiple stages of the residential proxy ecosystem, from infecting devices through fake software and VPN installers to marketing and selling access to the resulting proxy network. They recommend downloading software only from official sources and carefully verifying domains before installing VPNs, utilities, or other security-related applications.







Leave a Reply