Fake Installers, Fake Reviews, Fake Services – Real Proxies, Real Victims
Infoblox Threat Intel identifies a threat actor tracked as 'Lurking Lizard' who operates a comprehensive malicious residential proxy ecosystem spanning victim device recruitment through trojanized software (fake 7-Zip, WireVPN), proxy service monetization via lookalike storefronts, and fake review sites for marketing. The actor controls 230+ domains and has been active since at least August 2022, with current operations centered on WireVPN-branded payloads that enroll victim devices as proxy exit nodes rather than functioning as legitimate VPN clients. A shared IPLogger telemetry beacon, consistent API structures, code signing certificate, and deployment patterns link multiple campaigns across several years to a single operator likely based in Wuhan, China.
- domain5stopvpn[.]netActor-controlled VPN lookalike domain
- domain7zip[.]cloudAdditional 7-Zip lookalike domain in actor's portfolio
- domain7zip[.]comFake 7-Zip installer distribution domain; drop-catch domain with historical legitimacy used to deliver trojanized proxyware
- domain911proxy[.]comLookalike domain impersonating 911Proxy service; actor-controlled proxy storefront
- domainabc[.]breakoursilence[.]comBenign-looking C2 host controlled by Lurking Lizard; WireVPN client establishes TLS connections to this domain during execution
- domainaff[.]9breakingnews[.]comActor-controlled benign-looking domain observed in TLS SNI traffic
- domainanyip[.]ioActor-controlled domain in proxy ecosystem portfolio
- domainapi[.]betflixfree[.]netShared API backend exposing same endpoints and schemas as WireVPN API domains
- domainapi[.]isharkvpn[.]comShared API backend exposing same endpoints and schemas as WireVPN API domains
- domainapi[.]snaptik[.]ioShared API backend exposing same endpoints and schemas as WireVPN API domains
- domainapiv3[.]wirevpn[.]appWireVPN API v3 endpoint observed in TLS traffic
- domainapiv4[.]wirevpn[.]appWireVPN API v4 endpoint observed in TLS traffic
- domainapi[.]wirevpn[.]appWireVPN API endpoint exposing /client_v1/config/http and /client_v1/version/server endpoints
- domainapi[.]wirevpn[.]ioWireVPN API endpoint sharing identical endpoints and schemas with other actor-controlled API domains
- domainapp[.]businesssy[.]comActor-controlled benign-looking domain observed in TLS SNI traffic
- domainaproxy[.]comActor-controlled domain in proxy ecosystem portfolio
- domainasock[.]comActor-controlled domain in proxy ecosystem portfolio
- domainbintangwarisanhotel[.]comActor-controlled domain sharing Google Analytics tracker G-2WHSTD0PXD with 7zip.com; registered under fake name 'Cheng Li'
- domainbin[.]visitbenin[.]orgBenign-looking C2 host controlled by Lurking Lizard; WireVPN client connects to this domain
- domaincate[.]norton-com-nu16[.]comBenign-looking C2 host impersonating Norton; controlled by Lurking Lizard
- domaincheckip[.]comActor-controlled IP checker domain in portfolio
- domaindn[.]equalmarriagefl[.]comActor-controlled benign-looking domain observed in TLS SNI traffic
- domaindownloadfreetheme[.]netActor-controlled generic download domain
- domaindownloadpc[.]coActor-controlled generic download domain
- domainearn[.]ccActor-controlled domain in proxy ecosystem portfolio
- domainfoxphone[.]comActor-controlled domain in proxy ecosystem portfolio
- domaingo[.]chatwithsky[.]comActor-controlled benign-looking domain observed in TLS SNI traffic
- domainherosms[.]ioActor-controlled domain in proxy/SMS ecosystem portfolio
- domainherosms[.]orgLookalike domain impersonating HeroSMS virtual phone number service; actor-controlled
- domaininstallppi[.]coActor-controlled domain suggesting PPI (pay-per-install) operations
- domainip[.]ccActor-controlled domain in proxy ecosystem portfolio
- domainipchecker[.]orgActor-controlled 'IP address checker' tool domain
- domainipidea[.]orgLookalike domain impersonating IPIDEA proxy provider; actor-controlled proxy service storefront
- domainiproyal[.]ccLookalike domain impersonating IP Royal proxy service; actor-controlled
- domainishark[.]comActor-controlled domain in proxy/VPN ecosystem portfolio
- domainjs[.]dapr0n[.]comActor-controlled benign-looking domain observed in TLS SNI traffic
- domainprox[.]sarahsoriano[.]comActor-controlled benign-looking domain observed in TLS SNI traffic
- domainproxy[.]ccActor-controlled domain in proxy ecosystem portfolio
- domainproxyreviews[.]orgFake proxy service review site operated by Lurking Lizard to drive traffic to their own proxy storefronts
- domainreprack[.]orgActor-controlled domain in proxy ecosystem portfolio
- domainsmartproxy[.]aiAdditional SmartProxy lookalike domain in actor's portfolio
- domainsmartproxy[.]orgLookalike domain impersonating SmartProxy; actor-controlled proxy service storefront registered under fake name 'Cheng Li'
- domainsmshero[.]aiActor-controlled domain in proxy/SMS ecosystem portfolio
- domainsoft[.]prosoftwarestore[.]comActor-controlled benign-looking domain observed in TLS SNI traffic
- domaintkproxy[.]coActor-controlled domain in proxy ecosystem portfolio
- domaintk[.]speedyshare[.]comActor-controlled benign-looking domain observed in TLS SNI traffic
- domainupdate[.]whtatsapp[.]netWhatsApp lookalike delivery domain active circa 2022; uses actor's 'update.' subdomain pattern
- domainupdate[.]wirevpn[.]appPayload delivery subdomain using actor's consistent 'update.' deployment pattern for distributing WireVPN payloads
- domainversion[.]spincityclub-official[.]comActor-controlled benign-looking domain observed in TLS SNI traffic
- domainvpnhelps[.]comActor-controlled VPN lookalike domain
- domainvpnkar[.]xyzActor-controlled VPN lookalike domain
- domainwirevpn[.]appPrimary WireVPN C2 and infrastructure domain; hosts API endpoints, payload delivery, and app support references
- domainwirevpn[.]ccWireVPN-controlled C2 domain; malware communicates with subdomains across this domain during execution
- domainwirevpn[.]ioWireVPN-controlled C2 domain; shares identical API endpoints and backend infrastructure with other WireVPN domains
- domainxcrawl[.]comActor-controlled domain in proxy ecosystem portfolio
Detection / Hunteropenrouter
What Happened
A cybercriminal group called 'Lurking Lizard' has been running a large-scale operation since at least 2022 that tricks people into installing fake versions of popular software like 7-Zip and VPN apps. Once installed, the software secretly turns the victim's device into a relay node for a proxy network, meaning other people's internet traffic flows through the victim's device and IP address. The group controls over 230 fake websites that impersonate legitimate software companies, proxy services, and even review sites to make their operation look credible. Their WireVPN app has been downloaded over a million times on Android alone. Anyone who installed these fake apps may be unknowingly routing strangers' traffic through their device, which could expose them to legal risk if that traffic is used for criminal activity. Users should verify they downloaded software from official sources, uninstall any suspicious VPN or archive tools, and run a security scan on affected devices.
Key Takeaways
- Threat actor 'Lurking Lizard' operates an end-to-end malicious residential proxy business spanning victim recruitment, proxy infrastructure, marketing, and monetization, with activity dating back to at least August 2022.
- The actor uses 230+ lookalike domains to impersonate legitimate software (7-Zip), VPN services, proxy providers (SmartProxy, IPIDEA, IP Royal, 911Proxy), and even operates fake review sites to drive traffic to their storefronts.
- A hardcoded IPLogger URL (iplogger.com/mnWD) served as a telemetry beacon across multiple campaigns and payloads, linking otherwise distinct operations including fake 7-Zip installers, video downloader malware, and WireVPN variants.
- WireVPN applications on Windows, iOS, and Android have achieved substantial reach (1M+ Android downloads) and function as proxy exit nodes rather than traditional VPN clients, forwarding third-party traffic through victim devices.
- Shared infrastructure fingerprints—including consistent API endpoints (/client_v1/config/http, /client_v1/version/server), deployment patterns (update.* subdomains, version directory structures), and code signing certificate (WEILAI NETWORK TECHNOLOGY CO., LIMITED)—link all campaigns to a single operator.
Affected Systems
- Windows (payloads installed to C:\Windows\SysWOW64)
- macOS (WireVPN installer offered for download)
- iOS (WireVPN App Store listing, App ID: 1615422104)
- Android (WireVPN Google Play listing, App ID: com.wirevpn.freevpn, 1M+ downloads)
Vulnerabilities (CVEs)
None identified.
Attack Chain
- Initial Access: Users directed to lookalike domains (7zip.com, wirevpn.app) via search results, forum posts, tutorial content, or app store listings to download trojanized installers
- Execution: Fake installers deploy payloads (hero.exe/uphero.exe or wire.exe/upwire.exe) to C:\Windows\SysWOW64\ with supporting libraries
- Persistence: Service-style execution model maintained through registry modifications; netsh creates firewall rules allowing binaries to communicate freely
- Discovery: WireVPN client issues ICMP echo requests to globally distributed IP addresses to assess proxy node latency and build selectable location list
- C2: Malware communicates with actor-controlled API endpoints (/client_v1/config/http, /client_v1/version/server) across multiple branded and benign-looking domains; IPLogger URL serves as telemetry beacon
- Impact: Victim device enrolled as residential proxy exit node; third-party traffic routed through victim's IP address; access sold via lookalike proxy storefronts (smartproxy.org, ipidea.org, 911proxy.com)
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide any detection rules, queries, or signatures. It focuses on DNS and infrastructure analysis, WHOIS pivoting, and network traffic observation.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Medium | EDR would capture process creation (netsh firewall rule creation), file writes to SysWOW64, and service/registry modifications. However, payloads are signed with a valid code signing certificate, which may reduce suspicion. ICMP probing and TLS connections to benign-looking domains may blend with normal traffic. |
| Network Visibility | Medium | Network monitoring would observe ICMP echo requests to many global IPs and TLS connections to actor-controlled domains. However, the use of Cloudflare-hosted benign-looking domains and legitimate services (IPLogger) makes C2 traffic harder to distinguish from normal browsing. |
| Detection Difficulty | Moderate | The actor uses valid code signing, legitimate-looking domains, and benign services (IPLogger, Cloudflare) which reduce detection signal. However, consistent deployment patterns (update.* subdomains, /version/ directories, shared API endpoints), SysWOW64 installation paths, and netsh firewall rule creation provide actionable detection opportunities. |
Required Log Sources
- DNS resolution logs
- TLS SNI logs / network flow data
- Windows Event Logs (Service creation, process creation)
- File system monitoring for SysWOW64 writes
- Registry modification monitoring
- ICMP traffic logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for processes writing executables to C:\Windows\SysWOW64\ subdirectories with non-standard names, as the actor installs hero.exe and wire.exe to custom subdirectories under this path. | File system write events, process creation events with image paths under SysWOW64 | Execution / Persistence | Low — legitimate software rarely creates custom subdirectories in SysWOW64 for executables |
| Consider hunting for netsh.exe creating firewall rules that allow specific binaries in SysWOW64 to communicate inbound, as the actor uses this technique to ensure proxy traffic flows unimpeded. | Process creation events for netsh.exe with 'advfirewall firewall add rule' arguments, Windows Firewall rule creation logs | Persistence / Defense Evasion | Medium — some legitimate software creates firewall rules, but allowing custom SysWOW64 binaries is unusual |
| Consider hunting for DNS queries to domains using the actor's deployment pattern: 'update.' subdomains combined with '/version/' directory structures and Major.Minor.Build.Revision version patterns. | DNS query logs, HTTP request logs showing URL paths | C2 / Command and Control | Low to Medium — this specific combination of patterns is uncommon in legitimate software update mechanisms |
| Consider hunting for TLS connections to multiple benign-looking domains that resolve to shared backend IP addresses, particularly when the connecting process is installed in SysWOW64 and exhibits ICMP probing behavior. | TLS SNI logs, DNS resolution logs, network flow data, process network connection events | C2 / Proxy Operations | Medium — legitimate VPN clients also make multiple connections, but the combination with ICMP probing and benign-looking domain patterns is distinctive |
| Consider hunting for HTTP requests to iplogger.com paths from installed applications, as the actor uses this as a telemetry beacon across multiple campaigns. | HTTP proxy logs, DNS queries to iplogger.com, network flow data | Discovery / Telemetry Collection | Low — legitimate use of IPLogger from installed desktop applications is uncommon |
Control Gaps
- Valid code signing certificate (WEILAI NETWORK TECHNOLOGY CO., LIMITED) may bypass application allowlisting or SmartScreen warnings
- Cloudflare CDN hosting for benign-looking C2 domains may bypass IP-based blocking and some domain reputation systems
- Use of legitimate IPLogger service for telemetry may not trigger network security controls
- App store distribution channels (Google Play, Apple App Store) may bypass endpoint web filtering controls
- ICMP-based node discovery may not be logged or alerted on by all network monitoring tools
Key Behavioral Indicators
- Process writing executables to custom subdirectories under C:\Windows\SysWOW64\
- netsh.exe creating inbound firewall allow rules for binaries in SysWOW64
- Service creation with registry modifications pointing to SysWOW64\hero or SysWOW64\wire paths
- Process making ICMP echo requests to many globally distributed IPs shortly after launch
- TLS connections to multiple benign-looking domains that share backend infrastructure
- HTTP requests to iplogger.com from installed applications with no visible browser UI
- DNS queries to 'update.' subdomains of lookalike software/VPN domains
- API requests to /client_v1/config/http and /client_v1/version/server endpoints across multiple unrelated-looking domains
False Positive Assessment
Medium — The actor uses valid code signing certificates, legitimate services (IPLogger, Cloudflare), and benign-looking domain names that may blend with normal traffic. However, the specific combination of SysWOW64 installation paths, netsh firewall rule creation, ICMP probing patterns, and shared API endpoints across unrelated-looking domains provides distinctive detection signals with manageable false positive rates.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider blocking known actor-controlled domains (7zip.com, wirevpn.app, wirevpn.cc, wirevpn.io, smartproxy.org, ipidea.org, proxyreviews.org) at DNS resolution and web proxy layers.
- Consider searching endpoint telemetry for the presence of hero.exe, uphero.exe, wire.exe, or upwire.exe in C:\Windows\SysWOW64\ subdirectories, as well as any executables signed by WEILAI NETWORK TECHNOLOGY CO., LIMITED.
- If your EDR supports it, consider hunting for netsh.exe creating firewall rules that allow binaries in SysWOW64 to communicate inbound, and evaluate whether any such rules exist on endpoints.
- Consider blocking or alerting on DNS queries to iplogger.com from non-browser processes, as this is used as a telemetry beacon across multiple campaigns.
Infrastructure Hardening
- Evaluate whether your DNS filtering can block lookalike domains that impersonate legitimate software and proxy services; consider adding the 230+ domains identified in this research to blocklists.
- If applicable, consider implementing TLS inspection for traffic to benign-looking domains that share backend infrastructure, as the actor uses Cloudflare-hosted lookalike domains for C2.
- Consider monitoring for ICMP echo request storms from individual endpoints, as WireVPN uses this technique to discover proxy nodes.
- Evaluate whether your application allowlisting would block executables signed by WEILAI NETWORK TECHNOLOGY CO., LIMITED, particularly those installed to SysWOW64.
User Protection
- Consider alerting users about the risks of downloading software from lookalike domains, particularly 7zip.com instead of 7-zip.org, and fake VPN services like WireVPN.
- If your organization manages mobile devices, consider blocking or removing the WireVPN app (Android: com.wirevpn.freevpn; iOS: App ID 1615422104) from managed devices.
- Consider deploying endpoint controls that alert on unsigned or newly-signed binaries creating services or firewall rules in SysWOW64.
- Evaluate whether your web filtering can block access to the actor's fake review site (proxyreviews.org) and lookalike proxy storefronts.
Security Awareness
- Consider incorporating guidance into existing awareness programs about verifying software download URLs, particularly for popular utilities like 7-Zip and VPN clients.
- Consider educating users that some free VPN applications may route third-party traffic through their device, potentially exposing them to legal risk.
- If applicable to your awareness program, consider highlighting that app store listings with high download counts and reviews are not guarantees of legitimacy.
- Consider reminding users to download software only from official vendor websites and to verify URLs carefully, as lookalike domains may have accumulated search engine legitimacy over time.
MITRE ATT&CK Mapping
Execution
Persistence
Defense Evasion
Command and Control
Additional IOCs
- Domains:
911proxy[.]com- Lookalike domain impersonating 911Proxy service; actor-controlled proxy storefrontiproyal[.]cc- Lookalike domain impersonating IP Royal proxy service; actor-controlledherosms[.]org- Lookalike domain impersonating HeroSMS virtual phone number service; actor-controlledipchecker[.]org- Actor-controlled 'IP address checker' tool domain7zip[.]cloud- Additional 7-Zip lookalike domain in actor's portfolioupdate[.]whtatsapp[.]net- WhatsApp lookalike delivery domain active circa 2022; uses actor's 'update.' subdomain patternbintangwarisanhotel[.]com- Actor-controlled domain sharing Google Analytics tracker G-2WHSTD0PXD with 7zip.com; registered under fake name 'Cheng Li'api[.]wirevpn[.]app- WireVPN API endpoint exposing /client_v1/config/http and /client_v1/version/server endpointsapi[.]wirevpn[.]io- WireVPN API endpoint sharing identical endpoints and schemas with other actor-controlled API domainsapi[.]betflixfree[.]net- Shared API backend exposing same endpoints and schemas as WireVPN API domainsapi[.]isharkvpn[.]com- Shared API backend exposing same endpoints and schemas as WireVPN API domainsapi[.]snaptik[.]io- Shared API backend exposing same endpoints and schemas as WireVPN API domainsbin[.]visitbenin[.]org- Benign-looking C2 host controlled by Lurking Lizard; WireVPN client connects to this domaincate[.]norton-com-nu16[.]com- Benign-looking C2 host impersonating Norton; controlled by Lurking Lizardapiv3[.]wirevpn[.]app- WireVPN API v3 endpoint observed in TLS trafficapiv4[.]wirevpn[.]app- WireVPN API v4 endpoint observed in TLS trafficjs[.]dapr0n[.]com- Actor-controlled benign-looking domain observed in TLS SNI traffictk[.]speedyshare[.]com- Actor-controlled benign-looking domain observed in TLS SNI trafficgo[.]chatwithsky[.]com- Actor-controlled benign-looking domain observed in TLS SNI trafficdn[.]equalmarriagefl[.]com- Actor-controlled benign-looking domain observed in TLS SNI trafficaff[.]9breakingnews[.]com- Actor-controlled benign-looking domain observed in TLS SNI trafficsoft[.]prosoftwarestore[.]com- Actor-controlled benign-looking domain observed in TLS SNI trafficapp[.]businesssy[.]com- Actor-controlled benign-looking domain observed in TLS SNI trafficprox[.]sarahsoriano[.]com- Actor-controlled benign-looking domain observed in TLS SNI trafficversion[.]spincityclub-official[.]com- Actor-controlled benign-looking domain observed in TLS SNI trafficsmartproxy[.]ai- Additional SmartProxy lookalike domain in actor's portfolioipidea[.]org- Already in priority_iocssmshero[.]ai- Actor-controlled domain in proxy/SMS ecosystem portfolioherosms[.]io- Actor-controlled domain in proxy/SMS ecosystem portfolioishark[.]com- Actor-controlled domain in proxy/VPN ecosystem portfolioanyip[.]io- Actor-controlled domain in proxy ecosystem portfolioproxy[.]cc- Actor-controlled domain in proxy ecosystem portfoliofoxphone[.]com- Actor-controlled domain in proxy ecosystem portfoliotkproxy[.]co- Actor-controlled domain in proxy ecosystem portfolioaproxy[.]com- Actor-controlled domain in proxy ecosystem portfolioxcrawl[.]com- Actor-controlled domain in proxy ecosystem portfolioasock[.]com- Actor-controlled domain in proxy ecosystem portfolioip[.]cc- Actor-controlled domain in proxy ecosystem portfoliocheckip[.]com- Actor-controlled IP checker domain in portfolioearn[.]cc- Actor-controlled domain in proxy ecosystem portfoliovpnhelps[.]com- Actor-controlled VPN lookalike domainvpnkar[.]xyz- Actor-controlled VPN lookalike domain5stopvpn[.]net- Actor-controlled VPN lookalike domaindownloadfreetheme[.]net- Actor-controlled generic download domaindownloadpc[.]co- Actor-controlled generic download domaininstallppi[.]co- Actor-controlled domain suggesting PPI (pay-per-install) operationsreprack[.]org- Actor-controlled domain in proxy ecosystem portfolio
- Registry Keys:
HKLM\SYSTEM\CurrentControlSet\Services\hero- Service-style persistence registry key for 7-Zip campaign payload (hero.exe)HKLM\SYSTEM\CurrentControlSet\Services\wire- Service-style persistence registry key for WireVPN campaign payload (wire.exe)
- File Paths:
C:\Windows\SysWOW64\hero- Installation directory for 7-Zip campaign payloads (hero.exe, uphero.exe, supporting libraries)C:\Windows\SysWOW64\wire- Installation directory for WireVPN campaign payloads (wire.exe, upwire.exe, supporting libraries)
- Command Lines:
- Purpose: Creating firewall rules to allow proxy binaries to communicate unimpeded | Tools:
netsh.exe| Stage: Persistence / Defense Evasion |netsh advfirewall firewall add rule name=<name> dir=in action=allow program=
- Purpose: Creating firewall rules to allow proxy binaries to communicate unimpeded | Tools:
- Other:
G-2WHSTD0PXD- Google Analytics tracker code shared between 7zip.com and bintangwarisanhotel.com; links domains to same actorWEILAI NETWORK TECHNOLOGY CO., LIMITED- UK-registered entity used for code signing certificate on WireVPN Windows samples; also listed as iOS app developercom.wirevpn.freevpn- Android application package name for WireVPN on Google Play; 1M+ downloads1615422104- Apple App Store application ID for WireVPN iOS appCheng Li- Likely fake WHOIS registrant name linking 7zip.com to smartproxy.org and other actor-controlled domains; variants include Li Hao Cheng, Li Cheng Liang, Zhang Cheng Li[email protected]- Developer support email listed on Google Play for WireVPN Android app+86 (27)- WHOIS registrant phone country/area code placing the registrant in Wuhan, China