Infoblox Threat Intel identifies a threat actor tracked as 'Lurking Lizard' who operates a comprehensive malicious residential proxy ecosystem spanning victim device recruitment through trojanized software (fake 7-Zip, WireVPN), proxy service monetization via lookalike storefronts, and fake review sites for marketing. The actor controls 230+ domains and has been active since at least August 2022, with current operations centered on WireVPN-branded payloads that enroll victim devices as proxy exit nodes rather than functioning as legitimate VPN clients. A shared IPLogger telemetry beacon, consistent API structures, code signing certificate, and deployment patterns link multiple campaigns across several years to a single operator likely based in Wuhan, China.