Network Security

WireVPN linked to long-running operation using victims’ devices as proxy network

Cyber Insider reports that a VPN service with over one million Android downloads, WireVPN, is allegedly part of a long-running operation that recruits victims' devices into a residential proxy network. This operation, tracked as Lurking Lizard, has been active since at least 2022 and extends beyond earlier campaigns involving malicious installers.

Infoblox researchers uncovered the operation after analyzing a malicious 7-Zip installer. They found over 230 related domains linked through various infrastructure indicators. The Windows version of WireVPN exhibited behavior consistent with a residential proxy service, communicating with numerous domains and potentially acting as exit nodes for third-party traffic. The malware employs techniques mirroring those used in the fake 7-Zip campaign, including persistence via registry modifications and system profiling. WireVPN is available on multiple platforms, with the Android app reporting over one million downloads on Google Play. A hardcoded IPLogger URL helped researchers link the current WireVPN infrastructure to earlier malware campaigns dating back nearly four years. The actor also operates lookalike domains impersonating legitimate proxy providers and runs fake review sites.

While WHOIS records suggest a Chinese threat actor, registration details can be falsified. The operation appears to control the entire residential proxy ecosystem, from device infection to selling access. Users are advised to download software only from official sources and verify domains before installing VPNs or utilities.

Source: Cyber Insider

An In-Depth Guide to Network Security

Get essential knowledge and practical strategies to fortify your network security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds