Cyber Insider reports that a VPN service with over one million Android downloads, WireVPN, is allegedly part of a long-running operation that recruits victims' devices into a residential proxy network. This operation, tracked as Lurking Lizard, has been active since at least 2022 and extends beyond earlier campaigns involving malicious installers.Infoblox researchers uncovered the operation after analyzing a malicious 7-Zip installer. They found over 230 related domains linked through various infrastructure indicators. The Windows version of WireVPN exhibited behavior consistent with a residential proxy service, communicating with numerous domains and potentially acting as exit nodes for third-party traffic. The malware employs techniques mirroring those used in the fake 7-Zip campaign, including persistence via registry modifications and system profiling. WireVPN is available on multiple platforms, with the Android app reporting over one million downloads on Google Play. A hardcoded IPLogger URL helped researchers link the current WireVPN infrastructure to earlier malware campaigns dating back nearly four years. The actor also operates lookalike domains impersonating legitimate proxy providers and runs fake review sites.While WHOIS records suggest a Chinese threat actor, registration details can be falsified. The operation appears to control the entire residential proxy ecosystem, from device infection to selling access. Users are advised to download software only from official sources and verify domains before installing VPNs or utilities.Source: Cyber Insider
Network Security
WireVPN linked to long-running operation using victims’ devices as proxy network

An In-Depth Guide to Network Security
Get essential knowledge and practical strategies to fortify your network security.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



