Lurking Lizard ecosystem shift changes threat-actor operations
Threat Actor Meta
Summary
Hide ▲
Show ▼
The Lurking Lizard operation has been exposed as a multi-stage residential proxy business, turning compromised devices into monetizable proxy nodes and widening unauthorized-traffic risk across home and enterprise networks. The ecosystem uses 230+ lookalike domains and impersonates brands such as IPIDEA, SmartProxy/Decodo, IP Royal, 911Proxy, and WireVPN to funnel users into scam storefronts. Its activity has been traced back to at least August 2022 and spans Android, macOS, and Windows.
Timeline
-
09.07.2026 07:01 1 articles · 19h ago
Lurking Lizard residential proxy business uses 230+ lookalike domains
Initial DisclosureCybersecurity researchers disclosed a new threat actor dubbed Lurking Lizard that has been operating an end-to-end malicious residential proxy business using more than 230 lookalike domains, trojanized 7-Zip installers on 7zip[.]com, and impersonation of proxy brands including IPIDEA, SmartProxy (now Decodo), IP Royal, and 911Proxy. Infoblox said the activity dates back to at least August 2022, and the same infrastructure also used fake review sites and other lures to recruit compromised devices as proxy nodes.
Show sources
- Fake 7-Zip Installers Turn Devices Into Residential Proxy Nodes — thehackernews.com — 09.07.2026 07:01