Find notable cyber news and cases, enriched with sources, timelines, and signals.

Lurking Lizard ecosystem shift changes threat-actor operations

Threat Actor Meta
First reported
Last updated
Happening score
H score 87
1 unique sources, 1 articles

Summary

Hide ▲

The Lurking Lizard operation has been exposed as a multi-stage residential proxy business, turning compromised devices into monetizable proxy nodes and widening unauthorized-traffic risk across home and enterprise networks. The ecosystem uses 230+ lookalike domains and impersonates brands such as IPIDEA, SmartProxy/Decodo, IP Royal, 911Proxy, and WireVPN to funnel users into scam storefronts. Its activity has been traced back to at least August 2022 and spans Android, macOS, and Windows.

Timeline

  1. 09.07.2026 07:01 1 articles · 19h ago

    Lurking Lizard residential proxy business uses 230+ lookalike domains

    Initial Disclosure

    Cybersecurity researchers disclosed a new threat actor dubbed Lurking Lizard that has been operating an end-to-end malicious residential proxy business using more than 230 lookalike domains, trojanized 7-Zip installers on 7zip[.]com, and impersonation of proxy brands including IPIDEA, SmartProxy (now Decodo), IP Royal, and 911Proxy. Infoblox said the activity dates back to at least August 2022, and the same infrastructure also used fake review sites and other lures to recruit compromised devices as proxy nodes.

    Show sources