Security Researchers Link WireVPN to Alleged Residential Proxy Network

Kinyua Njeri (Sam Kin)  - Tech Expert
Last updated: July 9, 2026
Share
Researchers Link WireVPN to Alleged Residential Proxy Network
  • Researchers say a VPN service with more than one million Android downloads may secretly feed a residential proxy network.
  • The investigation connects WireVPN to fake software downloads, lookalike websites, and malware campaigns dating back to 2022.
  • Experts urge users to download software only from trusted sources and always check website addresses before installing anything.

Security researchers have linked a popular VPN service to a large operation that may have spent years turning people’s computers into residential proxy servers without their knowledge.

The investigation started with a fake version of the popular 7-Zip software. But as researchers dug deeper, they uncovered something much bigger. They found hundreds of connected websites, shared systems, and malware samples that all appeared to belong to the same operation.

Researchers now track the campaign under the name Lurking Lizard. They believe the group has been active since at least 2022. According to their findings, WireVPN is the latest public brand with a connection to the operation.

The team says the group controls nearly every part of the scheme. It spreads fake software, infects devices, and then sells access to those infected internet connections through a residential proxy network.

Researchers connect fake software campaign to WireVPN

The investigation began after researchers examined a fake installer distributed through the 7zip[.]com domain. The address looked almost identical to the real 7-Zip website. This is the typosquatting trick. It fools people into downloading software from the wrong website.

Fake websites are a global problem. Not too long ago, Operation Alice shut down 373,000 fake dark net sites in a coordinated international police crackdown.

Instead of finding one malware campaign, researchers uncovered a much larger network. Their investigation connected more than 230 domains using DNS records, WHOIS information, shared APIs, malware samples, and common backend systems. Those links pointed to a single operation that has continued growing for years.

Researchers also discovered a key clue hidden inside several malware samples. The malicious programs contained a hardcoded IPLogger address. That single piece of information helped investigators connect several older campaigns.

According to the researchers, the same infrastructure appeared in fake TikTok downloaders, fake YouTube downloaders, earlier VPN campaigns, and the current WireVPN operation. They believe these findings connect almost four years of activity under one group.

The researchers also noticed another worrying pattern. The people behind the operation created websites that looked like well-known proxy services. Some of those fake sites copied brands such as Smartproxy, IPIDEA, IPRoyal, and 911Proxy. The group also operated fake review websites that appeared designed to push visitors toward those services.The

Windows version shows signs of residential proxy activity

Researchers say WireVPN did not behave like a normal VPN during testing. A typical VPN creates one secure tunnel between a user’s device and a VPN server. WireVPN acted differently. Instead of communicating with one VPN server, the Windows software contacted many WireVPN-controlled domains along with several unrelated systems.

According to the researchers, the traffic pattern suggests that affected computers could become exit points for internet traffic belonging to other people. In simple terms, bad actors can rent out someone’s internet connection without their consent. The Windows software also performed several actions commonly seen in malware.

Researchers found that it installed files named wire.exe and upwire.exe inside the Windows system folders. It also created Windows firewall exceptions using netsh, changed Windows Registry settings to stay active after a reboot, collected system information, and checked whether security researchers were trying to examine it.

The team noted that these methods closely resemble those used in the earlier fake 7-Zip campaign. That earlier malware installed nearly identical files named hero.exe and uphero.exe, suggesting both campaigns may have come from the same developers.

It is available on Windows, macOS, Android, and iOS. The Windows version carries a valid code-signing certificate issued to WEILAI NETWORK TECHNOLOGY CO., LIMITED. Researchers also found that the same developer published an iPhone version. Meanwhile, the Android version appears under the publisher name WIRE LTD.

Google Play currently lists more than one million downloads and over 34,000 user reviews. However, the researchers explained they did not independently verify those numbers, and they did not analyze the Android or iPhone versions during this investigation.

Evidence Points to a Larger Operation

Researchers believe Lurking Lizard does much more than spread malware. According to their findings, the group appears to control the entire residential proxy business. It infects devices first. Then it uses those systems as proxy servers before selling access to customers.

The investigation also uncovered WHOIS registration records connected to several domains. Some of those records included different versions of the name “Cheng Li” along with contact details pointing to Wuhan, China. However, the researchers stressed that bad actors can easily fake domain registration records. They said those details alone do not prove who is responsible.

Instead, they reached their assessment after combining the registration records with the shared infrastructure, malware similarities, domain connections, and technical evidence gathered during the investigation. Based on all those findings together, the researchers believe the operation is likely run by a Chinese threat actor.

The researchers also offered simple advice for staying safe. They recommend downloading VPNs, utilities, and other software only from official websites. Users should also check website addresses carefully before installing anything, since attackers often register domains that closely resemble legitimate ones.

According to the researchers, a single wrong download can give attackers control over a device. That device may then become part of a much larger network without the owner’s knowledge. All these are all the recommendations our cybersecurity experts at PrivacySavvy keep making every single day of the year.

The WireVPN findings also serve as another reminder that software promising privacy is not always trustworthy. Even security tools deserve careful checks before installation. Downloading programs from official sources remains one of the easiest ways to avoid becoming part of hidden cybercriminal operations.

Share this article

About the Author

Kinyua Njeri is a journalist, blogger, and freelance writer. He’s a technology geek but mainly an internet privacy and freedom advocate. He has an unquenchable nose for news and loves sharing useful information with his readers. When not writing, Kinyua plays and coaches handball. He loves his pets!

More from Kinyua Njeri (Sam Kin)

Comments

No comments.