Infoblox research suggests bogus downloads, lookalike brands and fake reviews are helping build global supply chains for criminal internet traffic
DUBAI, UAE, July, 2026: Residential proxies are one of cybersecurity’s hottest topics, but many are not residential at all. Infoblox Threat Intel researchers traced what initially appeared to be an isolated malware campaign to a broader operation dating back several years. The actor, tracked as Lurking Lizard, is linked to more than 230 domains used to infect victim devices, operate proxy infrastructure, impersonate known proxy providers and market related services.
Lurking Lizard appears to be a Chinese actor who affiliates with other proxy providers to resell access to bandwidth from compromised residential proxies. External researchers previously identified overlap between infrastructure connected to Lurking Lizard and IPIDEA, a major proxy provider that was disrupted earlier this year by a coordinated industry and law enforcement action. While there have been multiple disruptions of proxy providers this year, the ability for threat actors like Lurking Lizard to continue operating the botnet devices demonstrates how hard it remains to dismantle the malicious residential proxy market.
The operation is vertically integrated, controlling several stages of acquisition, promotion and monetization. It builds new proxy nodes by distributing malware through lookalike domains tied to major software brands, then boosts those lures through search poisoning and online ads. One such campaign, impersonating 7-Zip, drew attention earlier this year, but this was only one visible piece of a much larger system. Infoblox Threat Intel also found that the actor sold access through lookalike domains posing as other commercial proxy services. By connecting those domains, the researchers were able to map the wider scope of the activity.
“What matters here is not one fake installer, but the business model behind it,” said Dr. Renée Burton, VP of Infoblox Threat Intel. “When criminal services can scale by borrowing trust from consumer software, app stores and review sites, the risk moves beyond the security team. It becomes an operations, fraud and brand issue for every company online.”
Photo Caption:
- Dr. Renée Burton, VP of Infoblox Threat Intel
- Lurking Lizard Infographic
About Infoblox Threat Intel:
Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet’s inner workings allows us to track down threat actors that others can’t see. We’re proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox DNS Detection and Response solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.
About Infoblox:
Infoblox is a leading platform for preemptive security and hybrid, multi-cloud networking that delivers enterprise resilience and agility. Trusted by over 5,700 customers, including the majority of Fortune 100 companies as well as emerging innovators, we seamlessly integrate, secure and automate critical network services so businesses can move fast without compromise. Visit Infobl
