Lurking Lizard Uses Fake 7-Zip Installers to Turn Victim Devices Into Proxy Nodes
A newly uncovered cybercriminal operation has been quietly turning ordinary computers into paid proxy servers for years, hiding behind a fake version of the popular 7-Zip file compression tool. Victim

A newly uncovered cybercriminal operation has been quietly turning ordinary computers into paid proxy servers for years, hiding behind a fake version of the popular 7-Zip file compression tool. Victims searching for the free archiving software were instead led to a lookalike site that installed hidden proxy software instead of the real program. Once running, […] The post Lurking Lizard Uses Fake 7-Zip Installers to Turn Victim Devices Into Proxy Nodes appeared first on Cyber Security News.
A newly uncovered cybercriminal operation has been quietly turning ordinary computers into paid proxy servers for years, hiding behind a fake version of the popular 7-Zip file compression tool. Victims searching for the free archiving software were instead led to a lookalike site that installed hidden proxy software instead of the real program. Once running, the malware quietly rented out the victim’s internet connection to paying customers without their knowledge or consent. The campaign first drew attention in early 2026 when the fake installer was found hosted at 7zip[.]com rather than the genuine site, 7-zip[.]org. What looked like an isolated scam turned out to be part of a much larger and longer running scheme. Researchers traced the activity back to at least August 2022, revealing a coordinated network built around dozens of fake software brands. Analysts from Infoblox identified the group behind this activity and gave it the name Lurking Lizard. Infoblox said in a report shared with Cyber Security News (CSN) that the actor operates a complete, end to end proxy business, from tricking users into installing malware to reselling their bandwidth through fake proxy service storefronts. The company’s threat intelligence team linked the operation using domain records, shared code, and tracking artifacts buried inside the malware itself. The scale of the discovery is what makes it notable. Infoblox found more than 230 domains connected to the same actor, covering fake VPN apps, fake download tools, and even fake proxy provider websites designed to look independent. Evidence points to the operator being based in China, based on domain registration details and a recurring registrant name. Instead of stopping after being exposed, the group appears to have simply rebranded and kept going under a new name. Lurking Lizard Uses Fake 7-Zip Installers The fake 7-Zip campaign relied on a trick called drop-catching, where an expired domain is bought up specifically to inherit its old search engine reputation. In this case, the domain 7zip[.]com had been mistakenly referenced in online forums for years, giving it accidental credibility long before the attackers acquired it. Screenshot of Google search results showing historical mentions of 7zip[.]com (Source – Infoblox) Investigators identified at least seven similar drop-catch domains tied to the same actor, some registered as far back as 2004. A key clue that connected the campaign to a wider network was a hardcoded IPLogger tracking link buried inside the malware samples. This single link tied the 7-Zip installers to other unrelated looking lures, including fake TikTok and YouTube downloader tools and, more recently, a fake VPN app called WireVPN. Infoblox noted that shared WHOIS registrant names, matching tracker codes, and identical backend server structures across dozens of domains made the connection difficult to dismiss as coincidence. WireVPN and Ongoing Risk The fake 7-Zip operation has since evolved into a new disguise called WireVPN, available on both the Apple App Store and Google Play with reported downloads exceeding one million on Android alone. Testing showed that instead of behaving like a real VPN, the app pinged large numbers of unrelated IP addresses and opened multiple simultaneous connections, a pattern consistent with acting as an exit point for someone else’s internet traffic rather than protecting the user’s own. High-level overview of the Lurking Lizard residential proxy ecosystem (Source – Infoblox) Infoblox recommends that users avoid downloading software from unofficial or search-suggested links and instead verify official domains before installing any archive or VPN tool. High-level overview of the Lurking Lizard residential proxy ecosystem (Source – Infoblox) The company also advises checking app publisher details carefully, since Lurking Lizard’s apps carried valid looking code signing certificates from registered companies. Security teams are encouraged to monitor for the specific file names, domains, and network behaviors tied to this actor to catch infections early. This case is a reminder that a program simply working as expected is not proof it is safe. Millions of people may be unknowingly renting out their bandwidth to criminal proxy networks through apps they trusted for privacy protection. Indicators of Compromise (IoCs):- TypeIndicatorDescriptionDomain7zip[.]comFake 7-Zip installer distribution site Domainbintangwarisanhotel[.]comActor-controlled domain sharing tracker code with 7zip[.]com Domainsmartproxy[.]orgLookalike domain impersonating Smartproxy Domainipidea[.]orgLookalike domain impersonating IPIDEA proxy provider Domainproxyreviews[.]orgFake independent proxy review site Domainupdate.whtatsapp[.]netWhatsApp lookalike payload delivery domain Domainupdate.wirevpn[.]appWireVPN payload delivery subdomain Domainapi.betflixfree[.]netShared backend API domain Domainapi.isharkvpn[.]comShared backend API domain Domainapi.snaptik[.]ioShared backend API domain Domainapi.wirevpn[.]appShared backend API domain Domainapi.wirevpn[.]ioShared backend API domain Domainwirevpn[.]appWireVPN branded C2/traffic domain Domainwirevpn[.]ccWireVPN branded C2/traffic domain Domainwirevpn[.]ioWireVPN branded C2/traffic domain Domainabc.breakoursilence[.]comBenign-looking traffic forwarding host Domainbin.visitbenin[.]orgBenign-looking traffic forwarding host Domaincate.norton-com-nu16[.]comBenign-looking traffic forwarding host Domain911proxy[.]comLookalike proxy service storefront URLhxxps://iplogger[.]com/mnWDHardcoded telemetry beacon linking campaigns Filehero.exePrimary payload in original 7-Zip campaign Fileuphero.exeService manager/update loader component Filewire.exePrimary payload in WireVPN campaign Fileupwire.exeService manager/update loader component Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams. The post Lurking Lizard Uses Fake 7-Zip Installers to Turn Victim Devices Into Proxy Nodes appeared first on Cyber Security News.
Join the Discussion
Comments coming soon. Follow us on social media for real-time discussions.


