Lurking Lizard Uses Fake 7-Zip Installers to Turn Victim Devices Into Proxy Nodes

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

A newly uncovered cybercriminal operation has been quietly turning ordinary computers into paid proxy servers for years, hiding behind a fake version of the popular 7-Zip file compression tool.

Victims searching for the free archiving software were instead led to a lookalike site that installed hidden proxy software instead of the real program.

Once running, the malware quietly rented out the victim’s internet connection to paying customers without their knowledge or consent.

The campaign first drew attention in early 2026 when the fake installer was found hosted at 7zip[.]com rather than the genuine site, 7-zip[.]org.

What looked like an isolated scam turned out to be part of a much larger and longer running scheme. Researchers traced the activity back to at least August 2022, revealing a coordinated network built around dozens of fake software brands.

Analysts from Infoblox identified the group behind this activity and gave it the name Lurking Lizard.

Infoblox said in a report shared with Cyber Security News (CSN) that the actor operates a complete, end to end proxy business, from tricking users into installing malware to reselling their bandwidth through fake proxy service storefronts.

The company’s threat intelligence team linked the operation using domain records, shared code, and tracking artifacts buried inside the malware itself.

The scale of the discovery is what makes it notable. Infoblox found more than 230 domains connected to the same actor, covering fake VPN apps, fake download tools, and even fake proxy provider websites designed to look independent.

Evidence points to the operator being based in China, based on domain registration details and a recurring registrant name.

Instead of stopping after being exposed, the group appears to have simply rebranded and kept going under a new name.

Lurking Lizard Uses Fake 7-Zip Installers

The fake 7-Zip campaign relied on a trick called drop-catching, where an expired domain is bought up specifically to inherit its old search engine reputation.

In this case, the domain 7zip[.]com had been mistakenly referenced in online forums for years, giving it accidental credibility long before the attackers acquired it.

Screenshot of Google search results showing historical mentions of 7zip[.]com (Source - Infoblox)
Screenshot of Google search results showing historical mentions of 7zip[.]com (Source – Infoblox)

Investigators identified at least seven similar drop-catch domains tied to the same actor, some registered as far back as 2004.

A key clue that connected the campaign to a wider network was a hardcoded IPLogger tracking link buried inside the malware samples.

This single link tied the 7-Zip installers to other unrelated looking lures, including fake TikTok and YouTube downloader tools and, more recently, a fake VPN app called WireVPN.

Infoblox noted that shared WHOIS registrant names, matching tracker codes, and identical backend server structures across dozens of domains made the connection difficult to dismiss as coincidence.

WireVPN and Ongoing Risk

The fake 7-Zip operation has since evolved into a new disguise called WireVPN, available on both the Apple App Store and Google Play with reported downloads exceeding one million on Android alone.

Testing showed that instead of behaving like a real VPN, the app pinged large numbers of unrelated IP addresses and opened multiple simultaneous connections, a pattern consistent with acting as an exit point for someone else’s internet traffic rather than protecting the user’s own.

High-level overview of the Lurking Lizard residential proxy ecosystem (Source - Infoblox)
High-level overview of the Lurking Lizard residential proxy ecosystem (Source – Infoblox)

Infoblox recommends that users avoid downloading software from unofficial or search-suggested links and instead verify official domains before installing any archive or VPN tool.

High-level overview of the Lurking Lizard residential proxy ecosystem (Source - Infoblox)
High-level overview of the Lurking Lizard residential proxy ecosystem (Source – Infoblox)

The company also advises checking app publisher details carefully, since Lurking Lizard’s apps carried valid looking code signing certificates from registered companies.

Security teams are encouraged to monitor for the specific file names, domains, and network behaviors tied to this actor to catch infections early.

This case is a reminder that a program simply working as expected is not proof it is safe. Millions of people may be unknowingly renting out their bandwidth to criminal proxy networks through apps they trusted for privacy protection.

Indicators of Compromise (IoCs):-

Type Indicator Description
Domain 7zip[.]com Fake 7-Zip installer distribution site 
Domain bintangwarisanhotel[.]com Actor-controlled domain sharing tracker code with 7zip[.]com 
Domain smartproxy[.]org Lookalike domain impersonating Smartproxy 
Domain ipidea[.]org Lookalike domain impersonating IPIDEA proxy provider 
Domain proxyreviews[.]org Fake independent proxy review site 
Domain update.whtatsapp[.]net WhatsApp lookalike payload delivery domain 
Domain update.wirevpn[.]app WireVPN payload delivery subdomain 
Domain api.betflixfree[.]net Shared backend API domain 
Domain api.isharkvpn[.]com Shared backend API domain 
Domain api.snaptik[.]io Shared backend API domain 
Domain api.wirevpn[.]app Shared backend API domain 
Domain api.wirevpn[.]io Shared backend API domain 
Domain wirevpn[.]app WireVPN branded C2/traffic domain 
Domain wirevpn[.]cc WireVPN branded C2/traffic domain 
Domain wirevpn[.]io WireVPN branded C2/traffic domain 
Domain abc.breakoursilence[.]com Benign-looking traffic forwarding host 
Domain bin.visitbenin[.]org Benign-looking traffic forwarding host 
Domain cate.norton-com-nu16[.]com Benign-looking traffic forwarding host 
Domain 911proxy[.]com Lookalike proxy service storefront 
URL hxxps://iplogger[.]com/mnWD Hardcoded telemetry beacon linking campaigns 
File hero.exe Primary payload in original 7-Zip campaign 
File uphero.exe Service manager/update loader component 
File wire.exe Primary payload in WireVPN campaign 
File upwire.exe Service manager/update loader component 

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.

The post Lurking Lizard Uses Fake 7-Zip Installers to Turn Victim Devices Into Proxy Nodes appeared first on Cyber Security News.