Skip to main content
Emerging ThreatsMalware & Ransomware

Malicious 7-Zip Installers Fuel Residential Proxy Botnet

Dimly lit room with scattered devices and tangled cables suggests makeshift indoor operation.

"773,087 unique IP addresses linked to SmartProxy were also present in a publicly available IPIDEA IP dataset comprising 16,192,293 unique IPs."

Lurking Lizard: an end-to-end residential proxy business

Cybersecurity researchers have disclosed a coordinated, multi-year operation by an actor the researchers call "Lurking Lizard." According to DNS threat intelligence firm Infoblox, the actor has been running an end-to-end malicious residential proxy business built on more than 230 lookalike domains and a chain of recruitment, marketing and monetization activities dating back to at least August 2022.

Infoblox describes the scheme as moving through two distinct stages: trojanized installers, mobile applications and other lures recruit victim devices into an actor-controlled proxy botnet; the resulting device pool is monetized through lookalike proxy service brands while fake review sites drive traffic to the actor’s storefronts.

Trojanized installers and lookalike domains — the 7-Zip case

An early campaign observed this year used a trojanized 7-Zip installer hosted on a domain named "7zip[.]com" to covertly recruit compromised devices as proxy nodes. The attacker’s technique included acquiring expired domains (drop-catching) to inherit accumulated history and legitimacy and exploiting common mistakes in domain names — for example, taking advantage of the perceived legitimacy of "7zip[.]com" versus the legitimate "7-zip[.]org."

Infoblox noted that victims were directed to malicious installers through tutorial content, search-driven discovery and lookalike domains. Embedded in the malicious samples was an IPLogger URL ("iplogger[.]com/mnWD"); subsequent analysis showed that the same infrastructure served fake installers for 7-Zip, WhatsApp, purported TikTok and YouTube downloaders, and WireVPN.

Infrastructure links: IPIDEA, SmartProxy, and Google’s takedown

Lurking Lizard has impersonated established proxy providers — IPIDEA, SmartProxy (now Decodo), IP Royal and 911Proxy — and has operated fake “independent” review sites to steer customers to its own storefronts. Proxyway researchers found that 773,087 unique IP addresses tied to SmartProxy were also present in a publicly available IPIDEA dataset of 16,192,293 unique IPs, a finding Proxyway says indicates SmartProxy either resells IPIDEA’s infrastructure directly or uses it as a significant IP source.

Infoblox’s WHOIS analysis and infrastructure fingerprinting suggest Lurking Lizard is China-based. The scheme’s infrastructure has also intersected the wider proxy ecosystem: the reporting notes that IPIDEA’s infrastructure was dismantled by Google in an operation earlier this January, and that Google in recent days had also announced action degrading NetNut (aka Popa), a residential proxy network that turned at least 2 million devices into conduits for unauthorized traffic.

Google warned that such activity "creates serious risks for unsuspecting device owners, as their home IP addresses can be used by attackers as a launchpad for hacking and other unauthorized activities," and that device owners can have legitimate traffic flagged or blocked by service providers.

Mobile evolution: WireVPN apps and distribution channels

The campaign has broadened beyond desktop installers into mobile applications and multi-OS lures. Reporting shows the actor has used WireVPN branding and popular VPNs and services like HeroSMS as decoys. One Android application — "wirevpn - Fast Unlimited Proxy" — developed by a U.K.-based firm named WEILAI NETWORK TECHNOLOGY CO., LIMITED, has amassed more than 1 million downloads, although the researchers say it is unclear whether those downloads are organic.

Infoblox observers note it is not yet clear whether the same proxy exit-node functionality present in desktop variants also exists in the mobile applications; nonetheless, the mobile channel may be an additional acquisition pathway feeding the proxy business.

What this means for technologists, proxy providers, and device owners

  • Technologists and security teams: Watch for trojanized installers distributed through lookalike domains and tutorial content, and monitor for unusual outbound proxying patterns. The reuse of IPLogger infrastructure across multiple fake installers suggests activity clusters that defenders can use to hunt and block.
  • Proxy providers and marketplaces: Expect brand impersonation and resale overlap to complicate attribution and trust. The substantive IP overlap between SmartProxy and an IPIDEA dataset highlights how resale or shared sourcing can obscure the provenance of residential IP pools.
  • Device owners and end users: Be cautious of installers and apps that mimic popular tools and of domains that look visually similar to trusted sites; the operation has specifically exploited common naming mistakes and expired-domain acquisition to inherit perceived legitimacy.

Infoblox summed up the operation’s significance this way: "Rather than operating a single malware campaign, Lurking Lizard manages multiple stages of the residential proxy lifecycle for several years, from acquiring victim devices through to marketing and selling access to the resulting network." Whether defenders can disrupt the full lifecycle — from acquisition channels to storefront monetization — remains an open and urgent question, particularly as actors adapt by moving into mobile channels and leveraging third-party services as distribution decoys.

https://thehackernews.com/2026/07/fake-7-zip-installers-turn-devices-into.html