Lurking Lizard Uses Fake 7-Zip Installers to Turn Victim Devices Into Proxy Nodes
A cybercriminal operation tracked as Lurking Lizard has been linked to fake software installers that quietly turn victim devices into residential proxy nodes.
The campaign gained attention after users downloaded a fake 7-Zip installer from 7zip[.]com instead of the official 7-Zip domain. The installer reportedly included the real archive tool to avoid suspicion while also installing hidden proxy components in the background.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
According to TechRadar, the fake site abused the trusted 7-Zip name and enrolled infected systems into a residential proxy network that could be rented to other cybercriminals.
Fake 7-Zip downloads hid proxy malware
The lure worked because many users search for 7-Zip by name and may not notice the difference between 7zip[.]com and the real project website.
The legitimate 7-Zip download page is hosted at 7-zip.org. Users who downloaded from the lookalike .com domain risked installing a trojanized package instead of only the trusted file archiver.
Windows Central reported that the fake installer dropped files under C:\Windows\SysWOW64\hero\, registered them as services, changed firewall behavior, profiled the system, and then enrolled the device into a proxy network.
| Item | Details |
|---|---|
| Threat actor | Lurking Lizard |
| Main lure | Fake 7-Zip installer |
| Impersonated domain | 7zip[.]com |
| Official 7-Zip domain | 7-zip[.]org |
| Reported payload goal | Turn infected devices into proxy nodes |
| Reported follow-on brand | WireVPN |
Why residential proxy malware is dangerous
Residential proxy malware lets attackers route internet traffic through infected home or office devices. That can make malicious activity appear to come from the victim’s IP address instead of the attacker’s own infrastructure.
MITRE ATT&CK describes proxy use as a way for adversaries to direct traffic through intermediaries, hide infrastructure, and disguise the source of network activity.
That makes proxy botnets useful for fraud, spam, credential attacks, ad abuse, account creation, scraping, phishing, and other activity where attackers want traffic to look like it comes from ordinary users.
- The victim may not notice that the device is relaying other people’s traffic.
- The victim’s IP address can appear in abuse logs.
- The device may show unusual bandwidth use.
- Attackers can sell access to the infected connection.
- Security tools may miss the infection if the visible app works normally.
Lurking Lizard used more than one software disguise
Infoblox researchers reportedly traced the 7-Zip campaign to a larger ecosystem of fake software and proxy-service domains. The company linked more than 230 domains to the same actor through shared tracking artifacts, registration clues, code reuse, and backend infrastructure.
The operation allegedly included fake VPN apps, fake downloader tools, fake proxy provider brands, and proxy review sites that looked independent.
This matters because a fake installer campaign can look isolated at first. When domains, payload names, tracker codes, certificates, and backend APIs overlap, the picture changes from a single scam into a long-running proxy business.
Drop-catching helped the fake domain look credible
The fake 7-Zip campaign used a domain that already had accidental visibility online. Infoblox said 7zip[.]com had appeared in older forum posts and references for years, even though the official project uses a different domain.
This kind of domain history can help attackers because users and search engines may treat an older domain as more familiar than a brand-new one.
MITRE’s spearphishing link technique explains that attackers can use links and social engineering text to send users to websites that prompt downloads or other actions.
The fake installer used the real app as cover
The fake download did not simply fail or show an error. Reports said it installed the real 7-Zip program, which made the infection harder for users to notice.
That cover tactic works because victims get the software they expected. If the archive tool opens and works, many users will not check what else the installer changed.
Windows Central’s report said the malicious package registered hidden components as Windows services with elevated privileges, then modified firewall rules and enrolled the machine into a residential proxy network.
| Observed behavior | Why it matters |
|---|---|
| Installs the real 7-Zip app | Reduces user suspicion |
| Drops hidden files | Adds malware components outside the visible app |
| Registers Windows services | Helps the malware start after reboot |
| Changes firewall rules | Allows proxy traffic to flow |
| Profiles the system | Collects information useful for proxy enrollment |
Windows services gave the malware persistence
One reason the infection could survive reboots was its use of Windows services. Services run in the background and can start automatically when Windows boots.
MITRE ATT&CK’s Windows Service technique says adversaries may create or modify services to repeatedly execute malicious payloads for persistence, and that services can run with elevated privileges.
For defenders, service creation after a consumer app install is a strong warning sign. A file archiver should not quietly create hidden services in system folders or change firewall rules for unexplained network traffic.
The campaign expanded beyond fake 7-Zip
Infoblox said a hardcoded IPLogger tracking link helped connect the 7-Zip campaign to other lures. These included fake TikTok and YouTube downloader tools, a WhatsApp lookalike delivery domain, and later activity tied to WireVPN.
The shared tracking link gave researchers a way to connect otherwise unrelated-looking domains and installers. Matching backend APIs and similar domain structures strengthened the link.
This shows how threat actors reuse infrastructure even when they change branding. A domain, file name, tracker code, or API endpoint can expose connections across campaigns that look separate to normal users.
WireVPN raised fresh concerns
Infoblox reported that the operation later appeared under a VPN-themed brand called WireVPN. The app was reportedly present on mobile app stores and had large Android download numbers.
Testing described in the report found that the app did not behave like a normal VPN. Instead, it reportedly pinged many unrelated IP addresses and opened several simultaneous connections, which is more consistent with acting as an exit point than protecting the user’s own traffic.
That distinction matters. A VPN should protect a user’s connection and route their traffic through controlled servers. A proxy-node app can do the opposite by letting other parties route traffic through the user’s device.
Why fake VPNs are especially risky
Fake VPNs create a dangerous trust problem. Users install them for privacy, but the app may expose their connection, device resources, or IP reputation to other people’s activity.
If an app sells or abuses user bandwidth without clear consent, the user becomes part of someone else’s infrastructure. That can create legal, security, and privacy risks even when the app looks professional and carries a valid-looking certificate.
The official 7-Zip site remains a useful example of why users should verify exact domains before downloading software. A small domain difference can separate a safe installer from a malicious clone.
Indicators linked to Lurking Lizard
Infoblox shared several domains, URLs, and file names tied to the reported operation. Defenders should use these indicators for hunting, but they should also monitor behavior because the actor can change domains and payload names.
| Type | Indicator | Description |
|---|---|---|
| Domain | 7zip[.]com | Fake 7-Zip installer distribution site |
| Domain | bintangwarisanhotel[.]com | Actor-controlled domain sharing tracker code with 7zip[.]com |
| Domain | smartproxy[.]org | Lookalike domain impersonating Smartproxy |
| Domain | ipidea[.]org | Lookalike domain impersonating IPIDEA proxy provider |
| Domain | proxyreviews[.]org | Fake independent proxy review site |
| Domain | update.whtatsapp[.]net | WhatsApp lookalike payload delivery domain |
| Domain | update.wirevpn[.]app | WireVPN payload delivery subdomain |
| Domain | api.betflixfree[.]net | Shared backend API domain |
| Domain | api.isharkvpn[.]com | Shared backend API domain |
| Domain | api.snaptik[.]io | Shared backend API domain |
| Domain | api.wirevpn[.]app | Shared backend API domain |
| Domain | api.wirevpn[.]io | Shared backend API domain |
| Domain | wirevpn[.]app | WireVPN branded traffic domain |
| Domain | wirevpn[.]cc | WireVPN branded traffic domain |
| Domain | wirevpn[.]io | WireVPN branded traffic domain |
| Domain | abc.breakoursilence[.]com | Benign-looking traffic forwarding host |
| Domain | bin.visitbenin[.]org | Benign-looking traffic forwarding host |
| Domain | cate.norton-com-nu16[.]com | Benign-looking traffic forwarding host |
| Domain | 911proxy[.]com | Lookalike proxy service storefront |
| URL | hxxps://iplogger[.]com/mnWD | Hardcoded telemetry beacon linking campaigns |
| File | hero.exe | Primary payload in original 7-Zip campaign |
| File | uphero.exe | Service manager or update loader component |
| File | wire.exe | Primary payload in WireVPN campaign |
| File | upwire.exe | Service manager or update loader component |
What security teams should monitor
Defenders should treat fake software installers as a full intrusion path, not just unwanted programs. If the installer creates services, changes firewall rules, and opens unexpected outbound connections, the system may already be part of a proxy network.
Monitoring should focus on suspicious service creation, unusual traffic from consumer software, unexpected files in system directories, and network patterns that suggest the device is relaying connections for others.
The MITRE Windows Service guidance supports monitoring new or modified services, while the MITRE Proxy technique explains why attackers use proxy layers to hide infrastructure and traffic sources.
- Block downloads from lookalike software domains.
- Alert on installers that create unexplained Windows services.
- Monitor new folders such as C:\Windows\SysWOW64\hero\.
- Review firewall rule changes after software installation.
- Investigate unknown services running with SYSTEM privileges.
- Watch for high-volume outbound connections to unrelated IP addresses.
- Compare downloaded installers against official vendor hashes when available.
Users should check the exact download domain
Users should avoid search-result shortcuts and download popular tools directly from official project pages. This is especially important for free tools such as archive utilities, VPNs, downloaders, media tools, and browser add-ons.
Users who installed 7-Zip from 7zip[.]com should disconnect the device from the internet, check for suspicious services and the reported hero folder, scan the system, and consider reinstalling Windows if compromise is confirmed.
TechRadar’s coverage also warned that malicious proxy access can help criminals hide activity such as phishing, business email compromise, data leaks, malware distribution, and ransomware operations.
Why the operation matters
Lurking Lizard shows how proxy malware can hide behind software that appears to work. The victim gets the expected app, but the device also becomes part of a paid network that serves someone else’s traffic.
The business model is simple but harmful. Attackers infect devices at scale, sell access to their bandwidth, and let customers use residential IP addresses for activity that becomes harder to trace back to the real operator.
The broader lesson matches the MITRE spearphishing link guidance: users can be pushed to malicious downloads through links that appear trustworthy. Verifying the exact domain remains one of the simplest ways to avoid these infections.
Proxy networks turn trust into infrastructure
The fake 7-Zip and WireVPN cases show two sides of the same problem. Attackers abuse trusted software names to get installed, then abuse the victim’s internet connection to make other activity look legitimate.
That makes detection difficult because the traffic may come from real homes, offices, and mobile devices. It also makes prevention more important because cleanup can require service removal, firewall repair, credential resets, and sometimes a full system rebuild.
The practical takeaway is simple: a program working as expected does not prove the installer was safe. Users and security teams should verify the publisher, the exact domain, and the system changes that happen after installation.
FAQ
Lurking Lizard is the name Infoblox uses for a cybercriminal operation linked to fake software installers, proxy service domains, and apps that allegedly turn victim devices into proxy nodes.
Users were tricked into downloading 7-Zip from 7zip.com instead of the official 7-zip.org domain. The installer reportedly installed the real app while also dropping hidden proxy components.
Proxy-node malware uses the victim’s internet connection to relay traffic for other people. This can make criminal or abusive traffic appear to come from the victim’s IP address.
WireVPN is a later VPN-themed brand that Infoblox linked to the same broader Lurking Lizard ecosystem. Researchers said its network behavior looked more like a proxy exit-node system than a normal VPN service.
Users should download software only from official vendor domains, check the exact URL before installing, avoid search-result lookalikes, and scan any system that installed software from an unofficial site.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages