Lurking Lizard Uses Fake 7-Zip Installers to Turn Victim Devices Into Proxy Nodes


A cybercriminal operation tracked as Lurking Lizard has been linked to fake software installers that quietly turn victim devices into residential proxy nodes.

The campaign gained attention after users downloaded a fake 7-Zip installer from 7zip[.]com instead of the official 7-Zip domain. The installer reportedly included the real archive tool to avoid suspicion while also installing hidden proxy components in the background.

According to TechRadar, the fake site abused the trusted 7-Zip name and enrolled infected systems into a residential proxy network that could be rented to other cybercriminals.

Fake 7-Zip downloads hid proxy malware

The lure worked because many users search for 7-Zip by name and may not notice the difference between 7zip[.]com and the real project website.

The legitimate 7-Zip download page is hosted at 7-zip.org. Users who downloaded from the lookalike .com domain risked installing a trojanized package instead of only the trusted file archiver.

Windows Central reported that the fake installer dropped files under C:\Windows\SysWOW64\hero\, registered them as services, changed firewall behavior, profiled the system, and then enrolled the device into a proxy network.

ItemDetails
Threat actorLurking Lizard
Main lureFake 7-Zip installer
Impersonated domain7zip[.]com
Official 7-Zip domain7-zip[.]org
Reported payload goalTurn infected devices into proxy nodes
Reported follow-on brandWireVPN

Why residential proxy malware is dangerous

Residential proxy malware lets attackers route internet traffic through infected home or office devices. That can make malicious activity appear to come from the victim’s IP address instead of the attacker’s own infrastructure.

MITRE ATT&CK describes proxy use as a way for adversaries to direct traffic through intermediaries, hide infrastructure, and disguise the source of network activity.

That makes proxy botnets useful for fraud, spam, credential attacks, ad abuse, account creation, scraping, phishing, and other activity where attackers want traffic to look like it comes from ordinary users.

  • The victim may not notice that the device is relaying other people’s traffic.
  • The victim’s IP address can appear in abuse logs.
  • The device may show unusual bandwidth use.
  • Attackers can sell access to the infected connection.
  • Security tools may miss the infection if the visible app works normally.

Lurking Lizard used more than one software disguise

Infoblox researchers reportedly traced the 7-Zip campaign to a larger ecosystem of fake software and proxy-service domains. The company linked more than 230 domains to the same actor through shared tracking artifacts, registration clues, code reuse, and backend infrastructure.

The operation allegedly included fake VPN apps, fake downloader tools, fake proxy provider brands, and proxy review sites that looked independent.

This matters because a fake installer campaign can look isolated at first. When domains, payload names, tracker codes, certificates, and backend APIs overlap, the picture changes from a single scam into a long-running proxy business.

Drop-catching helped the fake domain look credible

The fake 7-Zip campaign used a domain that already had accidental visibility online. Infoblox said 7zip[.]com had appeared in older forum posts and references for years, even though the official project uses a different domain.

This kind of domain history can help attackers because users and search engines may treat an older domain as more familiar than a brand-new one.

MITRE’s spearphishing link technique explains that attackers can use links and social engineering text to send users to websites that prompt downloads or other actions.

The fake installer used the real app as cover

The fake download did not simply fail or show an error. Reports said it installed the real 7-Zip program, which made the infection harder for users to notice.

That cover tactic works because victims get the software they expected. If the archive tool opens and works, many users will not check what else the installer changed.

Windows Central’s report said the malicious package registered hidden components as Windows services with elevated privileges, then modified firewall rules and enrolled the machine into a residential proxy network.

Observed behaviorWhy it matters
Installs the real 7-Zip appReduces user suspicion
Drops hidden filesAdds malware components outside the visible app
Registers Windows servicesHelps the malware start after reboot
Changes firewall rulesAllows proxy traffic to flow
Profiles the systemCollects information useful for proxy enrollment

Windows services gave the malware persistence

One reason the infection could survive reboots was its use of Windows services. Services run in the background and can start automatically when Windows boots.

MITRE ATT&CK’s Windows Service technique says adversaries may create or modify services to repeatedly execute malicious payloads for persistence, and that services can run with elevated privileges.

For defenders, service creation after a consumer app install is a strong warning sign. A file archiver should not quietly create hidden services in system folders or change firewall rules for unexplained network traffic.

The campaign expanded beyond fake 7-Zip

Infoblox said a hardcoded IPLogger tracking link helped connect the 7-Zip campaign to other lures. These included fake TikTok and YouTube downloader tools, a WhatsApp lookalike delivery domain, and later activity tied to WireVPN.

The shared tracking link gave researchers a way to connect otherwise unrelated-looking domains and installers. Matching backend APIs and similar domain structures strengthened the link.

This shows how threat actors reuse infrastructure even when they change branding. A domain, file name, tracker code, or API endpoint can expose connections across campaigns that look separate to normal users.

WireVPN raised fresh concerns

Infoblox reported that the operation later appeared under a VPN-themed brand called WireVPN. The app was reportedly present on mobile app stores and had large Android download numbers.

Testing described in the report found that the app did not behave like a normal VPN. Instead, it reportedly pinged many unrelated IP addresses and opened several simultaneous connections, which is more consistent with acting as an exit point than protecting the user’s own traffic.

That distinction matters. A VPN should protect a user’s connection and route their traffic through controlled servers. A proxy-node app can do the opposite by letting other parties route traffic through the user’s device.

Why fake VPNs are especially risky

Fake VPNs create a dangerous trust problem. Users install them for privacy, but the app may expose their connection, device resources, or IP reputation to other people’s activity.

If an app sells or abuses user bandwidth without clear consent, the user becomes part of someone else’s infrastructure. That can create legal, security, and privacy risks even when the app looks professional and carries a valid-looking certificate.

The official 7-Zip site remains a useful example of why users should verify exact domains before downloading software. A small domain difference can separate a safe installer from a malicious clone.

Indicators linked to Lurking Lizard

Infoblox shared several domains, URLs, and file names tied to the reported operation. Defenders should use these indicators for hunting, but they should also monitor behavior because the actor can change domains and payload names.

TypeIndicatorDescription
Domain7zip[.]comFake 7-Zip installer distribution site
Domainbintangwarisanhotel[.]comActor-controlled domain sharing tracker code with 7zip[.]com
Domainsmartproxy[.]orgLookalike domain impersonating Smartproxy
Domainipidea[.]orgLookalike domain impersonating IPIDEA proxy provider
Domainproxyreviews[.]orgFake independent proxy review site
Domainupdate.whtatsapp[.]netWhatsApp lookalike payload delivery domain
Domainupdate.wirevpn[.]appWireVPN payload delivery subdomain
Domainapi.betflixfree[.]netShared backend API domain
Domainapi.isharkvpn[.]comShared backend API domain
Domainapi.snaptik[.]ioShared backend API domain
Domainapi.wirevpn[.]appShared backend API domain
Domainapi.wirevpn[.]ioShared backend API domain
Domainwirevpn[.]appWireVPN branded traffic domain
Domainwirevpn[.]ccWireVPN branded traffic domain
Domainwirevpn[.]ioWireVPN branded traffic domain
Domainabc.breakoursilence[.]comBenign-looking traffic forwarding host
Domainbin.visitbenin[.]orgBenign-looking traffic forwarding host
Domaincate.norton-com-nu16[.]comBenign-looking traffic forwarding host
Domain911proxy[.]comLookalike proxy service storefront
URLhxxps://iplogger[.]com/mnWDHardcoded telemetry beacon linking campaigns
Filehero.exePrimary payload in original 7-Zip campaign
Fileuphero.exeService manager or update loader component
Filewire.exePrimary payload in WireVPN campaign
Fileupwire.exeService manager or update loader component

What security teams should monitor

Defenders should treat fake software installers as a full intrusion path, not just unwanted programs. If the installer creates services, changes firewall rules, and opens unexpected outbound connections, the system may already be part of a proxy network.

Monitoring should focus on suspicious service creation, unusual traffic from consumer software, unexpected files in system directories, and network patterns that suggest the device is relaying connections for others.

The MITRE Windows Service guidance supports monitoring new or modified services, while the MITRE Proxy technique explains why attackers use proxy layers to hide infrastructure and traffic sources.

  1. Block downloads from lookalike software domains.
  2. Alert on installers that create unexplained Windows services.
  3. Monitor new folders such as C:\Windows\SysWOW64\hero\.
  4. Review firewall rule changes after software installation.
  5. Investigate unknown services running with SYSTEM privileges.
  6. Watch for high-volume outbound connections to unrelated IP addresses.
  7. Compare downloaded installers against official vendor hashes when available.

Users should check the exact download domain

Users should avoid search-result shortcuts and download popular tools directly from official project pages. This is especially important for free tools such as archive utilities, VPNs, downloaders, media tools, and browser add-ons.

Users who installed 7-Zip from 7zip[.]com should disconnect the device from the internet, check for suspicious services and the reported hero folder, scan the system, and consider reinstalling Windows if compromise is confirmed.

TechRadar’s coverage also warned that malicious proxy access can help criminals hide activity such as phishing, business email compromise, data leaks, malware distribution, and ransomware operations.

Why the operation matters

Lurking Lizard shows how proxy malware can hide behind software that appears to work. The victim gets the expected app, but the device also becomes part of a paid network that serves someone else’s traffic.

The business model is simple but harmful. Attackers infect devices at scale, sell access to their bandwidth, and let customers use residential IP addresses for activity that becomes harder to trace back to the real operator.

The broader lesson matches the MITRE spearphishing link guidance: users can be pushed to malicious downloads through links that appear trustworthy. Verifying the exact domain remains one of the simplest ways to avoid these infections.

Proxy networks turn trust into infrastructure

The fake 7-Zip and WireVPN cases show two sides of the same problem. Attackers abuse trusted software names to get installed, then abuse the victim’s internet connection to make other activity look legitimate.

That makes detection difficult because the traffic may come from real homes, offices, and mobile devices. It also makes prevention more important because cleanup can require service removal, firewall repair, credential resets, and sometimes a full system rebuild.

The practical takeaway is simple: a program working as expected does not prove the installer was safe. Users and security teams should verify the publisher, the exact domain, and the system changes that happen after installation.

FAQ

What is Lurking Lizard?

Lurking Lizard is the name Infoblox uses for a cybercriminal operation linked to fake software installers, proxy service domains, and apps that allegedly turn victim devices into proxy nodes.

How did the fake 7-Zip installer infect users?

Users were tricked into downloading 7-Zip from 7zip.com instead of the official 7-zip.org domain. The installer reportedly installed the real app while also dropping hidden proxy components.

What does proxy-node malware do?

Proxy-node malware uses the victim’s internet connection to relay traffic for other people. This can make criminal or abusive traffic appear to come from the victim’s IP address.

What is WireVPN in this campaign?

WireVPN is a later VPN-themed brand that Infoblox linked to the same broader Lurking Lizard ecosystem. Researchers said its network behavior looked more like a proxy exit-node system than a normal VPN service.

How can users avoid fake software installers?

Users should download software only from official vendor domains, check the exact URL before installing, avoid search-result lookalikes, and scan any system that installed software from an unofficial site.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages