VYPR
researchPublished Jul 8, 2026· 1 source

Lurking Lizard Turns Users into Proxy Nodes with Fake 7-Zip Installers

A sophisticated, long-running operation by the threat actor Lurking Lizard has been discovered, turning unsuspecting users' devices into proxy nodes by distributing malware disguised as legitimate software, most notably a fake 7-Zip installer.

A covert cybercriminal enterprise, operating since at least August 2022, has been systematically transforming victim devices into unauthorized proxy servers. This extensive operation, attributed to a China-based threat actor dubbed "Lurking Lizard" by Infoblox researchers, leverages malware disguised as popular software, including a convincing fake installer for the 7-Zip file compression utility. The campaign's sophistication lies in its ability to trick users into downloading malicious software that then rents out their internet connections to paying customers without consent.

The operation came to light in early 2026 when security analysts observed a fake 7-Zip installer being distributed from 7zip[.]com, a domain that mimicked the legitimate software's official site (7-zip[.]org). What initially appeared to be an isolated scam was soon revealed to be part of a much larger, interconnected network. Infoblox's threat intelligence team meticulously traced the activity, linking over 230 domains through shared code, tracking artifacts, and domain registration details, pointing to a coordinated, end-to-end proxy business.

Lurking Lizard employs a technique known as "drop-catching" to bolster the credibility of its malicious domains. By acquiring expired domains that have accumulated historical search engine reputation or forum mentions, the group can trick users into trusting them. The domain 7zip[.]com, for instance, had been referenced in online forums for years, lending it an air of legitimacy before it was compromised and used for malicious distribution.

A critical piece of evidence connecting the various lures used by Lurking Lizard was a hardcoded IPLogger tracking link embedded within the malware samples. This single tracking mechanism linked the fake 7-Zip installers to other seemingly unrelated malicious applications, including fake downloaders for platforms like TikTok and YouTube, and more recently, a fraudulent VPN application named WireVPN.

The evolution of the campaign is particularly concerning, with the fake 7-Zip operation morphing into the WireVPN application. This app has achieved significant distribution, reportedly amassing over one million downloads on Android alone via official app stores. Analysis of WireVPN revealed that instead of providing VPN services, it exhibited behavior consistent with acting as an exit point for external internet traffic, opening numerous connections to unrelated IP addresses.

Infoblox's investigation highlighted the actor's operational security, noting that even when exposed, the group appears to have simply rebranded and continued its activities. The use of valid-looking code signing certificates from registered companies further complicates detection efforts, making the malicious applications appear legitimate to unsuspecting users and even some security tools.

To mitigate the risks associated with such campaigns, Infoblox strongly advises users to exercise extreme caution when downloading software. It is crucial to verify official domains and avoid downloading from unofficial sources or search engine suggestions. Furthermore, users should carefully scrutinize app publisher details and be wary of applications that exhibit unusual network behavior, such as excessive or unexpected connections.

This ongoing operation by Lurking Lizard serves as a stark reminder that the convenience and ubiquity of software downloads can be exploited by sophisticated threat actors. The practice of turning legitimate user devices into proxy nodes without consent highlights a growing trend in cybercrime, where personal internet bandwidth is commodified and exploited for illicit purposes, underscoring the need for constant vigilance and robust security practices.

Synthesized by Vypr AI