Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Five Charged in “Russian Coms” Fraud Platform Case

July 14, 2026

Fake 7-Zip Installers Turn Devices Into Residential Proxy Nodes

July 14, 2026

Pentagon Suspends CMMC Phase II Requirements for Defense Contractors

July 14, 2026
Facebook X (Twitter) Instagram
Wednesday, July 15
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Fake 7-Zip Installers Turn Devices Into Residential Proxy Nodes
News

Fake 7-Zip Installers Turn Devices Into Residential Proxy Nodes

Team-CWDBy Team-CWDJuly 14, 2026No Comments5 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


Cybersecurity researchers have disclosed details of a new threat actor dubbed Lurking Lizard that has been operating an end-to-end malicious residential proxy business using an infrastructure comprising more than 230 lookalike domains.

The activity dates back to at least August 2022, according to DNS threat intelligence firm Infoblox. One such campaign, observed earlier this year, involved the actor luring victims with a trojanized 7-Zip installer hosted on a domain named “7zip[.]com,” covertly recruiting compromised devices as proxy nodes.

Lurking Lizard is also known to impersonate major proxy providers, including IPIDEA, SmartProxy (now Decodo), IP Royal, and 911Proxy, not to mention going to the extent of running fake “independent” review sites to drive traffic to its own scam storefronts. Interestingly, IPIDEA’s infrastructure was dismantled by Google in an operation earlier this January.

Subsequent findings from Proxyway have uncovered that 773,087 unique IP addresses linked to SmartProxy were also present in a publicly available IPIDEA IP dataset comprising 16,192,293 unique IPs, indicating SmartProxy either “resells IPIDEA’s infrastructure directly or uses it as a significant IP source.”

WHOIS analysis and infrastructure fingerprinting suggest that Lurking Lizard is a China-based actor, with the illicit scheme also using popular VPNs and services like HeroSMS as decoys to distribute the proxy malware.

One of the notable aspects of the adversary’s modus operandi revolves around acquiring domains when they expire to inherit their accumulated history and legitimacy, a technique known as drop-catching. In some cases, the attacker has taken advantage of the perceived legitimacy surrounding incorrectly referenced domain names (e.g., “7zip[.]com” instead of “7-zip[.]org”) to use them to their advantage.

Further analysis of the IPLogger URL (“iplogger[.]com/mnWD”) embedded within the samples tied to the 7-Zip campaign has uncovered that the same underlying infrastructure has been used to serve fake installers for 7-Zip, WhatsApp, tools falsely claiming TikTok and YouTube downloaders, and WireVPN.

Infoblox says the use of WireVPN branding represents the latest evolution of the campaign, using a multi-pronged approach to target users across operating systems, including Android, macOS, and Windows. One such Android app, called “wirevpn – Fast Unlimited Proxy” and published under a U.K.-registered entity, WIRE LTD, has amassed more than 1 million downloads, although it’s unclear if these downloads are organic. Neither Infoblox nor The Hacker News has established that the files named wire.exe or upwire.exe were official WireVPN software or were distributed by WEILAI.

WEILAI NETWORK TECHNOLOGY CO., LIMITED, which operates WireVPN, disputes Infoblox’s findings. It denies enrolling users’ devices as residential proxy nodes or routing third-party traffic through their IP addresses, and says wire.exe and upwire.exe are not official WireVPN files.

“In the original 7-Zip campaign, victims were directed to malicious installers through tutorial content, search-driven discovery, and lookalike domains,” Infoblox said. “Whether similar techniques are driving users to the current desktop variants is unclear, but the mobile applications may serve as an additional acquisition channel.”

Infoblox analyzed only Windows samples and did not examine the mobile apps, and it characterized the exit-node behavior as pointing toward a proxy network while noting that further analysis is needed to fully characterize it. It’s also unclear if the same proxy functionality (an exit node funneling third-party traffic through victims’ devices) is present in the mobile applications, or if it’s limited to the desktop versions. Regardless, Infoblox says they paint a picture of what appears to be an unlawful proxy business that fuels a coordinated ecosystem spanning victim acquisition, proxy infrastructure, marketing, and monetization.

The result is an end-to-end operation that goes through two distinct stages:

  • Trojanized installers, mobile applications, and other lures recruit victim devices into an actor-controlled proxy botnet.
  • The pool is then monetized through lookalike proxy service brands, while fake review sites help drive traffic to the actor’s storefronts.

“We are struck by the parallels between the recently exposed criminal activity in the residential proxy space and malvertising that plagues affiliate advertising,” Infoblox said. “There’s an obvious story: Your TV may be part of a giant botnet conducting attacks across the internet. But the real story is far more complex, and solutions are still elusive.”

“Rather than operating a single malware campaign, Lurking Lizard manages multiple stages of the residential proxy lifecycle for several years, from acquiring victim devices through to marketing and selling access to the resulting network.”

The development comes days after Google announced that it had significantly degraded the NetNut (aka Popa) residential proxy network that turned at least 2 million devices, such as smart TVs and streaming boxes, into conduits for unauthorized network traffic through malware-laced SDKs that either come pre-installed before purchase or through apps containing hidden proxy code.

“This creates serious risks for unsuspecting device owners, as their home IP addresses can be used by attackers as a launchpad for hacking and other unauthorized activities,” Google said. “Consequently, users can have their legitimate traffic flagged as suspicious, or blocked by their service providers.”

Note: Updated on July 12, 2026, to attribute the disputed findings to Infoblox, clarify the scope of its analysis, correct the developer entity of the Android app, and add WireVPN’s response.



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticlePentagon Suspends CMMC Phase II Requirements for Defense Contractors
Next Article Five Charged in “Russian Coms” Fraud Platform Case
Team-CWD
  • Website

Related Posts

News

Five Charged in “Russian Coms” Fraud Platform Case

July 14, 2026
News

Pentagon Suspends CMMC Phase II Requirements for Defense Contractors

July 14, 2026
News

Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS

July 14, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

What it is and how to protect yourself

January 8, 2026

A stealthy RAT burrowing deep into Android devices

May 26, 2026

The quest for greater tech independence

May 19, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.