Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Fake 7-Zip Installers Turn Devices Into Residential Proxy Nodes

The Hacker News by The Hacker News
July 9, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


Cybersecurity researchers have disclosed details of a new threat actor dubbed Lurking Lizard that has been operating an end-to-end malicious residential proxy business using an infrastructure comprising more than 230 lookalike domains.

The activity dates back to at least August 2022, according to DNS threat intelligence firm Infoblox. Once such campaign, observed earlier this year, involved the actor luring victims with a trojanized 7-Zip installer hosted on a domain named “7zip[.]com,” covertly recruiting compromised devices as proxy nodes.

Lurking Lizard is also known to impersonate major proxy providers, including IPIDEA, SmartProxy (now Decodo), IP Royal, and 911Proxy, not to mention going to the extent of running fake “independent” review sites to drive traffic to its own scam storefronts. Interestingly, IPIDEA’s infrastructure was dismantled by Google in an operation earlier this January.

Subsequent findings from Proxyway have uncovered that 773,087 unique IP addresses linked to SmartProxy were also present in a publicly available IPIDEA IP dataset comprising 16,192,293 unique IPs, indicating SmartProxy either “resells IPIDEA’s infrastructure directly or uses it as a significant IP source.”

WHOIS analysis and infrastructure fingerprinting suggest that Lurking Lizard is a China-based actor, with the illicit scheme also using popular VPNs and services like HeroSMS as decoys to distribute the proxy malware.

One of the notable aspects of the adversary’s modus operandi revolves around acquiring domains when they expire to inherit their accumulated history and legitimacy, a technique known as drop-catching. In some cases, the attacker has taken advantage of the perceived legitimacy surrounding incorrectly referenced domain names (e.g., “7zip[.]com” instead of “7-zip[.]org”) to use them to their advantage.

Further analysis of the IPLogger URL (“iplogger[.]com/mnWD”) embedded within the samples tied to the 7-Zip campaign has uncovered that the same underlying infrastructure has been used to serve fake installers for 7-Zip, WhatsApp, tools falsely claiming TikTok and YouTube downloaders, and WireVPN.

The use of WireVPN branding represents the latest evolution of the campaign, using a multi-pronged approach to target users across operating systems, including Android, macOS, and Windows. One such Android app, called “wirevpn – Fast Unlimited Proxy” and developed by a U.K.-based firm named WEILAI NETWORK TECHNOLOGY CO., LIMITED, has amassed more than 1 million downloads, although it’s unclear if these downloads are organic.

“In the original 7-Zip campaign, victims were directed to malicious installers through tutorial content, search-driven discovery, and lookalike domains,” Infoblox said. “Whether similar techniques are driving users to the current desktop variants is unclear, but the mobile applications may serve as an additional acquisition channel.”

It’s also unclear if the same proxy functionality — i.e., an exit node funneling third-party traffic through victims’ devices — is present in the mobile applications, and if it’s just limited to the desktop applications. Regardless, they paint a picture of what appears to be an unlawful proxy business that fuels a coordinated ecosystem spanning victim acquisition, proxy infrastructure, marketing, and monetization.

The result is an end-to-end operation that goes through two distinct stages:

  • Trojanized installers, mobile applications, and other lures recruit victim devices into an actor-controlled proxy botnet.
  • The pool is then monetized through lookalike proxy service brands, while fake review sites help drive traffic to the actor’s storefronts.

“We are struck by the parallels between the recently exposed criminal activity in the residential proxy space and malvertising that plagues affiliate advertising,” Infoblox said. “There’s an obvious story: Your TV may be part of a giant botnet conducting attacks across the internet. But the real story is far more complex, and solutions are still elusive.”

“Rather than operating a single malware campaign, Lurking Lizard manages multiple stages of the residential proxy lifecycle for several years, from acquiring victim devices through to marketing and selling access to the resulting network.”

The development comes days after Google announced that it had significantly degraded the NetNut (aka Popa) residential proxy network that turned at least 2 million devices, such as smart TVs and streaming boxes, into conduits for unauthorized network traffic through malware-laced SDKs that either come pre-installed before purchase or through apps containing hidden proxy code.

“This creates serious risks for unsuspecting device owners, as their home IP addresses can be used by attackers as a launchpad for hacking and other unauthorized activities,” Google said. “Consequently, users can have their legitimate traffic flagged as suspicious, or blocked by their service providers.”



Source link

The Hacker News

The Hacker News

Next Post
GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents

GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents

Recommended.

Overconfidence in cyber security: a silent catalyst for CNI breaches | Computer Weekly

Overconfidence in cyber security: a silent catalyst for CNI breaches | Computer Weekly

July 22, 2025
Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover

Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover

April 15, 2026

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Anaconda Extends AI-Native Application Development With Acquisition

Anaconda Extends AI-Native Application Development With Acquisition

May 1, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio