Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
ClickFix Phishing Campaign Targets Mexican Bank Customers With Fake Google Verification
July 8, 2026
Lurking Lizard Malware Creates Proxy Nodes via Fake 7-Zip Installers
July 8, 2026
Fake Indian Tax Notices Deliver Dual RAT Malware
July 8, 2026
Home/Threats/Lurking Lizard Malware Creates Proxy Nodes via Fake 7-Zip Installers
Threats

Lurking Lizard Malware Creates Proxy Nodes via Fake 7-Zip Installers

Key Takeaways A sophisticated cybercriminal group, dubbed “Lurking Lizard,” has been operating since at least August 2022, transforming unsuspecting users’ computers into...

Marcus Rodriguez
Marcus Rodriguez
July 8, 2026 4 Min Read
4 0

Key Takeaways

  • A sophisticated cybercriminal group, dubbed “Lurking Lizard,” has been operating since at least August 2022, transforming unsuspecting users’ computers into residential proxy nodes.
  • The attackers initially tricked victims into installing malware disguised as legitimate software, most notably fake 7-Zip archiving tool installers found on lookalike websites.
  • The operation has since diversified, leveraging over 230 domains and rebranding under various guises, including a fake VPN application called WireVPN, which has garnered over a million Android downloads.
  • Victims’ internet bandwidth is covertly rented out to paying customers, without their knowledge or consent, fueling a lucrative proxy service business for the threat actor.
  • The group demonstrates a high degree of operational maturity, utilizing domain drop-catching, shared infrastructure, and legitimate-looking code signing certificates to evade detection.

Cybercriminals Exploit Fake 7-Zip Installers to Build Covert Proxy Network

A persistent cybercriminal syndicate, identified as “Lurking Lizard,” has been systematically compromising personal computers since at least August 2022, covertly converting them into residential proxy servers. The group initially lured victims through deceptive installers for popular software, prominently featuring a counterfeit version of the widely used 7-Zip file compression tool. Instead of receiving the genuine software, users inadvertently installed malicious code that silently leased their internet connections to paying clients, unbeknownst to the device owners.

Table Of Content

  • Key Takeaways
  • Cybercriminals Exploit Fake 7-Zip Installers to Build Covert Proxy Network
  • The Lurking Lizard Operation: An End-to-End Proxy Business
  • Deceptive Tactics: Drop-Catching and IPLogger Tracking
  • WireVPN: The Latest Evolution of Lurking Lizard
  • What You Should Do

The extensive campaign came to light in early 2026 after a fake 7-Zip installer was discovered on 7zip[.]com, a domain closely mimicking the official 7-zip[.]org site. What initially appeared to be an isolated incident quickly unraveled into a much broader, long-running scheme. Researchers traced the operation back several years, uncovering a sophisticated network built upon dozens of fraudulent software brands.

The Lurking Lizard Operation: An End-to-End Proxy Business

Security researchers at Infoblox were instrumental in identifying the group responsible for this activity, naming them Lurking Lizard. Infoblox said in a report that the threat actor manages a comprehensive proxy business. This includes everything from deceiving users into installing malware to reselling their compromised bandwidth through a network of fabricated proxy service storefronts. Infoblox’s threat intelligence team meticulously connected various elements of the operation, including domain registration records, shared code signatures, and unique tracking artifacts embedded within the malware samples.

The sheer scale of the Lurking Lizard operation is particularly noteworthy. Infoblox discovered over 230 domains linked to the same actor, encompassing a diverse array of fraudulent offerings. These included fake VPN applications, counterfeit download tools, and even seemingly independent proxy provider websites, all designed to mask the underlying criminal enterprise. Analysis of domain registration data and recurring registrant names strongly suggests that the operator is based in China.

Rather than ceasing operations after initial exposure, the group has demonstrated remarkable adaptability, appearing to simply rebrand and continue its activities under new aliases and guises.

Deceptive Tactics: Drop-Catching and IPLogger Tracking

The fake 7-Zip campaign strategically leveraged a technique known as drop-catching. This involves acquiring expired domain names to inherit their pre-existing search engine reputation. In the case of 7zip[.]com, the domain had been erroneously cited in online forums for years, inadvertently building a level of credibility that the attackers exploited upon its acquisition. Investigators identified at least seven additional drop-catch domains tied to the same actor, with some registrations dating as far back as 2004.

A critical piece of evidence linking the seemingly disparate campaigns was a hardcoded IPLogger tracking link embedded within various malware samples. This single link provided a clear connection between the fake 7-Zip installers and other deceptive lures, such as bogus TikTok and YouTube downloader tools, and more recently, a fraudulent VPN application known as WireVPN. Infoblox emphasized that consistent WHOIS registrant names, identical tracker codes, and matching backend server infrastructures across dozens of domains provided undeniable evidence of a unified, coordinated effort.

WireVPN: The Latest Evolution of Lurking Lizard

The Lurking Lizard operation has evolved, with its current iteration manifesting as WireVPN. This fake VPN application is available on both the Apple App Store and Google Play, with reported downloads exceeding one million on Android platforms alone. Despite purporting to offer VPN services, testing revealed that WireVPN does not function as a legitimate VPN. Instead, the application was observed making numerous connections to unrelated IP addresses and opening multiple simultaneous connections—a pattern consistent with its role as an exit node for third-party internet traffic, rather than securing the user’s own connection.

What You Should Do

  • Verify Software Sources: Always download software, especially essential tools like file archivers and VPNs, directly from the official vendor’s website. Avoid downloading from unofficial sources, search engine results, or third-party download sites that may host malicious versions.
  • Examine Domain Names Closely: Pay meticulous attention to domain names. Cybercriminals often use subtle misspellings or alternative top-level domains (e.g., .com instead of .org) to trick users.
  • Scrutinize App Publisher Details: Before installing any application, particularly from app stores, thoroughly check the publisher’s name, reputation, and reviews. Be wary of generic or newly registered publisher accounts, even if the app has a valid-looking code signing certificate.
  • Monitor Network Traffic: For security teams, actively monitor network traffic for suspicious connections, especially those originating from unexpected processes or communicating with the Indicators of Compromise (IoCs) provided by Infoblox.
  • Implement Endpoint Detection and Response (EDR): Utilize EDR solutions to detect and block malicious executables and anomalous process behavior associated with proxy malware.
  • Educate Users: Conduct regular cybersecurity awareness training to inform users about the dangers of downloading software from unverified sources and recognizing phishing attempts.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackMalwareSecurityThreat

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

Fake Indian Tax Notices Deliver Dual RAT Malware

Next Post

ClickFix Phishing Campaign Targets Mexican Bank Customers With Fake Google Verification

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
CrowdStrike Reveals 5 New AI Prompt Injection Techniques
July 8, 2026
Claude Cowork Critical Flaw Exposes AI Sessions to Remote Access
July 8, 2026
Exposed Payload Generator Creates Polymorphic Banking Malware Variants for Banana RAT
July 8, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us