Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Fake 7-Zip Installers and the Rise of Residential Proxy Networks: A Growing Threat to Cybersecurity



The world of cybersecurity has been abuzz with the recent revelation of a new threat actor, dubbed Lurking Lizard, that has been operating an end-to-end malicious residential proxy business. This operation utilizes more than 230 lookalike domains and employs a range of tactics to acquire victims and funnel third-party traffic through their infrastructure. As security experts continue to adapt to this evolving threat landscape, it is essential to remain vigilant and proactive in our efforts to protect ourselves against such threats.

  • The Lurking Lizard threat actor has been operating an end-to-end malicious residential proxy business since at least August 2022.
  • The operation uses over 230 lookalike domains and a trojanized 7-Zip installer to lure victims into becoming proxy nodes.
  • The actor acquires domains through "drop-catching" and impersonates major proxy providers to build trust with potential victims.
  • The operation uses popular VPNs and services as decoys to distribute proxy malware, adding complexity to their tactics.
  • The Lurking Lizard has employed a multi-pronged approach to target users across various operating systems, including Android, macOS, and Windows.
  • The actor may be reselling or using IPIDEA's infrastructure directly, linked to over 773,000 unique IP addresses in a public dataset.
  • The use of legitimate-sounding domain names has allowed the actor to build trust with potential victims, making it harder for security professionals to identify and block their malicious activities.



  • The world of cybersecurity has been abuzz with the recent revelation of a new threat actor, dubbed Lurking Lizard, that has been operating an end-to-end malicious residential proxy business. According to DNS threat intelligence firm Infoblox, this nefarious operation has been in effect since at least August 2022 and utilizes more than 230 lookalike domains.

    At the heart of this scheme is a cleverly disguised trojanized 7-Zip installer that has been used to lure unsuspecting victims into becoming proxy nodes. Once compromised, these devices are used to funnel third-party traffic through the actors' own infrastructure, essentially creating an end-to-end operation that spans victim acquisition, proxy infrastructure, marketing, and monetization.

    Lurking Lizard's modus operandi is quite ingenious. The actor acquires domains when they expire, a technique known as drop-catching, which allows them to inherit their accumulated history and legitimacy. Furthermore, the actor has been known to impersonate major proxy providers, including IPIDEA, SmartProxy (now Decodo), IP Royal, and 911Proxy, all in an effort to build trust with potential victims.

    One of the most striking aspects of this operation is its use of popular VPNs and services like HeroSMS as decoys to distribute proxy malware. This not only adds a layer of complexity but also underscores the actor's ability to adapt and evolve their tactics.

    The recent discovery of a 7-Zip installer that was used to recruit victims has shed light on the scale of this operation. According to Infoblox, the same underlying infrastructure used in this campaign has also been employed to serve fake installers for WhatsApp, TikTok downloaders, and WireVPN tools.

    This marks an interesting evolution in the Lurking Lizard's tactics, as they now employ a multi-pronged approach to target users across various operating systems, including Android, macOS, and Windows. One such Android app, wirevpn - Fast Unlimited Proxy, has amassed over 1 million downloads, although it is unclear whether these downloads are organic.

    The implications of this operation cannot be overstated. With over 773,000 unique IP addresses linked to SmartProxy being present in a publicly available IPIDEA IP dataset, it suggests that Lurking Lizard either resells IPIDEA's infrastructure directly or uses it as a significant IP source.

    Furthermore, the actor's use of legitimate-sounding domain names, such as "7-zip[.]org," has allowed them to build trust with potential victims. This drop-catching technique not only allows the actor to inherit the history and legitimacy of these domains but also makes it more challenging for security professionals to identify and block these malicious actors.

    In recent days, Google announced that they had significantly degraded the NetNut (aka Popa) residential proxy network, which turned at least 2 million devices into conduits for unauthorized network traffic through malware-laced SDKs. This development comes as a welcome relief, but it highlights the ongoing struggle to combat these types of threats.

    The emergence of Lurking Lizard serves as a stark reminder that the threat landscape is constantly evolving and that cybersecurity professionals must remain vigilant in their pursuit of detecting and disrupting such malicious activities.

    In light of this new information, security experts are urging users to exercise caution when interacting with software updates or downloading applications from unverified sources. The consequences of falling prey to these types of attacks can be severe, including the potential for unauthorized access to sensitive data or the compromise of entire networks.

    As the threat actor continues to adapt and evolve their tactics, it is essential that security professionals and individuals alike remain informed and proactive in their efforts to protect themselves against these types of threats. By staying vigilant and working together, we can help to mitigate the impact of such operations and create a safer digital landscape for all.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Fake-7-Zip-Installers-and-the-Rise-of-Residential-Proxy-Networks-A-Growing-Threat-to-Cybersecurity-ehn.shtml

  • https://thehackernews.com/2026/07/fake-7-zip-installers-turn-devices-into.html

  • https://cybersecuritynews.com/lurking-lizard-uses-fake-7-zip-installers/

  • https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/

  • https://breach-hq.com/threat-actors


  • Published: Thu Jul 9 00:42:40 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us