Fake 7-Zip Installers and VPN Apps Are Quietly Turning Your Devices Into Proxy Nodes

A China-linked threat actor known as Lurking Lizard has built a sprawling residential proxy operation using trojanized software, fake review sites, and more than 230 lookalike domains — with over a million mobile downloads already recorded.

Fake 7-Zip Installers and VPN Apps Are Quietly Turning Your Devices Into Proxy Nodes

A Sprawling Proxy Botnet Hidden in Plain Sight

A sophisticated and long-running cybercriminal operation has been quietly conscripting ordinary devices — laptops, smartphones, and potentially smart TVs — into an unauthorized residential proxy network, leveraging fake software installers, counterfeit VPN applications, and an elaborate ecosystem of deceptive websites. The threat actor behind the campaign, dubbed Lurking Lizard by DNS threat intelligence firm Infoblox, has been active since at least August 2022 and operates what researchers describe as an end-to-end residential proxy malware business — one that recruits victims, monetizes their bandwidth, and markets the resulting network through fake storefronts, all under the same criminal umbrella.

The scale is significant. Infoblox's analysis identified more than 230 lookalike domains used as part of the infrastructure, while a related mobile application branded as a VPN — "wirevpn - Fast Unlimited Proxy," attributed to a UK-registered entity called WEILAI NETWORK TECHNOLOGY CO., LIMITED — has accumulated more than one million downloads. Whether those installs are organic remains unclear, but the figures underscore the operational reach of what researchers are calling one of the more architecturally complete proxy fraud schemes observed in recent years.

How Lurking Lizard Recruits Victims Through Fake Software

The most documented entry point involves a trojanized installer for 7-Zip, the widely used open-source file compression utility. Victims were directed to a domain named "7zip[.]com" — a deliberately chosen near-miss of the legitimate "7-zip[.]org" — where they downloaded what appeared to be a standard installer. In reality, the package covertly enrolled the device as a proxy exit node, routing third-party network traffic through the victim's IP address without their knowledge or consent.

Cybersecurity concept showing digital threat and network intrusion
Threat actors like Lurking Lizard exploit trusted software brands to distribute proxy malware across unsuspecting devices.

This technique — exploiting typosquatted or misreferenced domain names — is deceptively effective. Many users encountering a tutorial or search result linking to "7zip.com" would have no reason to question its legitimacy. Further analysis of an IPLogger URL embedded in the 7-Zip campaign samples revealed the same underlying infrastructure was also being used to distribute fake installers for WhatsApp, tools falsely marketed as TikTok and YouTube downloaders, and WireVPN — pointing to a coordinated multi-product distribution strategy rather than a one-off campaign.

According to The Hacker News, victims in the 7-Zip campaign were directed to malicious installers through tutorial content, search-driven discovery, and lookalike domains — a combination that speaks to the actor's understanding of how users actually find and download software. For IT decision makers and security professionals, this highlights a critical and persistent vulnerability: the gap between how users expect software distribution to work and the reality of what search engines and tutorial sites may serve them.

"Rather than operating a single malware campaign, Lurking Lizard manages multiple stages of the residential proxy lifecycle for several years, from acquiring victim devices through to marketing and selling access to the resulting network."

— Infoblox Threat Intelligence Research Team

Drop-Catching, Impersonation, and the Art of Borrowed Legitimacy

What distinguishes Lurking Lizard from many opportunistic threat actors is the sophistication of its domain acquisition strategy. The group is known to practice drop-catching — the technique of acquiring expired domains precisely to inherit their accumulated SEO history, backlink profiles, and residual trust signals. Rather than building credibility from scratch, the actor purchases legitimacy wholesale, using aged domains that search engines and users are already inclined to trust.

The group also actively impersonates established residential proxy providers, including IPIDEA, SmartProxy (now rebranded as Decodo), IP Royal, and 911Proxy. Notably, IPIDEA's infrastructure was dismantled by Google in an operation earlier this January, underscoring the fluid and adversarial relationship between major platform operators and these proxy networks. Further complicating the landscape, research by Proxyway found that 773,087 unique IP addresses linked to SmartProxy also appeared in a publicly available IPIDEA IP dataset comprising more than 16 million unique IPs — suggesting that the lines between legitimate proxy providers and criminal infrastructure may be blurrier than many enterprise buyers assume.

Beyond impersonating providers directly, Lurking Lizard runs fake "independent" review websites designed to funnel traffic toward its own scam storefronts. This creates a self-reinforcing ecosystem: victims find the malicious software through seemingly credible tutorials and search results, while potential proxy service customers are directed to Lurking Lizard's fake brands through equally fabricated review content. WHOIS analysis and infrastructure fingerprinting conducted by Infoblox suggest the actor is based in China, and the operation also uses popular VPNs and services like HeroSMS as decoys to distribute the proxy malware further.

230+Lookalike domains operated
1M+WireVPN mobile downloads
16.2MUnique IPs in IPIDEA dataset
2022Earliest known activity

The Mobile Dimension: VPN Apps as Residential Proxy Malware Vectors

The campaign's expansion into mobile represents a significant escalation in scope. The WireVPN branding — applied to applications targeting Android, macOS, and Windows — illustrates the actor's intent to build cross-platform coverage. The Android application "wirevpn - Fast Unlimited Proxy," developed under the UK-registered entity WEILAI NETWORK TECHNOLOGY CO., LIMITED, had surpassed one million downloads at the time of reporting.

Smartphone showing VPN application with security warning overlay
Mobile VPN apps have emerged as a key vector for residential proxy malware, with some applications accumulating millions of downloads before detection.

Researchers have not yet confirmed whether the proxy exit-node functionality present in the desktop variants is replicated in the mobile applications, but the possibility carries serious implications. VPN apps, by their nature, already request broad network permissions — making them an ideal vessel for covert proxy functionality that would be difficult for users to detect or distinguish from expected behavior. For privacy professionals and developers building applications on top of third-party SDKs or leveraging mobile VPN libraries, this underscores the need for rigorous supply chain vetting.

The concern is not merely theoretical. As Wired and other outlets have reported extensively, residential proxy networks built on compromised devices are frequently used to launder the origins of malicious traffic, bypass geo-restrictions, conduct credential stuffing attacks, and evade fraud detection systems — all while the device owner remains entirely unaware that their home IP address is being used as a launchpad.

Lurking Lizard vs. NetNut: Two Proxy Botnets Compared

The Lurking Lizard disclosure arrives just days after Google announced it had significantly disrupted the NetNut (also known as Popa) residential proxy network — a separate but structurally similar operation that turned at least 2 million devices, including smart TVs and streaming boxes, into unauthorized traffic conduits. NetNut achieved this through malware-laced SDKs that were either pre-installed on devices before purchase or bundled within apps containing hidden proxy code. The proximity of these two disclosures points to a broader industry reckoning with the scale and sophistication of the residential proxy fraud ecosystem.

Attribute Lurking Lizard NetNut / Popa
Primary vector Trojanized installers, fake VPN apps Malware-laced SDKs, pre-installed apps
Target devices Windows, macOS, Android Smart TVs, streaming boxes
Known scale 230+ domains; 1M+ mobile downloads At least 2 million devices
Monetization model Fake proxy service brands + review sites Proxy network resale
Disrupted by Ongoing (Infoblox disclosure) Google (announced recently)
Suspected origin China (WHOIS / infrastructure analysis) Not publicly attributed

Google's statement accompanying the NetNut takedown is worth quoting in context: "This creates serious risks for unsuspecting device owners, as their home IP addresses can be used by attackers as a launchpad for hacking and other unauthorized activities. Consequently, users can have their legitimate traffic flagged as suspicious, or blocked by their service providers." The same risk applies in full to Lurking Lizard's victims — and extends to any organization whose systems those residential IPs interact with.