Fake 7-Zip Installers Turn Devices Into Residential Proxy Nodes
Cybersecurity researchers uncover 'Lurking Lizard,' a sophisticated threat actor turning user devices into residential proxies through fake software.

This article is original editorial commentary written with AI assistance, based on publicly available reporting by The Hacker News. It is reviewed for accuracy and clarity before publication. See the original source linked below.
The discovery of "Lurking Lizard" marks a sophisticated evolution in the commodification of compromised hardware. Cybersecurity researchers at Infoblox have unveiled a sprawling operation that has, since at least August 2022, systematically tricked users into turning their own devices into nodes for a massive, illicit residential proxy network. By leveraging a network of over 230 "lookalike" domains, the threat actor targets individuals seeking common utility software, specifically the open-source file archiver 7-Zip. This campaign highlights a shift in cybercrime away from direct data theft and toward the silent hijacking of bandwidth and IP reputation.
Historically, the use of residential proxies has occupied a grey area of the internet. While legitimate services exist for market research and ad verification, threat actors crave residential IPs because they carry a high "trust score" compared to datacenter IPs. Traffic originating from a home office or a kitchen laptop is far less likely to trigger bot detection systems or CAPTCHAs. Lurking Lizard is not the first group to attempt to build such a network—predecessors like the "911.re" proxy service operated on similar principles—but the scale and duration of this specific infrastructure suggest a highly organized, end-to-end business model that has matured significantly over the past two years.
The mechanics of the Lurking Lizard operation rely on classic social engineering paired with modern SEO poisoning or malicious advertising (malvertising). When a user searches for "7-Zip download," they are directed to a deceptive domain that mirrors the official site’s layout and branding. Instead of the legitimate utility, the site delivers a "wrapper" or a modified installer. Once executed, the software installs the promised tool to avoid suspicion but simultaneously deploys a background service. This service connects the infected machine to a command-and-control (C2) server, effectively listing the user’s residential IP address as an available exit node for the attacker’s paying "clients."
From a business perspective, this represents the "Proxy-as-a-Service" (PaaS) model. Lurking Lizard acts as a middleman, selling access to these compromised IPs to other cybercriminals who use them for credential stuffing, scraping, or bypassing geo-restrictions. By maintaining over 200 domains, the group ensures high availability; if one domain is flagged by security vendors or Google Safe Browsing, dozens of others remain active to recruit new "nodes." For the victim, the impact is often subtle: a slight degradation in internet speed and the risk of their IP being blacklisted by legitimate services due to the malicious activity of the proxy’s "renters."
The implications for the broader cybersecurity landscape are troubling. This model democratizes high-level cyberattacks by providing low-cost, high-stealth infrastructure to even unsophisticated actors. It complicates the job of IT security teams who can no longer rely on simple IP reputation databases to block malicious traffic, as the traffic appears to come from a standard residential ISP. Furthermore, the use of open-source software like 7-Zip as a lure is particularly effective because such tools are ubiquitous and often lack the centralized, "verified" update mechanisms found in proprietary software suites from giants like Microsoft or Adobe.
Moving forward, the industry must watch for an increase in "living off the bandwidth" attacks. As more devices—from PCs to IoT hardware—become potential nodes, the focus of endpoint detection may need to shift from looking for data exfiltration to monitoring for unauthorized proxy protocols (like SOCKS5) running in the background. We should also expect tighter scrutiny on the domain registration process and the "lookalike" landscape. The ultimate challenge remains the human element: as long as users bypass official app stores in favor of top-tier search results, Lurking Lizard and its successors will continue to find a steady supply of unwitting hosts for their invisible networks.
Why it matters
- 01Lurking Lizard's use of 230 lookalike domains demonstrates a highly resilient infrastructure designed to survive individual domain takedowns.
- 02The shift toward 'Proxy-as-a-Service' allows low-level criminals to mask their identity using the high-trust reputation of residential IP addresses.
- 03The exploitation of open-source utilities like 7-Zip highlights a critical vulnerability in how users source and trust essential third-party software.