Home/ Blog/ Security news/ Article
Blog · Security news

A fake 7-Zip installer rents your server out as a residential proxy, and file scans miss it

A trojanized 7-Zip and VPN campaign called Lurking Lizard turns servers and PCs into residential proxy nodes. Why file scans miss it, and how to actually

Small house-shaped node with many faint lines passing through it in dark space

The residential proxy business has a supply problem, and your servers are the answer to it. Operators who resell access to real home and business IP addresses need a steady stream of live machines to route other people's traffic through. One long-running operation has been meeting that demand by hiding its enrollment malware inside software people install on purpose: a fake 7-Zip, a fake VPN, fake media downloaders. You install the app, you get a working tool, and you hand a stranger a slice of your network at the same time.

DNS intelligence firm Infoblox published research this week on the actor it calls Lurking Lizard, mapping more than 230 lookalike domains and a chain of trojanized installers active since at least August 2022. Security Affairs and other outlets carried it. Most of the coverage led with the fake 7-Zip. The part that matters for anyone running infrastructure is quieter: what these installers do to a machine, and why the checks most shops rely on do not see it.

Why a server is the prize, not a casualty

The framing in most reports is consumer: someone searches for a free tool, grabs the wrong download, and their laptop joins a botnet. That is real, but it undersells who the operators actually want. A residential proxy is valued on how trusted and how stable its IP is. A phone drops off Wi-Fi, changes networks, and sits behind carrier-grade NAT. A server does none of that. It is always on, it holds a static address, and that address usually lives in a hosting or business netblock with a clean reputation. A developer workstation is nearly as good.

So the machines your team runs are not collateral damage in this campaign, they are the high-value inventory. A compromised build box or a small business file server is worth more to a proxy reseller than a hundred flaky consumer handsets, because its traffic blends in and stays up. That reframes the risk: this is not a home-user story you can wave off, it is an exposure for exactly the fleets a security team is paid to watch.

The infection barely registers as an infection

Here is what makes it slippery. On Windows, the malicious build installs a real, working copy of the advertised app, then drops a small helper process next to it in a system directory. Infoblox observed consistent naming across variants: the fake 7-Zip shipped its own pair of worker binaries alongside the archiver, and the lookalike VPN app Infoblox tracked as WireVPN did the same. Some Windows variants were signed with a legitimate code-signing certificate, so a signature check passes. The app runs. The user is happy. Nothing throws an alert.

An on-disk scan is the wrong instrument for this. The durable evidence is not a file, it is the traffic. A real VPN client opens one stable tunnel to a fixed endpoint. This proxyware opens many concurrent connections across a rotating set of hosts, because it is relaying strangers' traffic through your address. That shape is the signature. If your detection depends on matching a known-bad binary, you will miss it; if it watches how a host talks to the internet, you have a real chance.

What you can watchA real VPN clientProxyware node
Outbound connectionsOne stable tunnel to a fixed serverMany concurrent links to changing hosts
Whose traffic flowsYours, going outStrangers routed through your address
Extra processesA single signed clientA helper binary running beside the app
Where it sitsNormal install pathSystem folder, next to a working installer
Best place to catch itApp inventoryEgress shape and DNS, not file scans
How a residential-proxy infection looks different from a real VPN. Source: Infoblox.

We have made this point on a different case. When law enforcement moved against the NetNut proxy network, according to reports at the time, the takedown removed the storefront but not the roughly two million already-infected devices, which kept relaying. The lesson repeats here: the payload is designed to be a quiet, long-lived tenant, not a smash-and-grab.

Aged domains slip past your newly-registered blocklist

The delivery side has its own trick worth calling out, because it defeats a control a lot of teams lean on. Lurking Lizard did not just register fresh lookalike domains. Infoblox describes it acquiring expired domains to inherit their history, a practice called drop-catching. A domain that was legitimate last year, then quietly dropped and re-registered, carries aged records and prior reputation. That matters because a common detection heuristic is to distrust newly registered domains. An aged, re-caught domain sails straight through that filter.

The registration date is not the signal you think it is. If your DNS filtering blocks or flags domains only by how young they are, this operation is built to walk past it. The more reliable tells are the resolution pattern and the lookalike itself: a download served from 7zip.com when the real project lives at 7-zip.org, or a VPN brand you have never heard of resolving through infrastructure that also fronts a row of fake proxy storefronts. We covered a related version of the domain problem when attackers began registering the web addresses AI assistants hallucinate; the common thread is that the name looks trustworthy right up until it isn't.

Seizing one operator does not shrink the market

Step back and the individual campaign matters less than the machine it feeds. Residential proxy access is a commodity now, sold as unlimited pools to anyone with a use for a clean home IP: ad fraud, credential stuffing, scraping, sanctions evasion. A fraud researcher quoted in the reporting lays out the business model: a small operator blends the devices it has infected with proxy capacity it buys wholesale from bigger networks, then sells the mixed pool onward through lookalike storefronts and fake review sites. Lurking Lizard is one supplier feeding a market with many buyers and many sellers.

That structure is why enforcement keeps landing and the problem keeps standing. We wrote about millions of hacked TV boxes renting attackers a trusted home IP, and about the reported action against NetNut. Each took down a storefront. Neither dented the demand, so the supply backfilled. Killing 230 domains hurts one operator's logistics for a while; it does not change the economics that make the next operator worth standing up. So the durable defense is not waiting for a takedown, it is making sure your machines never become inventory in the first place.

Watch egress before you trust the installer

Two habits close most of this exposure. First, tighten where software comes from. Install from the vendor's canonical domain only, and treat a lookalike, a download ad, or a search result that points anywhere else as untrusted by default. This is the same discipline that stops fake tools aimed at technical users, and it is cheap to enforce with an allowlist of approved sources. The neighboring risk of a rigged 7-Zip archive is a reminder that the same trusted-utility brand keeps getting abused.

Second, move detection to the network. On any host, a burst of concurrent outbound connections to many unrelated destinations, from a process that is not a browser or a known service, is worth an alert. Watching file changes in system directories helps you catch the helper binary that lands beside a freshly installed app, and file integrity monitoring is the right tool for that. Pair it with egress-focused hunting: query for hosts holding an unusual number of simultaneous outbound sessions, and for DNS lookups to software-lookalike domains. A managed detection layer that maps this to round-the-clock triage turns those signals into something acted on rather than logged. The point is the same either way: you will not find this by scanning for a bad file. You find it by noticing that a machine is doing work you never asked it to do.

Topics

Frequently asked questions

What is a residential proxy node and why would an attacker want my server?

A residential proxy node is a real machine that relays other people's internet traffic so it appears to come from that machine's address. Attackers prize servers and workstations because they are always on and hold stable IPs in trusted netblocks, which makes their relayed traffic harder to block than a phone's.

How do I tell if a device is being used as a proxy?

Watch the network, not just the disk. A device acting as a proxy opens many concurrent outbound connections to a rotating set of unrelated hosts, unlike a real VPN's single stable tunnel. A process that is not a browser or known service generating that pattern is the strongest tell.

Will antivirus catch this proxyware?

Often not on its own. According to Infoblox, the installers deliver a working copy of the advertised app and some Windows builds carry a valid code-signing certificate, so signature and reputation checks can pass. Detection is more reliable at the network layer, where the relaying behavior stands out.

Is the fake 7-Zip the only app involved in the Lurking Lizard campaign?

No. Infoblox reports the operation spans more than 230 lookalike domains and multiple trojanized apps, including a fake 7-Zip, a VPN app, and fake media downloaders, active since at least August 2022. The 7-Zip lure is the most visible piece, not the whole campaign.

Why don't takedowns stop residential proxy abuse?

Because the demand outlives any single operator. Residential proxy access is sold as a commodity, and resellers backfill supply from upstream pools when a network is seized. Reported takedowns like the action against NetNut removed storefronts but left infected devices relaying, so the market kept running.

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.