The residential proxy business has a supply problem, and your servers are the answer to it. Operators who resell access to real home and business IP addresses need a steady stream of live machines to route other people's traffic through. One long-running operation has been meeting that demand by hiding its enrollment malware inside software people install on purpose: a fake 7-Zip, a fake VPN, fake media downloaders. You install the app, you get a working tool, and you hand a stranger a slice of your network at the same time.
DNS intelligence firm Infoblox published research this week on the actor it calls Lurking Lizard, mapping more than 230 lookalike domains and a chain of trojanized installers active since at least August 2022. Security Affairs and other outlets carried it. Most of the coverage led with the fake 7-Zip. The part that matters for anyone running infrastructure is quieter: what these installers do to a machine, and why the checks most shops rely on do not see it.
Why a server is the prize, not a casualty
The framing in most reports is consumer: someone searches for a free tool, grabs the wrong download, and their laptop joins a botnet. That is real, but it undersells who the operators actually want. A residential proxy is valued on how trusted and how stable its IP is. A phone drops off Wi-Fi, changes networks, and sits behind carrier-grade NAT. A server does none of that. It is always on, it holds a static address, and that address usually lives in a hosting or business netblock with a clean reputation. A developer workstation is nearly as good.
So the machines your team runs are not collateral damage in this campaign, they are the high-value inventory. A compromised build box or a small business file server is worth more to a proxy reseller than a hundred flaky consumer handsets, because its traffic blends in and stays up. That reframes the risk: this is not a home-user story you can wave off, it is an exposure for exactly the fleets a security team is paid to watch.
The infection barely registers as an infection
Here is what makes it slippery. On Windows, the malicious build installs a real, working copy of the advertised app, then drops a small helper process next to it in a system directory. Infoblox observed consistent naming across variants: the fake 7-Zip shipped its own pair of worker binaries alongside the archiver, and the lookalike VPN app Infoblox tracked as WireVPN did the same. Some Windows variants were signed with a legitimate code-signing certificate, so a signature check passes. The app runs. The user is happy. Nothing throws an alert.
An on-disk scan is the wrong instrument for this. The durable evidence is not a file, it is the traffic. A real VPN client opens one stable tunnel to a fixed endpoint. This proxyware opens many concurrent connections across a rotating set of hosts, because it is relaying strangers' traffic through your address. That shape is the signature. If your detection depends on matching a known-bad binary, you will miss it; if it watches how a host talks to the internet, you have a real chance.
| What you can watch | A real VPN client | Proxyware node |
|---|---|---|
| Outbound connections | One stable tunnel to a fixed server | Many concurrent links to changing hosts |
| Whose traffic flows | Yours, going out | Strangers routed through your address |
| Extra processes | A single signed client | A helper binary running beside the app |
| Where it sits | Normal install path | System folder, next to a working installer |
| Best place to catch it | App inventory | Egress shape and DNS, not file scans |
We have made this point on a different case. When law enforcement moved against the NetNut proxy network, according to reports at the time, the takedown removed the storefront but not the roughly two million already-infected devices, which kept relaying. The lesson repeats here: the payload is designed to be a quiet, long-lived tenant, not a smash-and-grab.
Aged domains slip past your newly-registered blocklist
The delivery side has its own trick worth calling out, because it defeats a control a lot of teams lean on. Lurking Lizard did not just register fresh lookalike domains. Infoblox describes it acquiring expired domains to inherit their history, a practice called drop-catching. A domain that was legitimate last year, then quietly dropped and re-registered, carries aged records and prior reputation. That matters because a common detection heuristic is to distrust newly registered domains. An aged, re-caught domain sails straight through that filter.
The registration date is not the signal you think it is. If your DNS filtering blocks or flags domains only by how young they are, this operation is built to walk past it. The more reliable tells are the resolution pattern and the lookalike itself: a download served from 7zip.com when the real project lives at 7-zip.org, or a VPN brand you have never heard of resolving through infrastructure that also fronts a row of fake proxy storefronts. We covered a related version of the domain problem when attackers began registering the web addresses AI assistants hallucinate; the common thread is that the name looks trustworthy right up until it isn't.
Seizing one operator does not shrink the market
Step back and the individual campaign matters less than the machine it feeds. Residential proxy access is a commodity now, sold as unlimited pools to anyone with a use for a clean home IP: ad fraud, credential stuffing, scraping, sanctions evasion. A fraud researcher quoted in the reporting lays out the business model: a small operator blends the devices it has infected with proxy capacity it buys wholesale from bigger networks, then sells the mixed pool onward through lookalike storefronts and fake review sites. Lurking Lizard is one supplier feeding a market with many buyers and many sellers.
That structure is why enforcement keeps landing and the problem keeps standing. We wrote about millions of hacked TV boxes renting attackers a trusted home IP, and about the reported action against NetNut. Each took down a storefront. Neither dented the demand, so the supply backfilled. Killing 230 domains hurts one operator's logistics for a while; it does not change the economics that make the next operator worth standing up. So the durable defense is not waiting for a takedown, it is making sure your machines never become inventory in the first place.
Watch egress before you trust the installer
Two habits close most of this exposure. First, tighten where software comes from. Install from the vendor's canonical domain only, and treat a lookalike, a download ad, or a search result that points anywhere else as untrusted by default. This is the same discipline that stops fake tools aimed at technical users, and it is cheap to enforce with an allowlist of approved sources. The neighboring risk of a rigged 7-Zip archive is a reminder that the same trusted-utility brand keeps getting abused.
Second, move detection to the network. On any host, a burst of concurrent outbound connections to many unrelated destinations, from a process that is not a browser or a known service, is worth an alert. Watching file changes in system directories helps you catch the helper binary that lands beside a freshly installed app, and file integrity monitoring is the right tool for that. Pair it with egress-focused hunting: query for hosts holding an unusual number of simultaneous outbound sessions, and for DNS lookups to software-lookalike domains. A managed detection layer that maps this to round-the-clock triage turns those signals into something acted on rather than logged. The point is the same either way: you will not find this by scanning for a bad file. You find it by noticing that a machine is doing work you never asked it to do.