Cybersecurity experts have identified a malicious campaign orchestrated by a group dubbed ‘Lurking Lizard,’ which has been operating an extensive network of over 230 deceptive domains to distribute compromised software installers. This operation, active since at least August 2022, aims to transform unsuspecting users’ devices into residential proxy nodes without their consent.
One notable tactic involves a counterfeit 7-Zip installer hosted on the domain ‘7zip[.]com,’ a misleading address that closely resembles the legitimate ‘7-zip.org.’ Users downloading and installing this fake software inadvertently allow their devices to be co-opted into a proxy network, facilitating various illicit activities.
Lurking Lizard’s strategy extends beyond 7-Zip. The group has been found impersonating reputable proxy service providers such as IPIDEA, SmartProxy (now Decodo), IP Royal, and 911Proxy. They have even established fake ‘independent’ review sites to funnel traffic toward their fraudulent services. Notably, IPIDEA’s infrastructure was dismantled by Google in January 2026, highlighting the ongoing battle against such deceptive operations.
Further investigations revealed that 773,087 unique IP addresses associated with SmartProxy were also present in a publicly available dataset from IPIDEA, which contained over 16 million unique IPs. This overlap suggests that SmartProxy may either be reselling IPIDEA’s infrastructure or heavily relying on it for its IP sources.
Analyses of WHOIS data and infrastructure patterns indicate that Lurking Lizard operates out of China. Their scheme also leverages popular VPNs and services like HeroSMS as decoys to disseminate proxy malware. A key aspect of their method involves ‘drop-catching,’ where they acquire expired domains to exploit their established credibility. For instance, by using ‘7zip[.]com’ instead of the correct ‘7-zip.org,’ they capitalize on common typographical errors to deceive users.
Examination of an IPLogger URL (‘iplogger[.]com/mnWD’) embedded within the malicious 7-Zip installer revealed that the same infrastructure is used to distribute fake installers for other applications, including WhatsApp, TikTok and YouTube downloaders, and WireVPN. This indicates a broad and adaptable approach to ensnaring victims across various platforms.
The campaign has evolved to target multiple operating systems, including Android, macOS, and Windows. A particular Android application, ‘wirevpn – Fast Unlimited Proxy,’ developed by a UK-based company named WEILAI NETWORK TECHNOLOGY CO., LIMITED, has garnered over a million downloads. However, the authenticity of these download figures remains uncertain.
Initially, victims were lured to malicious installers through tutorial content, search engine manipulation, and deceptive domains. While it’s unclear if these same techniques are being used for the current desktop variants, the mobile applications may serve as an additional vector for victim acquisition.
It’s also uncertain whether the proxy functionality—turning devices into exit nodes for routing third-party traffic—is present in the mobile applications or limited to desktop versions. Regardless, this operation exemplifies a sophisticated and coordinated effort encompassing victim acquisition, proxy infrastructure development, marketing, and monetization.
This case underscores the critical importance of downloading software exclusively from official and verified sources. Users should exercise caution with domains that closely mimic legitimate ones and remain vigilant against unsolicited software offerings. The evolving nature of such threats highlights the need for continuous awareness and proactive cybersecurity measures to protect personal and organizational digital assets.