Fake 7-Zip Installers Used to Create Residential Proxy Network
Threat actor 'Lurking Lizard' has been running a malicious proxy service using fake software installers since 2022. Over 230 domains were used to distribute malware disguised as legitimate applications.
TL;DR
- Cybercriminal group 'Lurking Lizard' operated a residential proxy network using fake 7-Zip installers.
- More than 230 lookalike domains were used in the campaign dating back to August 2022.
- Infected devices were turned into proxy nodes without user knowledge.
- The operation was uncovered by DNS threat intelligence firm Infoblox.
- Organizations should verify software sources and monitor for unusual network activity.
A newly identified cyber threat group called Lurking Lizard has been operating a large-scale residential proxy network by distributing malware through counterfeit software installers. The attackers leveraged over 230 deceptive domains mimicking legitimate services to trick users into installing malicious payloads disguised as popular tools like 7-Zip.
According to research from DNS threat intelligence provider Infoblox, this activity has been ongoing since at least August 2022. Once installed, these fake applications covertly transformed victim devices into proxy nodes, enabling the attackers to route traffic through unsuspecting endpoints. This method allows malicious actors to obscure their true origin and evade detection while conducting various online activities.
Attack Vector and Infrastructure
- Lurking Lizard created more than 230 domains designed to mimic trusted software distributors.
- The primary lure was a fake 7-Zip installer that appeared legitimate to end users.
- Domains were used to host malware that silently converted devices into residential proxy nodes.
- Traffic routed through these proxies could be used for anonymizing malicious operations.
Detection and Mitigation
- Infoblox detected the campaign through DNS-based threat intelligence monitoring.
- Organizations should implement application whitelisting to prevent unauthorized software installs.
- Network monitoring can help detect anomalous outbound connections indicative of proxy behavior.
- Users should only download software directly from official vendor websites or verified package managers.
- Security teams should review DNS logs for connections to suspicious or recently registered domains.
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.