Infoblox researchers identified a threat group called Lurking Lizard operating a residential proxy scheme that compromised thousands of devices through counterfeit 7-Zip installers. The campaign leveraged over 230 lookalike domains designed to trick users into downloading malicious software instead of the legitimate file compression utility.
Active since at least August 2022, Lurking Lizard distributed trojanized 7-Zip binaries via search engine poisoning and social engineering. When users installed the fake software, their machines became unwilling nodes in a residential proxy network. These compromised devices then routed traffic for the threat actor, allowing them to mask their true location and conduct click fraud, account takeovers, and other abuse.
Residential proxies command premium prices in cybercriminal markets because they appear to originate from legitimate home users rather than data centers. This makes detection and blocking significantly harder for defenders. Lurking Lizard monetized their botnet by selling proxy access to other threat actors and fraudsters.
The scale of the operation spans thousands of infected systems distributed globally. Infoblox identified the infrastructure through passive DNS analysis tracking the lookalike domains to shared malicious servers. The group registered domains mimicking legitimate 7-Zip repositories, often ranking them high in search results through SEO manipulation techniques.
Organizations and individuals face dual risks here. Enterprise networks risk compromised employee machines unknowingly forwarding company traffic through attacker-controlled proxies, creating data leakage and compliance violations. Individual users lose bandwidth, experience network slowdowns, and expose themselves to secondary malware infections.
Detection proves difficult because the malware uses legitimate tools for proxy functionality and can hide within standard applications. Standard antivirus solutions often miss the threat since it lacks traditional malware payload behaviors.
Security teams should implement application whitelisting, restrict unsigned executable execution, and validate file h
