Fake 7-Zip Installers Turn Devices Into Residential Proxy Nodes
A threat actor dubbed "Lurging Lizard" operates an end-to-end malicious residential proxy business, using over 230 lookalike domains and trojanized software installers to recruit devices. The campaign targets multiple platforms (Windows, macOS, Android) by distributing fake versions of popular tools like 7-Zip, WhatsApp, and WireVPN, often leveraging expired domain history for legitimacy. The operation includes a sophisticated monetization strategy involving impersonation of legitimate proxy pro
Analysis
TL;DR
- A threat actor dubbed "Lurging Lizard" operates an end-to-end malicious residential proxy business, using over 230 lookalike domains and trojanized software installers to recruit devices.
- The campaign targets multiple platforms (Windows, macOS, Android) by distributing fake versions of popular tools like 7-Zip, WhatsApp, and WireVPN, often leveraging expired domain history for legitimacy.
- The operation includes a sophisticated monetization strategy involving impersonation of legitimate proxy providers (e.g., IPIDEA, SmartProxy) and fake review sites to drive traffic to scam storefronts.
- This activity highlights a growing trend where consumer IoT devices and personal computers are co-opted into large-scale botnets for unauthorized proxy services, posing significant risks to IP reputation and network security.
Why It Matters
This incident demonstrates the increasing sophistication of cybercriminal ecosystems that integrate malware distribution, brand impersonation, and affiliate marketing to create sustainable illicit businesses. For security professionals, it underscores the critical need to monitor not just traditional malware vectors but also the abuse of legitimate-looking software updates and domain expiration strategies. Furthermore, it reveals how residential proxy networks are becoming a primary infrastructure for broader cyberattacks, affecting the integrity of IP addresses used by everyday consumers.
Technical Details
- Distribution Vectors: The actor uses trojanized installers for well-known software (7-Zip, WhatsApp, WireVPN) hosted on lookalike domains (e.g., "7zip[.]com" vs. official "7-zip[.]org"). They also employ drop-catching techniques to acquire expired domains with established trust histories.
- Infrastructure Scale: The operation utilizes more than 230 lookalike domains and has been linked to datasets containing millions of unique IP addresses, indicating a massive pool of compromised devices acting as proxy nodes.
- Cross-Platform Targeting: The campaign spans Windows, macOS, and Android. Notably, an Android app named "wirevpn - Fast Unlimited Proxy" claimed over 1 million downloads, suggesting a multi-pronged acquisition strategy beyond desktop malware.
- Monetization Ecosystem: The actor impersonates major proxy providers (IPIDEA, SmartProxy, IP Royal) and creates fake independent review sites to funnel traffic to their own storefronts, effectively reselling access to the botnet.
- Link Analysis: Embedded URLs such as "iplogger[.]com/mnWD" were found across various samples, linking different fake installers (7-Zip, TikTok/YouTube downloaders, WireVPN) to the same underlying infrastructure.
Industry Insight
- Supply Chain and Software Integrity: Organizations must enforce strict controls on software installation sources, particularly for common utilities like archivers and VPNs. Users should verify digital signatures and domain authenticity rigorously.
- Reputation Management for ISPs and Enterprises: As residential IPs are increasingly used for malicious activities, legitimate users risk having their IPs blacklisted. ISPs and cloud providers need enhanced monitoring to detect and mitigate traffic originating from compromised residential devices.
- Regulatory and Platform Accountability: The involvement of app stores and domain registrars in facilitating this ecosystem suggests a need for stricter vetting processes for apps claiming to be proxies or utilities, and better enforcement against domain squatting and impersonation.
Disclaimer: The above content is generated by AI and is for reference only.