Fake 7-Zip Installer Campaign Exposes Lurking Lizard’s Massive Residential Proxy Empire – How a Single Typosquat Domain Powers a Multi-Million Dollar Cybercriminal Supply Chain + Video

Listen to this Post

Featured Image

Introduction:

A seemingly innocuous search for the popular 7-Zip file archiver led unsuspecting users down a rabbit hole of cybercriminal enterprise. In early 2026, security researchers uncovered a threat actor dubbed “Lurking Lizard” operating an end-to-end malicious residential proxy business, using a fake 7-Zip installer as the entry point to a sprawling operation involving over 230 lookalike domains. What began as a single malware campaign quickly unraveled into a vertically integrated criminal supply chain that recruits everyday devices—from home PCs to smartphones—as proxy nodes, harvesting and selling their bandwidth to the highest bidder.

Learning Objectives:

  • Understand the mechanics of drop-catch domain abuse and how typosquatting enables large-scale malware distribution.
  • Identify the technical indicators of compromise (IOCs) and persistence mechanisms used by Lurking Lizard across Windows, Android, and macOS platforms.
  • Learn to detect, analyze, and mitigate residential proxyware infections using system commands, network analysis, and endpoint defenses.

You Should Know:

  1. The Drop-Catch Domain Strategy – Inheriting Trust Through Typosquatting

Lurking Lizard’s primary infection vector relies on a technique called “drop-catching”—acquiring expired domains to inherit their established search engine reputation and organic traffic. The campaign’s crown jewel was the domain 7zip[.]com, a typosquat of the legitimate 7-zip[.]org. Due to frequent user typos in forums and search queries, this domain had accumulated years of perceived legitimacy. Victims searching for the compression tool were redirected to this counterfeit site, where they downloaded a trojanized installer that silently enrolled their machines into a residential proxy network.

Step‑by‑step guide to detecting typosquat domains and verifying software authenticity:

  • Check Domain Authenticity: Always verify the official domain of software vendors. For 7-Zip, the legitimate domain is 7-zip.org, not `7zip.com` or other variations. Use `whois` to check domain registration dates—recently registered or expired-and-reregistered domains are red flags.
 Linux - Check domain WHOIS information
whois 7-zip.org
whois 7zip.com
 Windows - Check domain WHOIS using PowerShell
Resolve-DnsName 7-zip.org
Resolve-DnsName 7zip.com
  • Verify File Hashes: Always compare downloaded installer hashes against official sources. Legitimate 7-Zip installers have published SHA-256 checksums on the official website.
 Linux - Generate SHA-256 hash
sha256sum 7z2408-x64.exe
 Windows - Generate SHA-256 hash using PowerShell
Get-FileHash -Path .\7z2408-x64.exe -Algorithm SHA256
  • Inspect SSL Certificates: Check the certificate details of the download site. Legitimate sites use valid, properly issued certificates.
 Linux - Check SSL certificate details
openssl s_client -connect 7zip.com:443 -showcerts
  1. Technical Deep Dive – Proxyware Payload Analysis and Persistence Mechanisms

The trojanized 7-Zip installer delivered proxyware that transformed victim machines into residential proxy nodes. The malware’s architecture evolved over time, with later iterations manifesting as a seemingly legitimate VPN application called WireVPN, which amassed over one million downloads on Google Play. On Windows systems, the payload installed executables named `wire.exe` and `upwire.exe` in C:\Windows\SysWOW64\wire, created firewall exceptions using netsh, established persistence via Windows registry modifications, and performed system profiling with anti-debugging checks. These techniques closely mirrored earlier versions that used `hero.exe` and uphero.exe.

Step‑by‑step guide to detecting and removing proxyware on Windows systems:

  • Check for Suspicious Processes and Services: Look for unfamiliar executables running from system directories.
 Windows - List all running processes with full path details
Get-Process | Select-Object Name, Path

Check for specific proxyware executables
Get-Process -1ame wire, upwire, hero, uphero -ErrorAction SilentlyContinue
  • Examine Firewall Rules: The malware creates firewall exceptions to allow outbound proxy traffic.
 Windows - List all firewall rules
netsh advfirewall firewall show rule name=all

Look for suspicious inbound/outbound rules
netsh advfirewall firewall show rule name=all | findstr /i "wire vpn proxy"
  • Check Registry Persistence: Proxyware often adds startup entries to maintain persistence.
 Windows - Check common autorun registry keys
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"

Search for wire or hero related entries
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s | findstr /i "wire hero"
  • Network Connection Analysis: Identify outbound connections to command-and-control or proxy infrastructure.
 Windows - Display active network connections with process IDs
netstat -ano | findstr ESTABLISHED

Map PIDs to process names
Get-1etTCPConnection | Where-Object {$<em>.State -eq "Established"} | 
Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, 
@{Name="Process";Expression={(Get-Process -Id $</em>.OwningProcess).ProcessName}}

3. The IPLogger Artifact – Unifying the Campaigns

A critical breakthrough in linking disparate campaigns came from a hardcoded IPLogger URL (iplogger[.]com/mnWD) embedded within multiple malware samples. This unique artifact served as a silent beacon, tracking victim metadata and acting as a digital fingerprint connecting the fake 7-Zip installer to older malware posing as TikTok and YouTube downloaders, earlier VPN-themed campaigns, and the current WireVPN infrastructure. The consistency of directory structures, API schemas, and backend infrastructure across these domains provided definitive confirmation of a single operator.

Step‑by‑step guide to analyzing network traffic for beaconing and C2 communication:

  • Capture and Analyze Network Traffic: Use Wireshark or tcpdump to monitor outbound traffic for suspicious beaconing.
 Linux - Capture HTTP/HTTPS traffic to IPLogger domains
sudo tcpdump -i eth0 -1n 'host iplogger.com or host iplogger.org' -v

Capture all traffic to a specific IP range (example)
sudo tcpdump -i eth0 -1n 'net 192.168.0.0/16 and port 443' -w capture.pcap
  • DNS Query Monitoring: Proxyware often performs DNS lookups for its C2 infrastructure.
 Linux - Monitor real-time DNS queries
sudo tcpdump -i eth0 -1n 'udp port 53' -v

Check DNS cache for suspicious domains
sudo systemd-resolve --statistics
  • Use Windows Built-in Tools for Connection Tracking:
 Windows - Log all new connections over time (run as admin)
netsh trace start capture=yes tracefile=C:\temp\network.etl

Stop the trace
netsh trace stop

View connections with process details
Get-1etUDPEndpoint | Select-Object LocalAddress, LocalPort, 
@{Name="Process";Expression={(Get-Process -Id $_.OwningProcess).ProcessName}}
  1. The Vertically Integrated Proxy Market – From Infection to Monetization

Lurking Lizard’s operation is not merely a malware campaign; it is a fully vertically integrated business. The actor controls every stage of the proxy lifecycle: acquiring victim devices through fake installers, harvesting IP addresses, and directly marketing proxy access to buyers through lookalike domains impersonating legitimate providers like IPIDEA, SmartProxy, IP Royal, and 911Proxy. To drive traffic to these fake storefronts, the actor operates independent-looking proxy review websites, creating a self-contained supply chain. WHOIS analysis and infrastructure fingerprinting point to a China-based actor, with registrations linked to the alias “Cheng Li” from Wuhan.

Step‑by‑step guide to identifying fake proxy service domains and infrastructure:

  • DNS and WHOIS Correlation: Use threat intelligence tools to correlate domain registrations.
 Linux - Perform bulk WHOIS lookups
for domain in smartproxy.org ipidea.org iproyal.com; do
whois $domain | grep -E "Registrant|Creation|Name Server|Org"
echo ""
done

Check DNS records for infrastructure overlap
dig smartproxy.org NS
dig ipidea.org NS
  • SSL Certificate Fingerprinting: Threat actors often reuse SSL certificates across domains.
 Linux - Extract SSL certificate serial numbers
echo | openssl s_client -servername smartproxy.org -connect smartproxy.org:443 2>/dev/null | 
openssl x509 -1oout -serial -subject -issuer

Compare with other domains
echo | openssl s_client -servername ipidea.org -connect ipidea.org:443 2>/dev/null | 
openssl x509 -1oout -serial
  • IP Address Correlation: Use passive DNS and IP reputation services.
 Linux - Query IP reputation (example with VirusTotal API)
curl -s "https://www.virustotal.com/api/v3/ip_addresses/8.8.8.8" \
-H "x-apikey: YOUR_API_KEY"
  1. Cross-Platform Expansion – WireVPN and Mobile Threat Vectors

Lurking Lizard’s evolution into the WireVPN brand represents a significant expansion of the threat surface. Desktop versions of WireVPN share identical underlying structures and persistence mechanisms with the older 7-Zip payloads. However, the mobile applications dramatically increased the actor’s reach—the Android app, published under WIRE LTD, has over one million downloads and 34,000+ reviews on Google Play. The iOS app is published under the same developer, WEILAI NETWORK TECHNOLOGY CO., LIMITED, and the Windows samples are signed with a valid code-signing certificate issued to this U.K.-based firm.

Step‑by‑step guide to mobile and cross-platform threat detection:

  • Android – Check Installed Apps for Suspicious Permissions:
 Using ADB (Android Debug Bridge)
adb shell pm list packages | grep -i wire

Check app permissions
adb shell dumpsys package com.wirevpn.freevpn | grep -A 10 "Permissions:"
  • iOS – Review App Store Developer Information: Always verify the developer name and history before downloading VPN or utility apps. Check for recent developer account creation or name changes.

  • macOS – Check for Suspicious Launch Agents and Daemons:

 macOS - List all launch agents and daemons
ls -la ~/Library/LaunchAgents/
ls -la /Library/LaunchDaemons/

Check for wire or hero related plist files
find ~/Library -1ame "wire.plist" -o -1ame "hero.plist" 2>/dev/null

Monitor network connections
sudo lsof -i -P | grep -E "wire|hero"
  1. Defense and Mitigation Strategies – Building Resilient Endpoints

The Lurking Lizard campaign underscores the importance of defense-in-depth strategies. Organizations and individuals must adopt a multi-layered approach to prevent, detect, and respond to proxyware infections. Key recommendations include downloading software only from official sources, carefully verifying domains before installing VPNs or utilities, and maintaining updated endpoint protection with behavioral detection capabilities.

Step‑by‑step guide to hardening endpoints against proxyware:

  • Implement Application Whitelisting: Restrict execution to approved applications only.
 Windows - Configure AppLocker via PowerShell
 Create a default rule to allow all users to run Windows binaries
$Rule = New-AppLockerPolicy -RuleType Exe -User Everyone -Action Allow
Set-AppLockerPolicy -Policy $Rule -Merge

Audit mode first
Set-AppLockerPolicy -Policy $Rule -Merge -Audit
  • Enable Windows Defender Advanced Threat Protection (ATP) and Cloud-Delivered Protection:
 Windows - Check and enable real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -SubmitSamplesConsent 2  Always send samples
Set-MpPreference -CloudBlockLevel High
  • Linux – Use AppArmor or SELinux to Restrict Process Capabilities:
 Ubuntu - Enable AppArmor
sudo aa-enforce /etc/apparmor.d/
sudo aa-status

Create a custom profile for suspicious binaries
sudo aa-genprof /path/to/suspicious-binary
  • Network Segmentation and Egress Filtering: Restrict outbound traffic to only necessary destinations.
 Linux - Block outbound traffic to known malicious IPs using iptables
sudo iptables -A OUTPUT -d 192.168.1.100 -j DROP  Example malicious IP

Save rules
sudo iptables-save > /etc/iptables/rules.v4

What Undercode Say:

  • The Threat is the Business Model, Not Just the Malware: Lurking Lizard’s operation reveals that the real danger lies in the vertically integrated proxy economy. The actor doesn’t just infect devices; they control the entire supply chain—from acquisition through fake installers to monetization via lookalike proxy storefronts. This business model allows rapid scaling and makes dismantling the operation exceptionally difficult.

  • Trust is the New Attack Vector: The campaign’s success hinges on abusing trust—inherited domain reputation from expired domains, typosquatting on popular software, fake review sites, and even valid code-signing certificates. This highlights a fundamental shift in cyber threats: attackers no longer rely solely on technical exploits but on manipulating human trust and platform assumptions.

  • Residential Proxies Fuel the Cybercrime Economy: The demand for residential IP addresses—prized for their legitimacy in evading fraud detection—drives this underground market. Until the economic incentives for purchasing residential proxy access are addressed through regulation and industry cooperation, threat actors like Lurking Lizard will continue to thrive, regardless of individual campaign takedowns.

  • Cross-Platform Expansion Signals a New Era: The move from Windows-only proxyware to Android, iOS, and macOS—with over one million mobile downloads—demonstrates that mobile devices are now prime targets. The lines between legitimate VPN apps and proxyware are blurring, making user vigilance and platform vetting more critical than ever.

  • Detection Requires Correlation, Not Isolation: The IPLogger artifact was the key that connected disparate campaigns spanning nearly four years. This underscores the importance of threat intelligence sharing and correlation across seemingly unrelated indicators. Isolated detection of a single malicious installer is insufficient; security teams must think in terms of infrastructure and behavioral patterns.

Prediction:

  • -1 The residential proxy market will continue to grow despite law enforcement disruptions. The takedown of IPIDEA earlier this year and similar actions have proven insufficient to dismantle the underlying infrastructure. As long as there is demand for residential IPs from fraudsters, scrapers, and malicious actors, threat actors like Lurking Lizard will find ways to supply them.

  • -1 Mobile app stores face a credibility crisis. With WireVPN amassing over one million downloads on Google Play, the line between legitimate applications and proxyware has become dangerously thin. We predict an increase in similar campaigns targeting app stores, forcing platform providers to implement more rigorous vetting processes that may inadvertently stifle legitimate developers.

  • +1 DNS-level threat intelligence will become the frontline defense. Infoblox’s research demonstrates that DNS analysis—through domain registration patterns, WHOIS correlation, and passive DNS—is uniquely effective at uncovering large-scale infrastructure. We predict increased adoption of DNS-based detection and response solutions as organizations seek to identify threats before they reach endpoints.

  • -1 AI-powered social engineering will amplify typosquatting attacks. As threat actors leverage generative AI to create more convincing fake review sites, tutorial content, and lookalike domains, the barrier to entry for these campaigns will lower further. This will lead to a proliferation of proxyware campaigns across more software brands and platforms.

  • +1 Regulatory scrutiny on proxy providers will intensify. The revelation that legitimate-looking proxy services may be reselling bandwidth from compromised devices will likely trigger regulatory investigations and potential legal frameworks governing the residential proxy industry, similar to the crackdown on data brokers. This could ultimately reduce the supply of malicious proxies and force the market toward greater transparency.

▶️ Related Video (60% Match):

https://www.youtube.com/watch?v=0GbxMrUBq9A

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Varshu25 Fake – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky