Fake 7-Zip Downloads Are Quietly Turning Home PCs Into Criminal Middlemen

A group Infoblox calls Lurking Lizard has been running a rogue proxy service from 230+ lookalike sites since 2022, hiding the malware inside fake copies of the popular 7-Zip file compression tool.

ThreatVectr Newsdesk· 3 min read
Full frame overhead photoreal editorial shot of a modern home desk with an open laptop showing a generic software installer progress bar, a coffee mug, a notebo
Share

Key points

  • Infoblox has named a new criminal operation Lurking Lizard, active since at least August 2022.
  • The group runs more than 230 lookalike websites that imitate legitimate software download pages.
  • A recent campaign hid the malware inside fake installers for 7-Zip, the free file compression program.
  • Infected home and office computers are silently rented out as "residential proxies", meaning internet middlemen that let criminals borrow ordinary people's connections.
  • The operation is end to end: the same group builds the malware, infects the victims, and sells access to the resulting network.

A newly named criminal crew has spent more than three years quietly turning ordinary people's computers into hired muscle for other cybercriminals.

The group, which DNS security firm Infoblox is calling Lurking Lizard, has been active since at least August 2022. Infoblox tracks the domain names criminals use, and it says this crew has stood up over 230 lookalike sites designed to trick people searching for popular free software.

One recent campaign, first reported by The Hacker News, pushed a fake version of 7-Zip. 7-Zip is a free tool most people use to open compressed ".zip" style files. It is downloaded millions of times a month, which makes it perfect bait.

What actually happens when someone installs the fake 7-Zip?

The victim gets a working copy of 7-Zip, so nothing looks wrong. Quietly, in the background, the installer also drops software that turns the machine into a residential proxy node.

A residential proxy is a middleman connection. Instead of a criminal's traffic coming from a suspicious data centre in another country, it comes out of a normal home broadband line in, say, Ohio or Manchester. Websites and banks treat it as a regular customer. That is exactly why criminals pay for it.

The rented-out connection can then be used for credential stuffing (trying stolen passwords against banking sites), ad fraud, scraping, or masking the origin of further attacks. The person who owns the infected computer sees none of it, apart from maybe a slower connection and a higher electricity bill.

Why Lurking Lizard is different

Plenty of malware families sell access to infected machines. What sets this crew apart, according to Infoblox, is that they run the whole pipeline themselves. They register the lookalike domains. They build the fake installers. They operate the malware. And they sell access to the resulting proxy network directly to customers.

That vertical setup is unusual. Most proxy botnets involve at least two or three separate criminal businesses stitched together. One outfit doing all of it means faster iteration and fewer middlemen taking a cut.

Infoblox has not, at the time of writing, published a full list of the 230+ domains, and no CVE is involved here (this is social engineering plus malware, not a software flaw). The company's writeup is the primary source for the naming and timeline.

What should ordinary users do?

Stick to the official 7-Zip site, which is 7-zip.org, for that specific tool. More broadly, be very careful with the top results on a search engine when you look for free software. Criminals routinely buy ads that sit above the real download link.

A few practical signs something is off after an install: your computer's fan runs constantly when you are doing nothing, your internet feels slower than it should, or your bank flags logins from places you have never been. Any of those is worth a proper malware scan.

For IT teams, block newly registered lookalike domains at the DNS layer, and treat outbound connections from user machines to unknown proxy ports as suspicious by default. If a finance workstation is suddenly opening thousands of short-lived connections to random residential IPs, something is wrong.

The Lurking Lizard operation is a reminder that you do not need a zero-day (an unknown software flaw) to build a serious criminal business. A convincing fake download page and a patient three-year runway will do it.

© 2026 Threat Vectr