Introduction
Cybercriminals have been covertly transforming regular computers into proxy servers by disguising malware as a popular file compression tool, 7-Zip. This operation, which has been ongoing for several years, deceives users into installing malicious software under the guise of genuine software.
Users looking for the free 7-Zip tool are redirected to a counterfeit website, leading to the installation of hidden proxy software instead. This malware exploits victims’ internet connections, renting them out to paying clients without the users’ knowledge.
Uncovering the Cyber Scheme
The fraudulent campaign gained attention in early 2026 when the fake installation package was found on 7zip[.]com, a site that mimicked the legitimate 7-zip[.]org. This was not a one-off scam but rather part of a wider, long-term operation.
Security researchers traced these activities back to at least August 2022. They discovered a network of fake software brands, all orchestrated by a group identified as Lurking Lizard.
Infoblox, a security firm, reported that this group runs a comprehensive proxy business, from deceiving users into installing malware to reselling the hijacked bandwidth. The operation was linked through domain records, shared code, and hidden tracking elements within the malware.
Scale and Methodology of the Operation
Infoblox’s findings reveal over 230 domains associated with this actor, covering fake VPN apps, download tools, and proxy service websites. The evidence suggests the operation is based in China, as indicated by the domain registration details.
The group, undeterred by exposure, has rebranded and continued its operations under different names. Their technique, known as drop-catching, involves purchasing expired domains to exploit their existing search engine reputation.
Investigators identified several drop-catch domains linked to the group, some with registration dates going back as far as 2004. A significant clue was a hardcoded tracking link found in the malware, connecting this campaign to other unrelated scams.
The Evolution to WireVPN
The 7-Zip scam has evolved into a new guise, WireVPN, available on both Apple and Google app stores. Despite its claims, testing revealed that WireVPN behaves more like a conduit for external internet traffic than a protective VPN.
Infoblox advises users to avoid downloading software from unofficial sources and to verify domains before installation. They also recommend scrutinizing app publisher details, as Lurking Lizard’s apps bear legitimate-looking certificates.
Security teams are urged to monitor for specific file names and network behaviors indicative of this group to detect infections early. This incident underscores the importance of vigilance, as many users unknowingly contribute their bandwidth to malicious proxy networks.
Conclusion
This case highlights the persistent threat posed by cybercriminals exploiting software trust. Users should remain cautious and ensure software is sourced from reputable sites to mitigate the risk of falling victim to such scams.
