Lurking Lizard: Residential Proxy Botnet With 230+ Domains Uses Trojanized 7-Zip Installer to Recruit Proxy Nodes

Lurking Lizard: Residential Proxy Botnet With 230+ Domains Uses Trojanized 7-Zip Installer to Recruit Proxy Nodes

TTP Advisory: Lurking Lizard | No CVE | Threat Type: Residential Proxy Botnet | Activity Since: August 2022 | Domains: 230+ lookalike domains | Discovered by: Infoblox DNS Threat Intelligence


What Happened

Infoblox has disclosed details of a threat actor dubbed Lurking Lizard operating an end-to-end malicious residential proxy business using an infrastructure comprising more than 230 lookalike domains since at least August 2022. One campaign observed earlier this year involved the actor luring victims with a trojanized 7-Zip installer hosted on a domain named ‘7zip[.]com’. Compromised devices are covertly recruited as proxy nodes in a residential proxy network. Lurking Lizard also impersonates major proxy providers including IPIDEA, SmartProxy (now Decodo), IP Royal, and 911Proxy, and runs fake ‘independent’ review sites to drive traffic to its own scam storefronts. IPIDEA’s infrastructure was dismantled by Google in an operation earlier this January.


Infection Chain

  • Trojanized 7-Zip installer — hosted on lookalike domain 7zip[.]com
  • Fake review sites — drive traffic to scam proxy storefronts
  • Proxy recruitment — compromised devices become nodes in residential proxy network
  • Domain impersonation — mimics IPIDEA, SmartProxy, IP Royal, 911Proxy

Impact

Residential proxy networks allow cybercriminals to route traffic through legitimate home IP addresses, bypassing geographic restrictions, fraud detection, and IP reputation blocks. The network can be used for credential stuffing, account takeover, ad fraud, and anonymous access to restricted services. The operation has been active for nearly 4 years with 230+ domains.


Mitigation

  • Download software only from official sources: Always verify you are on the legitimate vendor domain (7-zip.org, not 7zip[.]com).
  • Monitor DNS traffic: Look for connections to lookalike domains mimicking known software vendors.
  • Implement domain blocklists: Block known Lurking Lizard domains.

Recommendations

  • User awareness: Warn employees about lookalike domains for popular software downloads.
  • DNS filtering: Deploy DNS filtering solutions that can detect and block lookalike domains.
  • Software distribution policy: Enforce approved software download sources in enterprise environments.

References


Part of the Vulnerability Intelligence series on threat-modeling.com. July 9, 2026 Report.

Connect with me

Enter your Email address if you want to connect and receive threat modeling updates (I won’t spam you or share your contact details).

AND / OR

Try my threat modeling tool, it's completely free to use.

Thanks for signing up!