Cybersecurity researchers have uncovered a campaign by a new threat actor called Lurking Lizard, which uses fake 7-Zip installer downloads to compromise systems and repurpose them as residential proxy nodes. The operation, active since at least August 2022, relies on an infrastructure of more than 230 lookalike domains designed to deceive users into downloading the malicious software.

DNS intelligence firm Infoblox disclosed these findings, noting that the scheme runs an end-to-end residential proxy business. Infected devices become part of a proxy network that anonymous customers can rent, allowing their traffic to appear legitimate by routing through real home IP addresses. This technique helps evade security filters and geolocation blocks.

Technically, the attack vector mimics a legitimate installer, tricking victims into executing code that installs proxy software silently in the background. The threat actor maintains meticulous control over the malicious domains, which are frequently rotated to avoid detection. Indicators of compromise include unusual outbound network connections from devices that recently downloaded 7-Zip or similar archiving tools.

Users should avoid downloading software from unofficial sources and verify checksums or digital signatures of installers from trusted vendors. The firm recommends organizations monitor for anomalous network traffic and block known lookalike domains. No patch is available since this is a social engineering and supply-chain attack, not a software vulnerability.

Attribution to Lurking Lizard remains tentative, as the group's operational security practices obscure its geographic origin. The campaign underscores the evolving threat landscape where trusted software updates and tools are weaponized to build criminal proxy services, posing risks to both consumer privacy and enterprise security.