Fake VPN and 7-Zip Apps Turn Victims Into Residential Proxy Nodes

Pierluigi Paganini July 09, 2026

Fake apps like WireVPN and a trojanized 7-Zip turn victims’ devices into residential proxies, letting criminals route traffic through their IPs.

Infoblox’s threat research team started pulling on a single thread in early 2026: a fake version of the 7-Zip archive utility hosted at 7zip[.]com instead of the real site, 7-zip[.]org. The researchers uncovered a years-long operation they’re calling Lurking Lizard, a threat actor running every layer of a criminal residential proxy business, from infecting victim devices all the way through to selling access to them and writing fake reviews to drive more traffic to their own storefronts.

The concept of residential proxies is simple. A small piece of software on your device can route other people’s internet traffic through your connection, making it appear to originate from your IP address rather than theirs. Companies sell this capability. Lurking Lizard does the same thing, except the people whose devices are enrolled didn’t agree to it.

“In early 2026, the actor, who we track as Lurking Lizard, fooled users into downloading a fake version of the 7-Zip archive utility. Once installed, the device was enrolled as a proxy node to be rented to residential proxy services.” reads the report published by Infoblox. “The threat actor uses trojanized software to recruit victim machines as residential proxy nodes, providing just enough functionality to appear legitimate and keep users from uninstalling it.”

Infoblox mapped more than 230 domains back to this actor through the analysis of DNS and infrastructure. The portfolio covers every angle. Lookalike domains impersonate legitimate software like 7-Zip, popular VPNs, and services like HeroSMS. Other domains impersonate proxy services themselves, including IPIDEA, SmartProxy, IP Royal, and 911Proxy. Lurking Lizard also runs what appear to be independent proxy review websites, including proxyreviews[.]org, to drive traffic to its own storefronts. The review sites appear independent. They aren’t.

One example illustrates how convincing the impersonation is. The domain smartproxy[.]org presents itself as a budget proxy service offering access to 100 million residential IP addresses. It belongs to Lurking Lizard, not to the real Smartproxy company. Decodo, which owns the legitimate smartproxy[.]com, publicly called out the domain squatter. The fake was good enough to briefly fool Infoblox’s own researchers during the investigation.

The investigation’s most useful pivot came from a hardcoded URL inside the malware samples, pointing to IPLogger, a legitimate visitor-tracking service. The specific URL, hxxps://iplogger[.]com/mnWD, appeared across multiple distinct payloads spanning years: the fake 7-Zip installer, tools falsely claiming TikTok and YouTube download capabilities, and both early and recent variants of WireVPN-branded samples.

“Pivoting on this specific URL and the “/mnWD” identifier proved to be especially valuable.” continues the report. “The same infrastructure underpinned multiple payloads dating back to at least 2022: the fake 7-Zip installer, tools falsely claiming TikTok and YouTube download capabilities, and both early and recent WireVPN-branded samples.”

The actor used a legitimate third-party service as a telemetry beacon to avoid maintaining their own tracking infrastructure. Smart, in a criminal sort of way.

WHOIS registration data pointed toward China. A registrant name of “Cheng Li” linked the fake 7-Zip domain to the cluster of lookalike proxy service domains. Shuffled variants appeared across related registrations: Li Hao Cheng, Li Cheng Liang, Zhang Cheng Li. A phone number in the registration data carried a country code and area code placing the registrant in Wuhan, China, if the details are accurate.

The researchers pointed out that the fake 7-Zip campaign has evolved into WireVPN, a VPN service with its own website, Windows and macOS apps, and listings on the Apple App Store and Google Play. The Android app has been downloaded more than one million times and has over 34,000 reviews.

The Windows samples are signed with a valid code signing certificate issued to WEILAI NETWORK TECHNOLOGY CO., LIMITED, a UK-registered entity. The continuity between the old campaign and the new one is visible in the code: where the 7-Zip malware installed files named hero.exe and uphero.exe into C:\Windows\SysWOW64\hero, WireVPN installs wire.exe and upwire.exe into C:\Windows\SysWOW64\wire. Same structure, different name.

When Infoblox analyzed WireVPN’s network behavior, it didn’t look like a VPN. Shortly after launch, the client sent ping requests to a large number of globally distributed IP addresses, apparently to build a pool of available nodes. Rather than establishing a single stable tunnel to a fixed endpoint, which is what a VPN does, it maintained multiple concurrent connections across a broad set of hosts.

“Rather than forming a single stable tunnel to a fixed endpoint, as would be expected of a VPN application, it appears to make multiple concurrent connections across these hosts. As discussed earlier, these domains exhibit strong infrastructure linkage through DNS records, hosting patterns, and shared backend systems, supporting the assessment that they are all controlled by Lurking Lizard.” continues the report. “The traffic patterns do not match what a VPN client produces: WireVPN looks less like a privacy tool and more like an exit node for third-party traffic.”

In practical terms, other people’s traffic exits through the IP address of whoever installed the app.

How the money flows?

Ben Brundage of Synthient, a fraud intelligence firm, explained the supply chain to Infoblox: commercial proxy services scale their pools by buying bandwidth from resellers, and smaller actors like Lurking Lizard combine their own pool of compromised devices with upstream providers like IPIDEA or Kookeey to offer what they market as an unlimited residential proxy pool. The victim devices provide the raw material. The lookalike storefronts sell access to it. The fake review sites generate traffic to those storefronts.

“This approach allows them to offer a profitable “unlimited pool” and reduce potential downtime. The broader distribution chain of backdoored apps reveals the common structure that providers or publishers use to acquire large swaths of IP space from victims, in which consent is explicitly omitted.” Brundage said.

The 7-Zip campaign was visible because someone wrote about it. The operation behind it had been running since at least August 2022 and continues today under WireVPN branding, with more than a million app downloads and a portfolio of over 230 domains supporting every stage of the business. If you’ve installed WireVPN, or anything from a domain that isn’t exactly what you expected, your device may be doing work you didn’t sign up for.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)



you might also like

leave a comment