Press ReleaseCyber Crime & Forensic

How Fake 7-Zip Software Exposed a Much Bigger Criminal Proxy Business

Infoblox research suggests bogus downloads, lookalike brands, and fake reviews are helping build global supply chains for criminal internet traffic.

Residential proxies are one of cybersecurity’s hottest topics, but many are not residential at all. Infoblox Threat Intel researchers traced what initially appeared to be an isolated malware campaign to a broader operation dating back several years. The actor, tracked as Lurking Lizard, is linked to more than 230 domains used to infect victim devices, operate proxy infrastructure, impersonate known proxy providers, and market related services.

Lurking Lizard appears to be a Chinese actor who affiliates with other proxy providers to resell access to bandwidth from compromised residential proxies. External researchers previously identified overlap between infrastructure connected to Lurking Lizard and IPIDEA, a major proxy provider that was disrupted earlier this year by a coordinated industry and law enforcement action. While there have been multiple disruptions of proxy providers this year, the ability for threat actors like Lurking Lizard to continue operating the botnet devices demonstrates how hard it remains to dismantle the malicious residential proxy market.

The operation is vertically integrated, controlling several stages of acquisition, promotion, and monetisation. It builds new proxy nodes by distributing malware through lookalike domains tied to major software brands, then boosts those lures through search poisoning and online ads. One such campaign, impersonating 7-Zip, drew attention earlier this year, but this was only one visible piece of a much larger system. Infoblox Threat Intel also found that the actor sold access through lookalike domains posing as other commercial proxy services. By connecting those domains, the researchers were able to map the wider scope of the activity.

“What matters here is not one fake installer, but the business model behind it,” said Dr Renée Burton, VP of Infoblox Threat Intel. “When criminal services can scale by borrowing trust from consumer software, app stores, and review sites, the risk moves beyond the security team. It becomes an operations, fraud, and brand issue for every company online.”

CSA Editorial

Launched in Jan 2018, in partnership with Cyber Security Malaysia (an agency under MOSTI). CSA is a news and content platform focusing on key issues in cybersecurity in the region. CSA is targeted to serve the needs of cybersecurity professionals, IT professionals, Risk professionals and C-Levels who have an obligation to understand the impact of cyber threats.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *