News

How Fake 7-Zip Software Exposed a Much Bigger Criminal Proxy Business

Published

on

Residential proxies are one of cybersecurity’s hottest topics, but many are not residential at all. Infoblox Threat Intel researchers traced what initially appeared to be an isolated malware campaign to a broader operation dating back several years.

The actor, tracked as Lurking Lizard, is linked to more than 230 domains used to infect victim devices, operate proxy infrastructure, impersonate known proxy providers and market related services.

Lurking Lizard appears to be a Chinese actor who affiliates with other proxy providers to resell access to bandwidth from compromised residential proxies. External researchers previously identified overlap between infrastructure connected to Lurking Lizard and IPIDEA, a major proxy provider that was disrupted earlier this year by a coordinated industry and law enforcement action.

While there have been multiple disruptions of proxy providers this year, the ability for threat actors like Lurking Lizard to continue operating the botnet devices demonstrates how hard it remains to dismantle the malicious residential proxy market.

The operation is vertically integrated, controlling several stages of acquisition, promotion and monetization. It builds new proxy nodes by distributing malware through lookalike domains tied to major software brands, then boosts those lures through search poisoning and online ads.

One such campaign, impersonating 7-Zip, drew attention earlier this year, but this was only one visible piece of a much larger system.

Infoblox Threat Intel also found that the actor sold access through lookalike domains posing as other commercial proxy services. By connecting those domains, the researchers were able to map the wider scope of the activity.

“What matters here is not one fake installer, but the business model behind it,” said Dr. Renée Burton, VP of Infoblox Threat Intel. “When criminal services can scale by borrowing trust from consumer software, app stores and review sites, the risk moves beyond the security team. It becomes an operations, fraud and brand issue for every company online.”

You can read the full research here.

Trending

Exit mobile version