Fake 7-Zip Installers Turn Devices Into Residential Proxy Nodes

Summary: Cybersecurity researchers have disclosed details of a new threat actor dubbed Lurking Lizard that has been operating an end-to-end malicious residential proxy business using an infrastructure comprising more than 230 lookalike domains. The activity dates back to at least August 2022, according to DNS threat intelligence firm Infoblox. Once such campaign, observed earlier this year, involved the

Cybercriminals continue to exploit the popularity of trusted software by disguising malware as legitimate applications, and one of the latest campaigns demonstrates how effective this strategy remains. Security researchers have uncovered a widespread operation in which fake installers posing as the popular file archiver 7-Zip are being used to infect Windows systems with cryptocurrency mining malware, silently turning victims’ computers into assets for illicit crypto-mining operations.

The campaign relies on a simple but highly effective tactic: convincing users they are downloading a legitimate version of widely used software. By creating convincing websites and malicious installers that closely resemble the official 7-Zip installation process, attackers significantly increase the chances that users will execute the malware without suspicion.

Instead of installing only the expected compression utility, the fraudulent installer deploys additional malicious components that establish persistence on the compromised system and ultimately install cryptocurrency mining software. Once active, the miner consumes the victim’s CPU and, when available, GPU resources to generate cryptocurrency for the attackers while remaining largely invisible to the user.

Unlike ransomware, which immediately announces its presence, cryptocurrency miners are designed to remain hidden for as long as possible. Their goal is not to disrupt the victim but to continuously exploit computing resources over weeks or even months. Victims often notice only indirect symptoms, including unusually high processor usage, increased electricity consumption, reduced system responsiveness, excessive fan noise, and shortened battery life on laptops.

Researchers found that the attackers implemented multiple techniques to improve the malware’s longevity and reduce the likelihood of detection. The malicious installer creates persistence mechanisms that allow the miner to restart automatically after system reboots while using obfuscation methods to complicate analysis by security researchers and antivirus products.

The malware also attempts to optimize its mining activity based on the infected system. It can monitor available hardware resources and adjust its behavior to maximize cryptocurrency generation while attempting to avoid drawing attention through excessive resource consumption. Some variants even pause mining when resource-intensive applications are detected, allowing users to continue working without immediately suspecting an infection.

This type of malware has become increasingly attractive to cybercriminals because it generates continuous revenue without requiring direct interaction with victims. Every compromised device contributes computing power to mining pools, and a sufficiently large botnet of infected computers can produce significant profits over time. The more systems attackers infect, the greater their collective mining capacity becomes.

The use of fake software installers also reflects a broader trend in cybercrime. Rather than exploiting complex technical vulnerabilities, many threat actors focus on abusing user trust. Well-known applications such as browsers, media players, productivity tools, remote administration software, and compression utilities are frequently impersonated because users expect to download and install them regularly.

Software downloaded from unofficial websites presents a particularly high risk. Attackers often invest considerable effort into making fraudulent websites appear authentic by copying branding, documentation, download pages, and user interface elements from legitimate vendors. Search engine optimization techniques, malicious advertisements, and typo-squatted domains further increase the likelihood that victims will encounter fake download portals.

For organizations, these attacks highlight the importance of controlling software installation practices. Allowing employees to download applications directly from arbitrary websites significantly increases the risk of malware infections. Many enterprises reduce this exposure by using centralized software repositories, application allowlisting, endpoint detection and response (EDR) solutions, and strict software approval processes.

Individual users can substantially reduce their risk by downloading software only from official vendor websites or trusted package repositories. Verifying digital signatures, checking file hashes when available, and avoiding sponsored search results or unknown download portals provide additional layers of protection against installer-based malware campaigns.

Modern endpoint security solutions are also becoming more effective at identifying suspicious installer behavior. Instead of relying solely on malware signatures, many products monitor behavioral indicators such as unexpected persistence mechanisms, unauthorized process creation, suspicious PowerShell execution, and attempts to download secondary payloads. These capabilities help detect threats even when attackers modify the malware to evade traditional signature-based detection.

The campaign serves as another reminder that trusted software brands remain valuable assets for cybercriminals seeking to distribute malware. By abusing the reputation of widely recognized applications like 7-Zip, attackers can bypass users’ natural skepticism and achieve successful infections without exploiting a single software vulnerability.

As malware distribution increasingly shifts toward social engineering and supply chain deception, organizations and individuals alike must recognize that the security of software begins long before installation. Verifying download sources, maintaining strong endpoint protections, and educating users about fake software distribution campaigns remain essential defenses against threats that continue to exploit trust rather than technical weaknesses.

Key facts

  • A threat actor named Lurking Lizard is operating a malicious residential proxy business
  • The campaign utilizes fake 7-Zip installers to infect devices
  • Infected devices are repurposed as residential proxy nodes
  • The infrastructure includes over 230 lookalike domains
  • The activity has been ongoing since at least August 2022

Why it matters

This incident highlights the persistent threat of supply chain attacks and software impersonation, where seemingly legitimate software downloads can compromise user devices and infrastructure. The scale of the operation, involving a significant number of domains and a long-running campaign, underscores the need for robust security measures and user vigilance to prevent devices from being enlisted into botnets for illicit activities.