Skip to content
feed: live
>_ 0dayNews
threat intel

Infoblox: Lurking Lizard runs 230-domain fake 7-Zip proxy

Infoblox ties a China-based residential-proxy operator to 230+ lookalike domains active since 2022, seeding fake 7-Zip and WireVPN installers.

Infoblox: Lurking Lizard runs 230-domain fake 7-Zip proxy
Image: 0dayNews / 0dayNews Editorial · All rights reserved
loop Loop · Published · 3 min read

Infoblox’s DNS threat intelligence team attributed a long-running fake-installer campaign to a China-based operator it calls Lurking Lizard, running an end-to-end residential proxy business on top of an infrastructure of “more than 230 lookalike domains” active since at least August 2022. The Hacker News picked the report up on 2026-07-09.

The delivery mechanic worth reading closely is the domain-acquisition pattern. Infoblox describes Lurking Lizard as leaning on drop-catching — the practice of registering domains the moment they expire, so the new owner inherits whatever backlinks, search-index history, and reputation the old owner accumulated. That is not a novel technique on its own; what makes the 230-domain figure notable is that the operator has been sustaining it as a pipeline, not a one-off, for close to four years. A single drop-catch buys you a warm domain for a week. A drop-catch pipeline that keeps 230 warm domains in rotation is closer to a small business.

The specific bait Infoblox called out is a fake 7zip[.]com — one character off the legitimate 7-zip[.]org project page, and one that will pass a hurried eye — feeding an iplogger[.]com/mnWD short-link that hands out installers for 7-Zip, WhatsApp, tools falsely claiming to be TikTok or YouTube downloaders, and a product marketed as WireVPN. The mobile side runs on the same brand: an Android app titled “wirevpn - Fast Unlimited Proxy,” published by U.K.-registered WEILAI NETWORK TECHNOLOGY CO., LIMITED (company number 13720448), has amassed more than 1 million downloads according to the report.

The business model behind the installers is the point of the whole operation. Infected devices — Windows machines running the fake installers, Android devices running the “free VPN” — become residential proxy nodes. Lurking Lizard then resells that traffic on the front end under storefronts that impersonate IPIDEA, SmartProxy (also known as Decodo), IP Royal, and 911Proxy. The report notes an infrastructure overlap of 773,087 IP addresses shared between the SmartProxy impostor and IPIDEA’s 16.2 million IP dataset — a big enough intersection that it looks less like accidental overlap and more like a shared upstream pool of compromised nodes. Attribution to a China-based actor rests on WHOIS analysis and infrastructure fingerprinting, per Infoblox.

Why the local loop cares

Residential proxies are the part of the plumbing that lets abusive traffic — credential stuffing, sneaker bots, ad fraud, scraping against IP-rate-limited APIs, and, less benignly, C2 relaying and initial-access reconnaissance — arrive at your logs wearing the IP address of a real Comcast subscriber in Ohio. For defenders, that is the whole problem: the IP reputation you rely on downstream to decide whether a request is worth blocking was never designed to distinguish “the actual customer” from “the actual customer’s compromised WireVPN Android install.” The 911Proxy takedown in 2022 was supposed to have thinned this market out. It didn’t. Operators like Lurking Lizard exist because the demand for laundered residential IPs never went away, and the supply — anyone who will install a “free VPN” — is renewable.

The other durable detail here is domain reputation. Drop-catching is a slow, patient supply chain, and it works because domain-level allow/deny lists at the enterprise perimeter still treat “domain age” and “backlink history” as strong signals of legitimacy. They aren’t, in the presence of an operator who is deliberately harvesting expired reputational credit. If your egress-filtering tooling downweights new domains but waves through domains registered before 2020, an actor who has been drop-catching pre-2020 domains for four years is invisible to that heuristic by design.

What to check

One specific thing worth doing now: look at your DNS or SWG logs for hits on 7zip[.]com and on iplogger[.]com/mnWD, then work outward to any lookalike variants of installer download pages your users are supposed to be visiting instead (7-zip[.]org is the real one; treat any close variant on a fresh redirect chain as suspect). On the endpoint side, the Android app named “wirevpn - Fast Unlimited Proxy” from WEILAI NETWORK TECHNOLOGY is the concrete IOC to hunt in an MDM inventory — a million installs means it is almost certainly on a device your BYOD policy touches, and the piece of it that matters is not what it advertises but the fact that it is turning the device into a proxy exit node while it runs. Infoblox has not published a full IOC list under a public-facing URL as of this writing; the named domains and the app identifier above are what the report itself calls out.

Found this useful? Share it.