Infoblox Uncovers Long-Running Fake Software and VPN Campaign That Turns Victims’ Devices Into Proxy Nodes
- Infoblox report: Researchers linked a long-running campaign using fake installers and VPNs to build residential proxy networks.
- Operation uncovered: Over 230 lookalike domains supported malware distribution, fake reviews, and impersonated proxy services since 2022.
- User impact: Downloading software from unofficial websites may unknowingly turn devices into proxy nodes for third-party traffic.
Security researchers at Infoblox have uncovered a large cybercriminal operation that has been using fake software downloads, counterfeit VPN services, and fraudulent review websites to recruit victims into a residential proxy network. The findings, published on July 7, 2026, show that the campaign has been active since at least August 2022 and continues to evolve.
According to Infoblox, the threat actor, tracked as Lurking Lizard, runs what researchers describe as an end-to-end malicious proxy business. Instead of operating a single malware campaign, the group controls multiple stages of the operation, from attracting victims through fake websites to selling access to compromised internet connections.
Fake Installers and Lookalike Websites Power the Campaign
The investigation began with a fake version of the popular 7-Zip file archiving tool that appeared in early 2026. Victims who downloaded the installer from 7zip[.]com instead of the legitimate 7-zip[.]org unknowingly installed software that enrolled their devices into a residential proxy network.
A residential proxy uses internet connections from ordinary devices to route online traffic. While legitimate services exist, criminal operators can abuse compromised devices by renting out their internet bandwidth without the owner's knowledge.
Infoblox's analysis found that the fake 7-Zip installer was only one part of a much broader operation. Researchers linked it to campaigns dating back to at least 2022 through shared infrastructure, domain registrations, malware samples, and a hardcoded IPLogger tracking URL embedded in multiple payloads.
The researchers identified more than 230 domains connected to the activity. Many impersonate well-known software, VPN services, proxy providers, and other online services. These include fake versions of popular proxy brands, generic software download sites, VPN-themed domains, and even proxy review websites that appear designed to promote the operator's own services.
Infoblox also found evidence suggesting the actor likely operates from China based on domain registration information, shared infrastructure, and other technical indicators.
WireVPN Appears to Be the Latest Stage of the Operation
The report states that the campaign has shifted from fake 7-Zip installers to software branded as WireVPN.
Researchers observed that recent Windows samples use nearly identical code, installation methods, persistence mechanisms, and network behavior as the earlier malware, indicating the same operation is behind both campaigns.
During testing, Infoblox found that the Windows client did not behave like a conventional VPN application. Instead of establishing a single encrypted connection to a VPN server, the software communicated with multiple domains associated with the actor and appeared to function more like an exit node for third-party traffic. This behavior suggests affected computers may become part of a distributed proxy network rather than simply providing VPN services.
The researchers analyzed only the Windows version of WireVPN. They did not examine the Android or iOS applications and therefore could not determine whether the mobile apps share the same functionality or primarily direct users toward desktop installations.
Public app store listings indicate that the Android version has recorded more than one million downloads and over 34,000 reviews. Infoblox noted that it could not independently verify those figures or determine how many users are actively using the application.
Why This Matters
Infoblox's findings are based on its own threat intelligence investigation, which connected multiple campaigns through shared malware, infrastructure, APIs, DNS records, hosting patterns, and domain registration data.
For VPN and privacy users, the research highlights the risks of downloading software from unofficial sources or lookalike websites that imitate legitimate services. Malware delivered through these installers can appear to function normally while quietly turning a device into part of a residential proxy network, allowing third parties to route internet traffic through the victim's internet connection.
The report also found that the operation relies on fake review websites and counterfeit service pages to build credibility and attract more victims.
Infoblox did not issue any specific remediation guidance in this report. However, the findings reinforce the importance of downloading software only from official websites and verifying domain names before installing applications.
I think this version reads a bit more naturally and avoids the formulaic "What This Means for..." heading that many tech publications now use.






