A sophisticated cybercriminal operation that converts home computers into residential proxy nodes has been uncovered, revealing a mature criminal business model built on social engineering rather than technical exploits. The threat actor, dubbed Lurking Lizard, leverages over 230 lookalike domains to distribute malicious installers masquerading as the popular open-source archiver 7-Zip, according to findings published by DNS threat intelligence firm Infoblox on July 8.
The campaign has been active since at least August 2022, demonstrating a persistent and well-resourced effort. Attackers create convincing replicas of the legitimate 7-Zip website, tricking users into downloading poisoned software. Once installed, the malware silently enlists the compromised device into a vast proxy network. The value of this network lies in the nature of the proxies themselves: residential IP addresses, which belong to home internet connections and are less likely to be flagged by security systems compared to datacenter IPs.
This residential proxy botnet is then sold as a service to other cybercriminals, providing them with "clean" IP addresses to bypass security controls, conduct credential-stuffing attacks, perform large-scale web scraping, or evade geo-restrictions. Infoblox's research frames this as a lucrative, layered ecosystem where the initial malware infection serves as a foundation for further diversified cyber threats.
The scale of the infrastructure—over 230 known distribution domains—indicates a significant operation that has evolved over years. For IT teams and users, this incident underscores the critical need for strict software sourcing policies. Utilities must be downloaded exclusively from official, verified sources, with digital signatures validated to ensure integrity. The use of a trusted open-source tool as a lure highlights that social engineering remains a high-impact threat, necessitating augmented user education on identifying legitimate download channels.
While the legitimate 7-Zip project's stance on such campaigns remains unclear, the attack raises questions about how open-source maintainers can effectively warn or protect users from widespread impersonation. Furthermore, emerging technical methods to detect and mitigate malicious clients that turn devices into residential proxies are areas of ongoing concern. As cybercriminals continue to exploit trust in established software, vigilance and proactive controls are essential for defense.
一個精密的網絡犯罪操作被揭發,將家用電腦轉化為住宅代理節點,揭示了一個建基於社會工程而非技術漏洞的成熟犯罪商業模式。根據DNS威脅情報公司Infoblox於7月8日發布的研究報告,被稱為「潛伏蜥蜴」的威脅行為者利用超過230個仿冒域名,分發偽裝為流行開源壓縮工具7-Zip的惡意安裝程式。
該活動至少自2022年8月起持續運作,顯示出持久且資源充裕的攻擊力度。攻擊者製作逼真的7-Zip官網副本,誘騙用戶下載遭投毒的軟件。一旦安裝,惡意軟件便會靜默將受感染設備納入龐大的代理網絡。此網絡的價值在於代理本身的特性:住宅IP地址來自家用網絡連接,相比數據中心IP地址,較不易被安全系統標記。
這個住宅代理殭屍網絡隨後以服務形式出售予其他網絡犯罪分子,為其提供「乾淨」的IP地址以繞過安全控制、進行撞庫攻擊、執行大規模網絡爬蟲或規避地理限制。Infoblox的研究將此描述為一個利潤豐厚的層級化生態系統,最初的惡意軟件感染成為進一步多元化網絡威脅的基礎。
基礎設施的規模——超過230個已知分發域名——表明這是一個歷經數年演進的重大操作。對IT團隊和用戶而言,此事件突顯了嚴格軟件來源政策的關鍵必要性。實用工具必須僅從官方驗證來源下載,並驗證數字簽名以確保完整性。使用受信任的開源工具作為誘餌,突顯了社會工程仍然是高影響力威脅,需要加強用戶教育以識別合法下載渠道。
雖然合法的7-Zip項目對此類活動的立場尚不明確,但此攻擊引發了關於開源維護者如何有效警告或保護用戶免受大規模冒充的質疑。此外,檢測和緩解將設備轉化為住宅代理的惡意客戶端的新興技術方法,是持續關注的領域。隨著網絡犯罪分子繼續利用對既有軟件的信任,保持警覺和主動控制對防禦至關重要。
