What Happened
Cybersecurity researchers have disclosed details of a new threat actor dubbed Lurking Lizard that has been operating an end-to-end malicious residential proxy business using an infrastructure comprising more than 230 lookalike domains. The activity dates back to at least August 2022, according to DNS threat intelligence firm Infoblox. Once such campaign, observed earlier this year, involved the
Why It Matters
The reported campaign describes a threat actor, Lurking Lizard, running a large-scale malicious residential proxy business by distributing trojanized installers (e.g., fake 7-Zip from 7zip[.]com) and recruiting victim devices into a proxy botnet via over 230 lookalike domains.[1][6][8] These infected machines become exit nodes whose consumer IPs are resold for fraud, scraping, and other abuse while victims unknowingly host attacker traffic.[1][3][4] RealGround analysis: While the current activity targets end-user devices, similar residential proxy and drop-catch infrastructure can be used to evade IP-based defenses for AI-facing endpoints, abuse AI agents via anonymized automation, and support large-scale credential stuffing or scraping against AI SaaS platforms. Organizations should continuously red-team AI interfaces for abuse via proxy networks, harden AI supply chains (including installer distribution and domain integrity), and design secure AI agents that assume hostile, anonymized traffic and enforce strong authentication, rate limiting, and provenance checks.
RealGround Analysis
This signal maps to malicious AI use. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/07/fake-7-zip-installers-turn-devices-into.html
