AG Adware Guru
News

Fake 7-Zip and WireVPN Installers Can Add Proxyware

Infoblox says a proxyware actor it tracks as Lurking Lizard used fake software installers and lookalike domains to turn victim devices into residential proxy nodes. The most useful lesson for home users is simple: a download that looks like a normal archiver or VPN can quietly sell your home IP address to somebody else.

The research, published on July 7, 2026, links the earlier fake 7-Zip installer at 7zip[.]com to a larger operation with more than 230 lookalike domains, fake proxy-service storefronts, fake review sites, and newer WireVPN-themed variants. The Hacker News summarized the findings on July 9, noting that the same infrastructure also touched fake WhatsApp, TikTok downloader, YouTube downloader, and VPN lures.

Why this matters

Residential proxy abuse is not just a business-network problem. If proxyware lands on a personal PC, the device can appear to websites and services as the exit point for someone else’s traffic. That can make normal browsing look suspicious, trigger account checks, or put the household IP address near activity the owner never performed.

This campaign also fits a pattern seen in other fake-download cases: attackers borrow trust from familiar utilities, typo-like domains, old search results, and installer screens that appear to do something useful. Similar download lures have been used in recent fake download redirects, fake Node.js ads, and free software video lures.

What Lurking Lizard used

  • A confusing 7-Zip domain: the real 7-Zip site is 7-zip[.]org, while the reported lure used 7zip[.]com.
  • Drop-caught and lookalike domains: Infoblox says the actor bought domains with old reputation or brand-like names, then used them for downloads, proxy services, or review-style promotion.
  • Proxyware payloads: Windows samples used names such as hero.exe, uphero.exe, wire.exe, and upwire.exe, with folders under C:WindowsSysWOW64hero or C:WindowsSysWOW64wire.
  • Firewall and persistence changes: the report describes use of netsh firewall rules and registry modifications so the proxy component can keep communicating.
  • Current WireVPN branding: Infoblox says the 7-Zip lure evolved into WireVPN-themed variants. It also cautions that the exact proxy behavior of the mobile apps remains unclear.

Quick check if you installed a suspicious archiver or VPN

  1. Confirm where the installer came from. For 7-Zip, use the official 7-zip[.]org domain, not a shorter lookalike.
  2. Look for unexpected programs, services, or startup entries named around hero, wire, VPN utilities you did not choose, or generic updater names.
  3. Check Windows Defender Firewall for newly allowed apps you do not recognize, especially entries tied to files under C:WindowsSysWOW64hero or C:WindowsSysWOW64wire.
  4. Remove suspicious apps, restart, and run a full scan with a trusted anti-malware tool. If browser pop-ups or redirects continue, also review notification permissions with the browser notification scam removal guide.
  5. If websites suddenly block your home connection or ask for extra verification, consider that a proxy or unwanted extension may be routing traffic through your device.

How to reduce the risk

Download utilities from the publisher’s exact site, not from ads, tutorial links, mirror pages, or “best downloader” lists. Be especially cautious with free VPNs, video downloaders, cracked apps, and archive utilities that arrive through search ads or social posts. These categories are frequently used because people expect them to install background network components.

Browser add-ons can create similar cleanup problems. If an extension starts redirecting searches, pushing ads, or changing storage behavior, compare the symptoms with recent Chrome wallpaper extension adware cases and remove anything you did not deliberately install.

Takeaway

The Lurking Lizard report is a reminder that “free” installers do not always steal passwords immediately. Some quietly monetize your connection. Treat lookalike domains, unexpected VPN helpers, firewall prompts, and background services as warning signs, especially after installing a utility from anywhere other than the vendor’s official site.

Sources: Infoblox Threat Intel and The Hacker News.

Daniel Zimmermann

Daniel Zimmermann has been writing about adware, browser notification abuse, unwanted programs and practical Windows cleanup for many years. He focuses on clear removal steps for everyday users and keeps Adware Guru guides grounded in observable browser symptoms.

Related Articles