Researchers reported multiple campaigns using spoofed download and streaming sites to trick users into installing remote access tools, unwanted applications, and proxyware. Kaspersky found more than 90 fake software domains in 10 languages distributing trojanized Windows downloads that silently installed ScreenConnect via DLL sideloading and then deployed AsyncRAT for persistent access; in one case, the attackers altered Windows Defender exclusions, disabled UAC, and used process hollowing into RegAsm.exe. Separately, Gurucul identified a large network of pirated sports-streaming sites exploiting interest in the FIFA World Cup, using mirror domains, typosquatting, cloud-hosted pages, and rotating infrastructure to push fake Stremio installers, VPN-themed lures, phishing pages, scams, and unwanted software.
Infoblox tied a fake 7zip[.]com installer campaign to a broader residential proxy operation tracked as Lurking Lizard, linking more than 230 domains involved in fake downloads, fake review sites, proxy storefronts, and WireVPN-branded applications that appear to enroll devices into a distributed proxy network. The wider proxyware ecosystem is affecting enterprise and consumer environments alike: Infoblox said 65% of its Threat Defense Cloud customers generated DNS queries in 2026 to domains associated with residential proxy activity, totaling more than 500 billion queries per month, underscoring how free VPNs, streaming apps, browser extensions, and low-cost connected devices are being abused to hijack residential IP space for fraud, scraping, account abuse, and regional restriction bypass.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
10 events from the most recent confirmed update back to the earliest known activity.
Infoblox linked an early-2026 fake 7-Zip installer campaign hosted on 7zip[.]com to the larger Lurking Lizard proxyware ecosystem.
Infoblox published findings tying fake installers, fake review sites, fake proxy storefronts, and WireVPN-branded applications to a long-running residential proxy operation it tracks as Lurking Lizard. The company said the actor controls more than 230 domains and appears to monetize victim devices end-to-end.
Kaspersky researchers identified a campaign that distributed the legitimate remote access tool ScreenConnect via fake software-download sites promoted through SEO. Victims received malicious archives that silently installed ScreenConnect and later AsyncRAT for persistent remote control.
Gurucul researchers identified a high-severity campaign using pirated sports-streaming sites, mirror domains, typosquatting, and rotating infrastructure to exploit interest in the 2026 FIFA World Cup. The operation also pushed fake Stremio installers and VPN-themed lures that exposed users to malware, phishing, scams, and unwanted software.
Kaspersky assessed that the ScreenConnect distribution campaign appeared to pause by late March 2026, although many of the lure websites remained online.
Kaspersky said registrations for domains used in the ScreenConnect malware campaign peaked in February 2026, reflecting a surge in campaign infrastructure buildup.
Infoblox reported that in 2026, 65% of its Threat Defense Cloud customers made DNS queries to domains associated with residential proxy access or orchestration, totaling more than 500 billion such queries per month.
According to Kaspersky, the ScreenConnect campaign moved from fake game sites to free utility-themed lures in January 2026, broadening the software themes used to attract victims.
Kaspersky reported that the infrastructure for a malware campaign abusing ScreenConnect began forming in October 2025. The campaign later used spoofed domains and fake software-download sites to target users.
Infoblox said the broader malicious residential proxy ecosystem it tracks as Lurking Lizard can be linked back to at least August 2022 through DNS pivots, WHOIS data, shared infrastructure, and a hardcoded IPLogger URL.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
infoblox.com
Open sourcexakep.ru
Open sourcecommunity.gurucul.com
Open sourcecysecurity.news
Open sourceblog.lukeacha.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.