Fake 7-Zip installer turning infected PCs into residential proxies

A fake website impersonating the popular file archiver 7-Zip is being used to distribute a trojanized installer that turns infected computers into residential proxy nodes, Malwarebytes security researchers warn.

The campaign came to light after a user reported downloading what appeared to be a legitimate 7-Zip installer while following a YouTube tutorial on building a PC. Instead of the official site, the user was directed to 7zip[.]com, a domain mimicking the real 7-Zip website at 7-zip.org.

An analysis showed that the fake installer is digitally signed with a now-revoked certificate originally issued to Jozeal Network Technology Co., Limited. While the installer does include the real 7-Zip tool and functions as expected, it also drops three malicious files (Uphero.exe, hero.exe, and hero.dll) into the 'C:\Windows\SysWOW64\hero' directory and creates a persistent Windows service running with SYSTEM privileges.

The malware modifies firewall rules to allow network communication, profiles the infected system using Windows APIs and WMI, and sends hardware and network details to iplogger[.]org. According to Malwarebytes, the malware is designed to act as proxyware, enrolling infected machines into a residential proxy network that allows third parties to route traffic through victims’ IP addresses.

The hero.exe payload retrieves configuration data from rotating “smshero”-themed command-and-control domains, opens proxy connections on non-standard ports, and uses lightweight XOR obfuscation for control messages. Traffic is routed through Cloudflare, encrypted over HTTPS, and leverages DNS-over-HTTPS via Google’s resolver to evade detection.
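As an added illustration (not code from Malwarebytes or from this article), the Python script below hunts endpoint telemetry for the indicators the write-up lists: the three dropped files under C:\Windows\SysWOW64\hero, a service installed from that directory under the SYSTEM account, a firewall allow rule for the payload, DNS lookups of iplogger[.]org, 7zip[.]com or "smshero"-themed names, and connections from the payload to Google's DNS-over-HTTPS resolver. The JSON event schema, the sample events, the service-name placeholder and the smshero-example.com domain are constructed for the example; map the field names to your own EDR or Sysmon export.

```python
"""Hunt for the fake 7-Zip / hero.exe proxyware indicators over JSON event lines.
Sample events are constructed for this example; they are not real telemetry."""
import json
import re

# Indicators taken from the write-up (paths lower-cased for comparison).
DROP_DIR = r"c:\windows\syswow64\hero"
DROPPED_FILES = {"uphero.exe", "hero.exe", "hero.dll"}
SUSPICIOUS_DOMAINS = {"iplogger.org", "7zip.com"}
C2_PATTERN = re.compile(r"smshero", re.IGNORECASE)  # rotating "smshero"-themed C2 names
DOH_RESOLVER = "dns.google"                          # Google's DNS-over-HTTPS endpoint


def normalize_path(path):
    """Lower-case and use backslashes so both slash styles compare equal."""
    return path.replace("/", "\\").lower()


def under_drop_dir(path):
    return normalize_path(path).startswith(DROP_DIR + "\\")


def classify_event(event):
    """Return the indicator labels that one event dict matches (may be empty)."""
    hits = []
    kind = event.get("event")
    if kind == "file_create":
        directory, _, name = normalize_path(event.get("path", "")).rpartition("\\")
        if directory == DROP_DIR and name in DROPPED_FILES:
            hits.append("dropped_file")
    elif kind == "service_install":
        if under_drop_dir(event.get("image", "")):
            hits.append("service_from_drop_dir")
            # Most services run as SYSTEM, so only flag it together with the drop path.
            if event.get("account", "").lower() in {"localsystem", "nt authority\\system"}:
                hits.append("system_service_from_drop_dir")
    elif kind == "firewall_rule_add":
        if under_drop_dir(event.get("program", "")) and event.get("action", "").lower() == "allow":
            hits.append("firewall_allow_for_payload")
    elif kind == "dns_query":
        q = event.get("query", "").lower().rstrip(".")
        if q in SUSPICIOUS_DOMAINS or any(q.endswith("." + d) for d in SUSPICIOUS_DOMAINS):
            hits.append("known_bad_domain")
        if C2_PATTERN.search(q):
            hits.append("smshero_c2_pattern")
    elif kind == "network_connect":
        if under_drop_dir(event.get("image", "")):
            hits.append("payload_network_connect")
            if event.get("dest_host", "").lower() == DOH_RESOLVER:
                hits.append("doh_from_payload")
    return hits


def hunt(lines):
    """Parse JSON event lines; return {indicator_label: [1-based line numbers]}."""
    findings = {}
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the hunt
        for label in classify_event(event):
            findings.setdefault(label, []).append(lineno)
    return findings


# Constructed sample telemetry: two benign lines, then events matching the indicators.
# The service name and the smshero-example.com domain are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    r'{"event":"file_create","path":"C:\\Program Files\\7-Zip\\7z.exe"}',
    r'{"event":"dns_query","query":"7-zip.org"}',
    r'{"event":"file_create","path":"C:\\Windows\\SysWOW64\\hero\\Uphero.exe"}',
    r'{"event":"file_create","path":"C:\\Windows\\SysWOW64\\hero\\hero.exe"}',
    r'{"event":"file_create","path":"C:\\Windows\\SysWOW64\\hero\\hero.dll"}',
    r'{"event":"service_install","name":"PLACEHOLDER_SVC","image":"C:\\Windows\\SysWOW64\\hero\\hero.exe","account":"LocalSystem"}',
    r'{"event":"firewall_rule_add","program":"C:\\Windows\\SysWOW64\\hero\\hero.exe","direction":"in","action":"allow"}',
    r'{"event":"dns_query","query":"iplogger.org"}',
    r'{"event":"dns_query","query":"cfg.smshero-example.com"}',
    r'{"event":"network_connect","image":"C:\\Windows\\SysWOW64\\hero\\hero.exe","dest_host":"dns.google","dest_port":443}',
]

if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_EVENTS), indent=2))
```

The file and service checks are the high-confidence signals; a DoH connection or a single firewall change is noisy on its own, which is why the script only reports those when the originating image sits under the drop directory.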

Malwarebytes says the campaign impersonates not only 7-Zip, but HolaVPN, TikTok, WhatsApp, and Wire VPN. The malware also includes anti-analysis checks to detect virtual machines and debuggers.

Users are advised to avoid downloading software via links in videos or sponsored search results and to bookmark official download pages for commonly used tools to reduce the risk of infection.
