Malicious 7-Zip site distributes installer laced with proxy tool

Cybercriminals Hijack 7-Zip Downloads, Turning PCs into Proxy Nodes for Illicit Activities

In a chilling new wave of cyberattacks, security researchers have uncovered a sophisticated campaign where hackers are distributing trojanized versions of the popular file archiving tool 7-Zip. These malicious installers, disguised as legitimate downloads, are secretly transforming unsuspecting users’ computers into residential proxy nodes—effectively weaponizing home PCs for nefarious purposes.

The alarming discovery came to light after a vigilant user reported downloading what appeared to be a genuine 7-Zip installer from a website called 7zip[dot]com. This domain, which remains active at the time of writing, is a near-perfect replica of the official 7-Zip site (7-zip[dot]org), complete with copied text and mimicked design elements. The level of deception is so convincing that even tech-savvy users could be fooled.

The Anatomy of the Attack

Upon installation, the malicious 7-Zip package doesn’t just extract files—it unleashes a trio of dangerous components hidden within the Windows system directory:

  • Uphero.exe – A service manager and update loader that ensures the malware persists across reboots
  • hero.exe – The main proxy payload that hijacks network traffic
  • hero.dll – A supporting library that facilitates the malware’s operations

These files are installed in C:\Windows\SysWOW64\hero\ and configured to run as a SYSTEM-level Windows service, granting them deep access to the operating system. The malware then modifies firewall rules using the netsh command to allow unrestricted inbound and outbound connections.

Beyond Simple File Archiving

What makes this attack particularly insidious is that the trojanized installer still functions as a legitimate 7-Zip tool. Users can compress and extract files as usual, completely unaware that their system has been compromised. Meanwhile, the malware is busy profiling the infected machine using Windows Management Instrumentation (WMI) and Windows APIs to gather detailed hardware, memory, CPU, disk, and network information.

This data is exfiltrated to iplogger[dot]org, a domain associated with the attacker’s infrastructure. But the real purpose of this infection goes far beyond data theft.

Residential Proxy Networks: The Hidden Danger

The primary function of this malware is to enroll infected devices into a residential proxy network. These networks route internet traffic through ordinary home computers, making it appear as though the activity originates from legitimate residential IP addresses rather than data centers or known malicious sources.

This technique is particularly valuable for cybercriminals because it helps them evade detection and bypass security measures. Residential proxies are commonly used for:

  • Credential stuffing attacks – Automated login attempts using stolen username/password combinations
  • Phishing campaigns – Distributing fraudulent emails and websites
  • Malware distribution – Spreading additional malicious software
  • Ad fraud – Generating fake ad impressions and clicks
  • Account takeovers – Gaining unauthorized access to online services

A Larger Campaign Targeting Multiple Applications

Security researchers at Malwarebytes, who conducted an in-depth analysis of the threat, discovered that this campaign extends well beyond 7-Zip. The attackers are also distributing trojanized installers for popular applications including HolaVPN, TikTok, WhatsApp, and Wire VPN.

The malware employs a sophisticated command-and-control (C2) infrastructure built around rotating “hero” and “smshero” themed domains. Traffic is routed through Cloudflare’s network using TLS-encrypted HTTPS connections, making detection more challenging. Additionally, the malware uses DNS-over-HTTPS via Google’s resolver, further obscuring its network communications from traditional monitoring tools.

Anti-Analysis Techniques

To evade detection and analysis, the malware incorporates several defensive mechanisms:

  • Virtualization detection – Checks for VMware, VirtualBox, QEMU, and Parallels environments
  • Debugger detection – Identifies when it’s being analyzed in a sandbox or debugger
  • Obfuscated communication – Uses XOR-based encryption for control messages
  • Non-standard ports – Operates on unusual ports like 1000 and 1002
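The host artifacts described above (the SysWOW64\hero\ install directory, the SYSTEM service, the netsh firewall change and the unusual ports 1000/1002) can be turned into a simple hunting check. The script below is an added example, not code from the article or from Malwarebytes; it runs over JSON-per-line exports of Windows System log event 7045 and Sysmon events 1 and 3, with constructed sample events (the service name "hero", the rule name and the 203.0.113.x addresses are placeholders).

```python
import json
import re

# Indicators stated in the article: install directory, the executables that
# run from it, netsh firewall changes, and the non-standard ports 1000/1002.
HERO_DIR = "c:\\windows\\syswow64\\hero\\"
HERO_EXES = {"uphero.exe", "hero.exe"}
SUSPECT_PORTS = {1000, 1002}
NETSH_ADD_RULE = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule", re.I)


def classify(event):
    """Return a finding label for one event dict, or None if nothing matched."""
    eid = event.get("EventID")
    if eid == 7045:  # System log: a new service was installed
        path = event.get("ImagePath", "").lower()
        if HERO_DIR in path and event.get("AccountName", "").lower() == "localsystem":
            return "service-install:hero"
    elif eid == 1:  # Sysmon: process creation
        cmd = event.get("CommandLine", "")
        if NETSH_ADD_RULE.search(cmd) and HERO_DIR in cmd.lower():
            return "firewall-rule:netsh"
    elif eid == 3:  # Sysmon: network connection
        exe = event.get("Image", "").lower().rsplit("\\", 1)[-1]
        if exe in HERO_EXES and event.get("DestinationPort") in SUSPECT_PORTS:
            return "c2-port:%d" % event["DestinationPort"]
    return None


def hunt(lines):
    """Run classify() over JSON-per-line event exports; return findings in order."""
    findings = []
    for line in lines:
        if line.strip():
            label = classify(json.loads(line))
            if label:
                findings.append(label)
    return findings


# Constructed sample events (not real telemetry); 203.0.113.x are documentation addresses.
SAMPLE = r'''
{"EventID": 7045, "ServiceName": "hero", "ImagePath": "C:\\Windows\\SysWOW64\\hero\\Uphero.exe", "AccountName": "LocalSystem"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\netsh.exe", "CommandLine": "netsh advfirewall firewall add rule name=hero dir=in action=allow program=C:\\Windows\\SysWOW64\\hero\\hero.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\netsh.exe", "CommandLine": "netsh interface show interface"}
{"EventID": 3, "Image": "C:\\Windows\\SysWOW64\\hero\\hero.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 1002}
{"EventID": 3, "Image": "C:\\Program Files\\7-Zip\\7zFM.exe", "DestinationIp": "203.0.113.20", "DestinationPort": 443}
'''

if __name__ == "__main__":
    for finding in hunt(SAMPLE.splitlines()):
        print(finding)
```

The benign netsh query and the legitimate 7-Zip HTTPS connection in the sample produce no finding; only the three infection artifacts are reported.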

The Research Community Responds

The discovery of this campaign was made possible through collaborative efforts within the cybersecurity community. Independent security researcher Luke Acha first uncovered the true purpose of the Uphero/hero malware. Researcher s1dhy reverse-engineered the XOR-based communication protocol, while digital forensics expert Andrew Danis connected the fake 7-Zip installer to the broader campaign impersonating multiple software brands.

Protection and Prevention

Security experts strongly advise users to take the following precautions:

  1. Bookmark official download sites rather than following links from search results or YouTube videos
  2. Verify digital signatures on downloaded software
  3. Use reputable antivirus software with real-time protection
  4. Keep systems updated with the latest security patches
  5. Be cautious of unusually high download counts or promoted search results

The Malwarebytes team has published detailed indicators of compromise, including domain names, file paths, and IP addresses, to help organizations detect and mitigate this threat.

As cybercriminals continue to refine their tactics, this campaign serves as a stark reminder that even trusted software can become a vehicle for sophisticated attacks. Users must remain vigilant and adopt a security-first mindset when downloading and installing applications, especially from the internet.


Tags: #Cybersecurity #Malware #7Zip #Proxyware #CyberAttack #ThreatIntelligence #Malwarebytes #ResidentialProxies #CyberCrime #DigitalSecurity
