
A lookalike 7-Zip website is distributing trojanized installers that covertly enroll victims’ machines into a residential proxy network.
The campaign was recently exposed after a Reddit user unknowingly installed malware while following a YouTube tutorial that misidentified the legitimate 7-Zip domain. The user, believing 7zip[.]com to be the correct source (instead of the legitimate 7-zip.org), downloaded a compromised installer and propagated it via USB to another system. Weeks later, Microsoft Defender flagged the machine with a generic trojan detection, revealing the presence of hidden malware.
Malwarebytes has confirmed that 7zip[.]com serves a trojanized version of the 7-Zip File Manager, bundled with additional malicious components. The installer is Authenticode-signed with a certificate formerly issued to Jozeal Network Technology Co., Limited, lending an air of legitimacy. While the 7-Zip utility functions as expected, the malware silently installs three additional files (Uphero.exe, hero.exe, and hero.dll) into C:\Windows\SysWOW64\hero.
These binaries transform the host into a residential proxy node, allowing attackers to sell access to the victim’s IP address for purposes such as fraud, ad abuse, web scraping, or traffic anonymization. Persistence is achieved through registered Windows services, while the malware manipulates firewall rules to maintain uninterrupted communication with its command-and-control infrastructure. The primary payload, hero.exe, communicates with rotating domains such as hero-sms[.]co and smshero[.]vip, utilizing a custom XOR-encrypted protocol over non-standard ports (1000, 1002).
The compromised systems are profiled in depth, with the malware collecting hardware identifiers, memory specifications, disk data, and network details. These are reported to endpoints such as iplogger[.]org, enabling operators to gauge the quality of their proxy nodes. Notably, the updater component, Uphero.exe, is fetched from update.7zip[.]com, allowing remote updates outside the installer lifecycle.
This malicious operation is not limited to 7-Zip impersonation. Malwarebytes found related binaries masquerading as installers for TikTok, WhatsApp, Wire, and Hola VPN, all following the same infection model: deployment to SysWOW64, Windows service persistence, netsh-based firewall rule creation, encrypted HTTPS traffic, and indicators pointing to shared backend infrastructure.
The broader infrastructure, dubbed upStage Proxy by researcher Luke Acha, is designed to be evasive. It leverages DNS-over-HTTPS, Cloudflare fronting, and multiple sandbox evasion mechanisms, including VM detection, API resolution via the PEB, anti-debugging checks, and cryptographic obfuscation using AES, RC4, Camellia, and Chaskey.
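Because the article names the drop directory, the file names, the C2 ports and the domains, a defender can turn them into a quick host triage. The script below is an added example, not code from the article, Malwarebytes or the researcher; since the article does not give the service or firewall rule names, it matches persistence by binary path rather than by name (an assumption), and the domain list is only checked against the local DNS cache, which may be empty because the malware uses DNS-over-HTTPS.

```powershell
# Added triage script (not from the article): look for the upStage Proxy
# indicators described above on a Windows host. Run from an elevated prompt.
$DropDir  = 'C:\Windows\SysWOW64\hero'
$Binaries = @('Uphero.exe', 'hero.exe', 'hero.dll')
$C2Ports  = @(1000, 1002)                                   # non-standard ports from the article
$C2Hosts  = @('hero-sms.co', 'smshero.vip', 'update.7zip.com', 'iplogger.org')
$findings = @()

# 1. Dropped binaries in the SysWOW64\hero directory
if (Test-Path $DropDir) {
    foreach ($f in Get-ChildItem -Path $DropDir -File) {
        if ($Binaries -contains $f.Name) {
            $findings += "File: $($f.FullName) (modified $($f.LastWriteTime))"
        }
    }
}

# 2. Services whose image path points into the drop directory (persistence).
#    Service names are not given in the article, so match on PathName (assumption).
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like "*$DropDir*" } |
    ForEach-Object { $findings += "Service: $($_.Name) -> $($_.PathName) [$($_.State)]" }

# 3. Firewall rules whose application filter allows one of the dropped binaries
Get-NetFirewallApplicationFilter |
    Where-Object { $_.Program -like "*$DropDir*" } |
    ForEach-Object {
        $rule = $_ | Get-NetFirewallRule
        $findings += "Firewall rule: '$($rule.DisplayName)' $($rule.Direction)/$($rule.Action) for $($_.Program)"
    }

# 4. Established TCP connections to the non-standard C2 ports, with owning process
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $C2Ports -contains $_.RemotePort } |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $findings += "Connection: $proc -> $($_.RemoteAddress):$($_.RemotePort)"
    }

# 5. Cached DNS answers for the reported domains (often empty: the malware uses DoH)
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $C2Hosts -contains $_.Entry } |
    ForEach-Object { $findings += "DNS cache: $($_.Entry) -> $($_.Data)" }

if ($findings.Count -eq 0) { 'No upStage Proxy indicators found on this host.' }
else { "Indicators found ($($findings.Count)):"; $findings | ForEach-Object { "  $_" } }
```

A hit on the service or firewall checks is the strongest signal, since both survive a reboot; a match on the DNS cache or port list alone should be confirmed against proxy or firewall logs before treating the host as compromised.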
Users should always verify software sources, avoid clicking on promoted results on Google Search, and bookmark the official project URLs for downloading clean installers. Malwarebytes claims it can detect and remove this malware, but for systems in mission-critical environments, a fresh OS reinstall is recommended.