A sophisticated cyber campaign is weaponizing downloads of the popular 7-Zip file archiving software, turning unsuspecting home computers into nodes within a vast residential proxy network. This deceptive operation leverages a convincing counterfeit domain, 7zip[.]com, to trick users into installing a trojanized version of the software that silently compromises their systems.
The threat gained public attention after a Reddit user shared their experience, highlighting how a link within a YouTube tutorial led them to download the malicious 7-Zip installer. After installation on both a laptop and a newly built desktop, the user reported compatibility issues. Nearly two weeks later, Microsoft Defender detected a generic trojan, revealing the hidden compromise and the extent of the malware’s stealth.
Malwarebytes analysts have identified that the fake installer, while providing a fully functional 7-Zip File Manager, secretly installs three malicious components: Uphero.exe, hero.exe, and hero.dll. These files are placed in the Windows\SysWOW64\hero directory, a location unlikely to be scrutinized by average users. The compromised installer was initially signed with an Authenticode certificate issued to Jozeal Network Technology Co., Limited, which has since been revoked. This digital signature had provided a veneer of legitimacy, allowing the malware to bypass initial security checks.
Infection Mechanism and Residential Proxy Infrastructure
The primary objective of this malware is to transform infected computers into residential proxy nodes. The hero.exe component actively communicates with command-and-control servers using domains themed around “smshero” and “herosms.” These servers are often masked by Cloudflare infrastructure and utilize encrypted HTTPS channels, considerably complicating detection efforts.
Security researchers have analyzed the traffic generated by the malware, noting its use of a lightweight XOR-encoded protocol with the key 0x70 for obscuring control messages. The malware establishes outbound proxy connections on non-standard ports, such as 1000 and 1002. This functionality allows third parties to route internet traffic through the victim’s unique IP address, forming a residential proxy network. Such networks are frequently exploited for illicit activities, including fraud, extensive web scraping, ad fraud, and the laundering of online activities to mask their origins.
Furthermore, the malware employs DNS-over-HTTPS to route DNS queries through Google’s resolver. This technique further reduces the visibility of network traffic for traditional monitoring tools, making it more challenging to identify malicious activity. The malware also takes steps to ensure persistence, registering Uphero.exe and hero.exe as Windows services that automatically launch with system-level privileges upon every boot. It also manipulates firewall rules using netsh commands, disabling existing protections and creating exceptions to guarantee uninterrupted network communication for its malicious purposes.
The malware also conducts thorough host profiling, gathering critical system information such as hardware identifiers, memory specifications, CPU details, disk attributes, and network configurations. This gathered intelligence is then transmitted to external servers like iplogger[.]org, potentially for further malicious exploitation or reconnaissance.
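The network behaviours described above (C2 domains themed on "smshero"/"herosms", proxy connections on ports 1000 and 1002, DNS-over-HTTPS to Google's resolver, profiling data sent to iplogger[.]org, and the single-byte XOR 0x70 control encoding) can be turned into a simple triage filter for egress logs. The script below is an added example written for this article; it is not code from Malwarebytes or from the malware analysis. The log format, the hostnames in the sample lines (reserved `.example` and TEST-NET addresses) and the use of `dns.google` as the DoH endpoint are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Indicators taken from the article. Everything in SAMPLE_LOG is CONSTRUCTED.
C2_DOMAIN_MARKERS = ("smshero", "herosms")   # C2 domain themes named in the article
PROXY_PORTS = {1000, 1002}                   # non-standard outbound proxy ports
DOH_RESOLVER_HOSTS = {"dns.google"}          # assumption: Google's public DoH endpoint
EXFIL_HOSTS = {"iplogger.org"}               # host profiling destination
XOR_KEY = 0x70                               # single-byte key used for control messages

# Assumed (constructed) egress log format: "<timestamp> <src_ip> -> <dst_host>:<dst_port> <proto>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<proto>\S+)$"
)

SAMPLE_LOG = """\
2024-01-01T10:00:01Z 192.168.1.20 -> update.microsoft.com:443 tcp
2024-01-01T10:00:05Z 192.168.1.20 -> api.smshero.example:443 tcp
2024-01-01T10:00:09Z 192.168.1.20 -> 203.0.113.10:1002 tcp
2024-01-01T10:00:12Z 192.168.1.20 -> dns.google:443 tcp
2024-01-01T10:00:15Z 192.168.1.20 -> iplogger.org:443 tcp
2024-01-01T10:00:20Z 192.168.1.21 -> example.org:80 tcp
"""


@dataclass
class Finding:
    line: str
    reason: str


def classify(line: str) -> list[str]:
    """Return the indicator names matched by one log line (empty list if nothing matched)."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return []
    dst, port = m["dst"].lower(), int(m["port"])
    reasons = []
    if any(marker in dst for marker in C2_DOMAIN_MARKERS):
        reasons.append("c2-domain-theme")
    if port in PROXY_PORTS:
        reasons.append("proxy-port")
    # DoH by itself is legitimate (browsers use it); it is a context signal, not proof.
    if dst in DOH_RESOLVER_HOSTS:
        reasons.append("doh-resolver")
    if dst in EXFIL_HOSTS:
        reasons.append("exfil-host")
    return reasons


def scan_log(text: str) -> list[Finding]:
    """Run classify() over every line and collect one Finding per matched indicator."""
    return [Finding(line, reason)
            for line in text.splitlines()
            for reason in classify(line)]


def xor_decode(payload: bytes, key: int = XOR_KEY) -> bytes:
    """Undo the single-byte XOR encoding; XOR with the same key is its own inverse,
    so this also serves to encode a known plaintext when building test captures."""
    return bytes(b ^ key for b in payload)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.reason}] {f.line}")
    # Round-trip a constructed message to show the decoder is symmetric.
    print(xor_decode(xor_decode(b"constructed-control-message")))
```

Any single hit is a reason to look closer rather than a verdict: the proxy-port rule will also fire on legitimate services that happen to use those ports, so correlate hits from the same source host over a short window before escalating.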
Users who suspect they may have downloaded installers from the fraudulent 7zip[.]com domain should consider their systems compromised. Security solutions like Malwarebytes are capable of detecting and removing known variants of this threat. However, for absolute certainty, especially in high-risk environments, a complete reinstallation of the operating system may be the most secure course of action.
To mitigate the risk of similar attacks in the future, users are strongly advised to verify their software sources by bookmarking official project domains and being wary of unexpected code-signing identities. Vigilance in monitoring systems for unauthorized Windows services or firewall modifications is also crucial. For network administrators, blocking known command-and-control domains and proxy endpoints at the network perimeter is a proactive measure that prevents communication with malicious infrastructure, including the infrastructure behind these weaponized 7-Zip downloads.
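The host-side checks recommended above (unexpected services, the Windows\SysWOW64\hero directory, and firewall tampering) can be scripted against exported inventory data. The following is an added example written for this article, not code from Malwarebytes or from the campaign analysis. It assumes three CSV exports with the column layouts shown: one shaped like `Get-CimInstance Win32_Service`, one like `Get-NetFirewallProfile`, and one like `Get-NetFirewallRule`; the sample rows, including the `hero-allow` rule name, are constructed for the example and are not indicators from the page.

```python
import csv
import io
import re

# Artifacts named in the article: the component file names and the install directory.
SUSPECT_BASENAMES = {"uphero.exe", "hero.exe", "hero.dll"}
SUSPECT_DIR_FRAGMENT = "\\syswow64\\hero\\"
SUSPECT_NAME_PATTERN = re.compile(r"\bu?hero\b")   # matches "hero" and "uphero" as whole words

# CONSTRUCTED sample exports (assumed column layouts).
SERVICES_CSV = r"""Name,PathName,StartMode,State
wuauserv,C:\WINDOWS\system32\svchost.exe -k netsvcs -p,Manual,Running
Uphero,C:\Windows\SysWOW64\hero\Uphero.exe,Auto,Running
hero,C:\Windows\SysWOW64\hero\hero.exe,Auto,Running
"""

PROFILES_CSV = """Name,Enabled
Domain,True
Private,False
Public,False
"""

RULES_CSV = """Name,DisplayName,Enabled,Direction,Action
CoreNet-DHCP-Out,Core Networking - DHCP (DHCP-Out),True,Outbound,Allow
hero-allow,hero,True,Outbound,Allow
"""


def _rows(csv_text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(csv_text)))


def _executable(path_name: str) -> str:
    """Extract the image path from a service PathName, which may carry arguments
    and may be wrapped in quotes when the path contains spaces."""
    p = path_name.strip()
    if p.startswith('"'):
        return p[1:].split('"', 1)[0]
    return p.split(" ", 1)[0]


def suspicious_services(csv_text: str) -> list[dict]:
    """Services whose binary lives under SysWOW64\\hero or is one of the named files.
    StartMode 'Auto' corresponds to the launch-on-boot persistence the article describes."""
    hits = []
    for row in _rows(csv_text):
        exe = _executable(row["PathName"]).lower()
        basename = exe.rsplit("\\", 1)[-1]
        if SUSPECT_DIR_FRAGMENT in exe or basename in SUSPECT_BASENAMES:
            hits.append({"name": row["Name"], "path": row["PathName"],
                         "autostart": row["StartMode"].lower() == "auto"})
    return hits


def disabled_profiles(csv_text: str) -> list[str]:
    """Firewall profiles that are switched off; the article notes the malware
    disables existing protections with netsh."""
    return [r["Name"] for r in _rows(csv_text) if r["Enabled"].lower() != "true"]


def suspicious_rules(csv_text: str) -> list[str]:
    """Enabled allow rules whose name or display name references the malware's components,
    i.e. the firewall exceptions the article says the malware creates."""
    hits = []
    for r in _rows(csv_text):
        label = f"{r['Name']} {r['DisplayName']}".lower()
        if (r["Enabled"].lower() == "true" and r["Action"].lower() == "allow"
                and SUSPECT_NAME_PATTERN.search(label)):
            hits.append(r["Name"])
    return hits


if __name__ == "__main__":
    print("services:", suspicious_services(SERVICES_CSV))
    print("disabled firewall profiles:", disabled_profiles(PROFILES_CSV))
    print("suspicious firewall rules:", suspicious_rules(RULES_CSV))
```

On a live Windows host the three exports would come from the cmdlets named in the lead-in; the rule-name check is deliberately narrow, so a rule created under an unrelated name would only be caught by reviewing recently created rules against a known-good baseline.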