Fake 7-Zip Installer Turns PCs into Residential Proxy Nodes

A new malware campaign is exploiting the popularity of the 7-Zip file archiving tool to compromise unsuspecting users’ computers. Attackers have created a fake 7-Zip website distributing a trojanized installer that not only functions like the legitimate tool but also turns the infected machine into a residential proxy node. Residential proxies allow cybercriminals to route traffic through compromised home devices, enabling them to evade blocks, launch credential stuffing attacks, deliver malware, or conduct phishing campaigns—all while masking their true origin.

The campaign came to light when a user following a YouTube PC-building tutorial downloaded the malicious installer from a website mimicking the legitimate 7-Zip project. The fake site, 7zip[.]com, remains active and closely resembles the official 7-Zip site at 7-zip.org, copying text and structure to deceive visitors. Cybersecurity researchers at Malwarebytes analyzed the installer and found that it is digitally signed with a revoked certificate previously issued to Jozeal Network Technology Co., Limited, giving it an air of legitimacy.

The malware operates stealthily. While the installer provides the standard 7-Zip functionality, it also drops three malicious files (Uphero.exe, hero.exe, and hero.dll) into the C:\Windows\SysWOW64\hero\ directory. These files create an auto-start Windows service running as SYSTEM and modify firewall rules to allow unrestricted inbound and outbound connections. The malware also collects system data, including hardware, memory, CPU, disk, and network characteristics, and transmits it to iplogger[.]org.
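The host artifacts described above (the drop directory, the three file names, a SYSTEM service and permissive firewall rules) translate directly into a triage check. The following PowerShell script is an added example, not code from the article or from Malwarebytes: it reports any of the three files that exist, any service whose binary path points into the drop directory, and any firewall rule whose application filter references a program there. The directory and file names come from the article; the service name and rule names are not reported, so the script matches on the binary path rather than on names, and the property names used are those of the standard Win32_Service and NetSecurity cmdlets.

```powershell
# Added hunt script (not from the article or Malwarebytes). Run from an elevated prompt.
# Assumption: the drop directory and file names are the ones reported for this campaign;
# the service name is unknown, so services and firewall rules are matched by binary path.

$HeroDir   = 'C:\Windows\SysWOW64\hero'
$HeroFiles = @('Uphero.exe', 'hero.exe', 'hero.dll')

function Get-HeroFileFindings {
    # Each dropped file that is present, with its SHA-256 and Authenticode status.
    foreach ($name in $HeroFiles) {
        $path = Join-Path $HeroDir $name
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Path      = $path
                SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                SigStatus = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
            }
        }
    }
}

function Get-HeroServiceFindings {
    # Services whose binary lives in the drop directory; StartMode/StartName show
    # whether it is auto-start and running as LocalSystem, as the article describes.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -like "*$HeroDir*" } |
        Select-Object Name, State, StartMode, StartName, PathName
}

function Get-HeroFirewallFindings {
    # Firewall rules whose program filter points at a binary in the drop directory.
    Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -like "*$HeroDir*" } |
        Get-NetFirewallRule |
        Select-Object DisplayName, Direction, Action, Enabled, Profile
}

$files = @(Get-HeroFileFindings)
$svcs  = @(Get-HeroServiceFindings)
$fw    = @(Get-HeroFirewallFindings)

if ($files.Count -eq 0 -and $svcs.Count -eq 0 -and $fw.Count -eq 0) {
    Write-Output "No hero.* artifacts found on $env:COMPUTERNAME."
} else {
    Write-Warning "Possible trojanized 7-Zip (proxyware) artifacts on $env:COMPUTERNAME"
    $files | Format-Table -AutoSize
    $svcs  | Format-Table -AutoSize
    $fw    | Format-Table -AutoSize
}
```

The signature status is reported rather than interpreted: a file signed with a since-revoked certificate can still show a signer subject, which is exactly why the presence of the files and the service should drive the verdict, not the signature alone.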

Analysis by Malwarebytes revealed that the primary function of the malware is proxyware. Infected machines become residential proxy nodes, allowing attackers to route traffic through victims’ IP addresses. The hero.exe component retrieves configuration from rotating “smshero”-themed command-and-control (C2) domains and opens proxy connections over non-standard ports. All communication is obfuscated using a lightweight XOR key and often transmitted over TLS-encrypted HTTPS through Cloudflare infrastructure, combined with DNS-over-HTTPS via Google to avoid detection.

The campaign extends beyond 7-Zip. Researchers found trojanized installers impersonating HolaVPN, TikTok, WhatsApp, and Wire VPN, all using a similar infrastructure. The malware also detects virtualization environments and debugging tools to evade analysis. Independent security researchers, including Luke Acha, s1dhy, and Andrew Danis, collaborated to reverse-engineer the malware and uncover its proxy functionality. Malwarebytes has published comprehensive indicators of compromise, including file paths, domains, and IP addresses, urging users to avoid downloading software from unverified links and instead rely on official sources.

What Undercode Says:

This campaign is a textbook example of how social engineering and supply chain manipulation continue to evolve in cybercrime. By exploiting trusted brands like 7-Zip, HolaVPN, and TikTok, attackers bypass traditional suspicion filters that users might have for unknown software. The combination of digital signing, cloned websites, and legitimate functionality ensures that many victims won’t notice the infection immediately.

From a technical standpoint, the malware demonstrates sophisticated operational security (OpSec). Using XOR-based obfuscation, TLS encryption, DNS-over-HTTPS, and Cloudflare-based C2 channels, the attackers minimize detection while maintaining control over infected nodes. Residential proxy networks are particularly dangerous because they give cybercriminals access to a wide, dispersed IP footprint, making takedown efforts complex and attribution difficult.

The campaign’s modular structure—dropping multiple files, creating persistent services, and profiling host hardware—signals that it could be easily expanded to additional software brands. Infected devices could be leveraged for botnet activities, ad fraud, or large-scale scraping operations, all under the guise of normal user traffic.

User education remains critical. Many infections start with seemingly harmless sources, such as YouTube tutorials or search engine results. Encouraging users to bookmark official software sites and avoid third-party downloads is the simplest, yet most effective, preventative measure. Organizations could also deploy endpoint detection solutions capable of spotting unusual outbound traffic patterns typical of residential proxy behavior.
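One way to make the "unusual outbound traffic patterns" suggestion concrete on a single Windows host: a process that is relaying traffic as a residential proxy exit tends to hold connections to many distinct remote addresses, often on non-standard ports, whereas a browser talks to a handful of hosts mostly on 443. The function below is an added example, not code from the article or from any vendor; it groups established TCP connections by owning process and flags processes that exceed a distinct-peer count and a non-standard-port ratio. The thresholds and the common-port list are assumptions to tune locally, and the sample data is constructed to show one proxy-like process beside one browser-like process.

```powershell
# Added example (not from the article). Heuristic only: flags processes whose outbound
# connection pattern resembles a proxy node. Thresholds and $CommonPorts are assumptions.

$CommonPorts = @(53, 80, 443, 445, 3389, 5985)

function Find-ProxyLikeProcesses {
    param(
        # Objects with OwningProcess, RemoteAddress, RemotePort (the shape of Get-NetTCPConnection)
        [Parameter(Mandatory)] [object[]] $Connections,
        [int]    $MinDistinctPeers    = 10,
        [double] $MinNonStandardRatio = 0.5
    )
    $Connections |
        Where-Object { $_.RemoteAddress -notin @('0.0.0.0', '127.0.0.1', '::', '::1') } |
        Group-Object OwningProcess |
        ForEach-Object {
            $peers = @($_.Group | Select-Object -ExpandProperty RemoteAddress -Unique)
            $odd   = @($_.Group | Where-Object { $_.RemotePort -notin $CommonPorts })
            $ratio = if ($_.Count -gt 0) { $odd.Count / $_.Count } else { 0 }
            if ($peers.Count -ge $MinDistinctPeers -and $ratio -ge $MinNonStandardRatio) {
                $procId   = [int]$_.Name
                $proc     = Get-Process -Id $procId -ErrorAction SilentlyContinue
                $procPath = if ($proc) { $proc.Path } else { '<not running>' }
                [pscustomobject]@{
                    PID                  = $procId
                    Process              = $procPath
                    DistinctPeers        = $peers.Count
                    NonStandardPortRatio = [math]::Round($ratio, 2)
                }
            }
        }
}

# Constructed sample: PID 4242 holds 12 connections to 12 peers on high ports (proxy-like),
# PID 1000 holds 3 connections on 443 (browser-like). Only 4242 should be reported.
$sample = @(
    1..12 | ForEach-Object { [pscustomobject]@{ OwningProcess = 4242; RemoteAddress = "198.51.100.$_"; RemotePort = 20000 + $_ } }
    1..3  | ForEach-Object { [pscustomobject]@{ OwningProcess = 1000; RemoteAddress = "203.0.113.$_";  RemotePort = 443 } }
)
Find-ProxyLikeProcesses -Connections $sample | Format-Table -AutoSize

# Live use on the host being triaged:
# Find-ProxyLikeProcesses -Connections (Get-NetTCPConnection -State Established)
```

On a real host the flagged process path is the lead to follow up with the file and service checks; legitimate peer-to-peer software (update clients, conferencing tools) will also trip this heuristic, so treat it as a prompt for investigation rather than a verdict.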

Looking forward, this trend signals an increasing convergence between consumer-focused malware and sophisticated proxy operations. Threat actors are likely to continue leveraging trusted brands to distribute malware, making digital literacy and verified sources essential defense tools. Additionally, with the rise of AI-assisted cybercrime, future campaigns may automate both delivery and evasion, further challenging traditional detection methods.

Fact Checker Results:

✅ Malwarebytes confirmed the 7-Zip fake installer contains Uphero.exe, hero.exe, and hero.dll.
✅ The campaign also targets HolaVPN, TikTok, WhatsApp, and Wire VPN with similar trojanized installers.
✅ Communication occurs over encrypted TLS channels, using Cloudflare infrastructure and DNS-over-HTTPS to evade detection.

Prediction:

⚠️ Expect similar campaigns to target other popular utilities and VPN software in 2026.
⚠️ Residential proxy networks will grow, making attribution of cybercrime more difficult.
⚠️ Organizations should monitor outbound traffic for unusual patterns and educate users to download software only from verified sources.

References:

Reported By: www.bleepingcomputer.com