Critical Alert: Fake 7-Zip Website Distributes Malware, Turns PCs Into Proxy Botnets
Popular Compression Software Targeted in Sophisticated Malware Campaign
A malicious website impersonating the popular 7-Zip file archiver has been distributing trojanized software that secretly converts infected computers into residential proxy nodes, cybersecurity researchers warn.
The fake site, 7zip.com, has been operating for an extended period, exploiting user trust and common typing errors to distribute functional software laced with hidden malware.
The Critical Domain Mix-Up: 7-zip.org vs 7zip.com
The legitimate 7-Zip website is 7-zip.org, not 7zip.com. This seemingly minor difference has led to widespread infections as users accidentally visit the fraudulent domain, often while following YouTube tutorials or online guides that incorrectly reference the fake website.
The fake site is nearly identical to the official website, copying its text, structure, and layout to appear completely legitimate. What makes this campaign particularly insidious is that the malicious installer actually includes a fully functional version of 7-Zip, meaning victims may never realize anything is wrong.
How the Attack Works
Time-Delayed Link Redirection
One of the most sophisticated aspects of this campaign involves the fake website’s download mechanism. When users initially visit 7zip.com, they see legitimate download links pointing to the official 7-zip.org installation package. However, after approximately 20-30 seconds, a hidden script automatically triggers, replacing these links with malicious files.
This delay serves a specific purpose: it misleads automated website scanning tools into believing the links remain legitimate, preventing security systems from flagging the site as malicious.
The Malicious Payload
The compromised installer drops three malicious files into the victim’s system:
- Uphero.exe
- hero.exe
- hero.dll
These files are placed in the C:\Windows\SysWOW64\hero\ directory, a Windows system folder that most users never examine. The malware was initially signed with a certificate issued to Jozeal Network Technology Co., Limited (now revoked), lending it an air of legitimacy.

What the Malware Does
Residential Proxy Network Enrollment
Rather than functioning as a traditional backdoor or data-stealing trojan, this malware’s primary purpose is to convert infected computers into nodes within a residential proxy network. Once installed:
- Persistence Mechanism: The malware registers itself as Windows services that automatically start with every system boot, running with SYSTEM-level privileges
- Firewall Manipulation: It modifies firewall rules using ‘netsh’ commands to allow inbound and outbound connections
- System Profiling: The malware collects detailed information about the infected system using Windows Management Instrumentation (WMI) and Windows APIs, including hardware specifications, memory, CPU, disk, and network characteristics
- Proxy Operations: The hero.exe component retrieves configuration data from rotating command-and-control servers with “smshero” and “hero” themed domains, then establishes outbound proxy connections on non-standard ports (1000, 1002)
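The two persistence actions just described leave standard Windows event-log records behind: a service installation is logged as event 7045 in the System log, and a `netsh` launch is logged as a process-creation event 4688 in the Security log (the command line is only present when command-line auditing is enabled). The following PowerShell function, an added example that is not part of the article or any vendor's tooling, looks back through both logs for the service names, directory and `netsh advfirewall` usage the article reports; the event IDs are standard Windows ones, the match strings come from the article, and the 30-day window is an assumption.

```powershell
# Added example (not from the article): search the event logs for the
# persistence actions described above. Run in an elevated PowerShell session.

function Find-HeroPersistenceEvents {
    param([int] $Days = 30)   # look-back window (assumed)
    $since = (Get-Date).AddDays(-$Days)

    # New services (System 7045): flag the reported names, or any service whose
    # binary lives under the reported directory, whatever the service is called.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $svc  = if ($_.Message -match 'Service Name:\s*(.+)')      { $Matches[1].Trim() }
            $path = if ($_.Message -match 'Service File Name:\s*(.+)') { $Matches[1].Trim() }
            if ($svc -in 'Uphero', 'hero' -or $path -like '*\SysWOW64\hero\*') {
                [pscustomobject]@{ Time = $_.TimeCreated; Type = 'ServiceInstalled'; Detail = "$svc -> $path" }
            }
        }

    # Firewall changes (Security 4688): netsh advfirewall ... add rule that
    # references the hero binaries. Needs "Include command line in process
    # creation events" enabled, otherwise the command line is not recorded.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'netsh' -and $_.Message -match 'advfirewall' } |
        ForEach-Object {
            $cmd = if ($_.Message -match 'Process Command Line:\s*(.+)') { $Matches[1].Trim() } else { '' }
            if ($cmd -match 'add\s+rule' -and $cmd -match 'hero') {
                [pscustomobject]@{ Time = $_.TimeCreated; Type = 'FirewallRuleAdded'; Detail = $cmd }
            }
        }
}

# Usage: print every hit in time order; an empty table means nothing matched
Find-HeroPersistenceEvents -Days 30 | Sort-Object Time | Format-Table -AutoSize
```

Because the service check also matches on the image path rather than only on the names Uphero and hero, it still fires if a later variant renames the service but keeps the drop directory. The Security log query is the one most likely to come back empty on a default install: without command-line auditing, 4688 records the process name but not its arguments, so the `advfirewall` filter never matches.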
The Business Model
Cybercriminals monetize this infrastructure by selling access to real consumer IP addresses. These residential proxies are valuable for various malicious activities including:
- Web scraping
- Credential stuffing and fraud
- Ad fraud and click abuse
- Bypassing geographic restrictions
- Anonymity laundering for criminal activities
- Hiding the true origin of malicious traffic
When your computer is enrolled in this proxy network, other people can route their internet traffic through your IP address. This means their activities appear to originate from your location, potentially linking their illegal actions back to you.
Advanced Evasion Techniques
The malware employs multiple sophisticated techniques to avoid detection:
- DNS-over-HTTPS: Uses Google’s encrypted resolver to reduce visibility for network monitoring tools
- Multiple Encryption Methods: Employs AES, RC4, Camellia, and Chaskey encryption, plus custom XOR encoding (key 0x70) to obscure communications
- Cloudflare Infrastructure: Routes command-and-control traffic through Cloudflare’s network using encrypted HTTPS channels
- Anti-Analysis Features: Includes VM detection, anti-debugging checks, and API resolution via PEB to identify analysis environments
- Rotating Infrastructure: Uses multiple control servers following “smshero” domain patterns that change regularly
Part of a Broader Campaign
Security researchers have discovered that the 7-Zip impersonation is part of a larger operation dubbed “upStage Proxy” by researcher Luke Acha. Related malicious binaries have been identified masquerading as installers for:
- HolaVPN
- TikTok
- Wire VPN
All variants share identical installation methods, persistence techniques, and network behavior, indicating coordination by the same threat actors.
How Victims Are Infected
YouTube Tutorials as Vectors
The campaign gained widespread attention after a Reddit user posted in r/pcmasterrace about their infection. While following a YouTube tutorial for building a new PC, they were directed to download 7-Zip from the fraudulent 7zip.com domain. The user installed the software on both a laptop and a newly built desktop via USB transfer.
Nearly two weeks later, Microsoft Defender raised a generic trojan alert (Trojan:Win32/Malgent!MSR), revealing a compromise that had gone unnoticed the whole time. This case highlights how trusted educational content can inadvertently become a malware distribution vector when creators incorrectly reference domains.
Search Engine Results
Users may also encounter the malicious site through:
- Promoted or sponsored search results
- Typos when entering the domain directly
- Outdated bookmarks or links from untrusted sources
Detection and Removal
Signs of Infection
If you’ve downloaded 7-Zip from 7zip.com, check for these indicators:
- File System: Look for the existence of a “hero” folder in C:\Windows\SysWOW64\
- Windows Services: Check for suspicious auto-start services named Uphero or hero
- Firewall Rules: Review Windows Defender Firewall rules for unexpected allow rules
- Network Activity: Monitor for unexpected outbound connections on ports 1000 and 1002
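The four indicator checks above can be run in one pass. The script below is an added example, not taken from the article or from any of the named vendors: it tests the live state of a host for the directory, file names, service names, firewall rules and ports the article reports, and returns every hit as a line of text. Paths, names and ports are the article's; the rule-matching logic and the output format are assumptions.

```powershell
# Added example (not from the article): one-pass host triage for the
# indicators listed above. Run in an elevated PowerShell session.

$HeroDir      = 'C:\Windows\SysWOW64\hero'
$DroppedFiles = @('Uphero.exe', 'hero.exe', 'hero.dll')
$ServiceNames = @('Uphero', 'hero')
$SuspectPorts = @(1000, 1002)

function Test-HeroIndicators {
    $findings = @()

    # 1. File system: the drop directory and the three named binaries
    if (Test-Path -LiteralPath $HeroDir) {
        $findings += "Directory present: $HeroDir"
        Get-ChildItem -LiteralPath $HeroDir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -in $DroppedFiles } |
            ForEach-Object { $findings += "Dropped file: $($_.FullName)" }
    }

    # 2. Services: the reported names, or any service started from the drop directory
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -in $ServiceNames -or $_.PathName -like '*\SysWOW64\hero\*' } |
        ForEach-Object {
            $findings += "Service $($_.Name) [$($_.StartMode), $($_.State)] -> $($_.PathName)"
        }

    # 3. Firewall: rules whose program filter points into the drop directory.
    #    The application filter is queried first and mapped back to its rule.
    Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Program -like '*\SysWOW64\hero\*' } |
        Get-NetFirewallRule |
        ForEach-Object {
            $findings += "Firewall rule '$($_.DisplayName)' ($($_.Direction)/$($_.Action)) enabled=$($_.Enabled)"
        }

    # 4. Network: live outbound connections to the reported non-standard ports
    Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in $SuspectPorts } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $findings += "Outbound $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) (PID $($_.OwningProcess) $($proc.ProcessName))"
        }

    return $findings
}

$results = @(Test-HeroIndicators)
if ($results.Count -eq 0) {
    Write-Host 'None of the indicators from the article were found on this host.'
} else {
    Write-Warning "Indicators found ($($results.Count)); treat the host as compromised:"
    $results | ForEach-Object { Write-Host " - $_" }
}
```

The firewall and service checks match on the drop directory as well as on the names, so a renamed service or rule is still caught as long as the binaries stay under `SysWOW64\hero`. The port check is a point-in-time snapshot: if the proxy component is idle when the script runs, steps 1 to 3 are the reliable signals, and the port check is only corroboration.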
Removal Steps
- Disconnect from the Internet: Immediately disconnect the affected system
- Security Scan: Run a full scan with updated security software (Malwarebytes can detect and remove known variants)
- Manual Inspection: Check the locations mentioned above and remove malicious files
- Review Services: Remove any suspicious Windows services
- Firewall Cleanup: Remove unauthorized firewall rules
- Consider Reinstallation: For high-risk scenarios or mission-critical systems, a complete operating system reinstallation is recommended for absolute confidence
Important: Any system that has executed installers from 7zip.com should be considered fully compromised.
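The manual removal steps (services, running processes, firewall rules, dropped files) can be scripted so that they are applied in a safe order and previewed before anything is deleted. The function below is an added example, not the article's procedure or any vendor's removal tool; it uses the service names and directory from the article, supports `-WhatIf` so the actions can be reviewed first, and uses `sc.exe delete` for service removal because the `Remove-Service` cmdlet only exists in PowerShell 6 and later. It does not replace the full scan or the reinstallation recommendation above.

```powershell
# Added example (not from the article): scripted version of the removal steps.
# Run in an elevated PowerShell session, after disconnecting from the network.

function Remove-HeroPersistence {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]   $HeroDir      = 'C:\Windows\SysWOW64\hero',   # from the article
        [string[]] $ServiceNames = @('Uphero', 'hero')           # from the article
    )

    # 1. Stop and delete the auto-start services first so nothing respawns.
    #    Also catch any service whose binary lives in the drop directory.
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.Name -in $ServiceNames -or $_.PathName -like "*$HeroDir*" }
    foreach ($svc in $services) {
        if ($PSCmdlet.ShouldProcess($svc.Name, 'Stop and delete service')) {
            Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
            & sc.exe delete $svc.Name | Out-Null
        }
    }

    # 2. Terminate any still-running copies of the dropped executables
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -like "$HeroDir\*" } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Path, 'Terminate process')) {
                Stop-Process -Id $_.Id -Force -ErrorAction SilentlyContinue
            }
        }

    # 3. Remove firewall rules whose program filter points into the drop directory
    Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Program -like "$HeroDir\*" } |
        Get-NetFirewallRule |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.DisplayName, 'Remove firewall rule')) {
                Remove-NetFirewallRule -Name $_.Name
            }
        }

    # 4. Delete the dropped directory last, once nothing holds its files open
    if (Test-Path -LiteralPath $HeroDir) {
        if ($PSCmdlet.ShouldProcess($HeroDir, 'Remove directory')) {
            Remove-Item -LiteralPath $HeroDir -Recurse -Force
        }
    }
}

# Preview every action without changing anything, then run for real:
Remove-HeroPersistence -WhatIf
# Remove-HeroPersistence
```

Ordering matters here: the services are removed before the processes are killed so the Service Control Manager cannot restart them, and the directory is deleted only after its executables are no longer running. Keep the `-WhatIf` output as a record of what was found on the host before cleanup.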
7-Zip Software Vulnerabilities (Separate Issues)
In addition to this malware distribution campaign, several legitimate 7-Zip vulnerabilities have been discovered and patched recently:
CVE-2025-0411 (Patched in v24.09)
A zero-day vulnerability exploited by Russian cybercrime groups targeting Ukrainian organizations. The flaw allowed attackers to bypass Windows Mark-of-the-Web protections through double-encapsulated archives, enabling malicious scripts to execute without security warnings. The vulnerability was actively exploited in September 2024 to deliver SmokeLoader malware.
CVE-2025-11001 and CVE-2025-11002 (Patched in v25.00)
These directory traversal vulnerabilities stem from improper handling of symbolic links in ZIP files. Attackers could craft malicious archives that escape their extraction directory and write files to sensitive system locations, potentially leading to remote code execution. Both carry a CVSS score of 7.0 and are being actively exploited in the wild.
CVE-2025-55188 (Patched in v25.01)
Affects Linux systems and allows arbitrary file writes through unsafe symbolic link handling during archive extraction. While assigned a low CVSS score of 2.7, researchers argue this significantly underestimates the true impact.
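All three of the symlink and traversal flaws above have the same shape: an archive entry that, when extracted, lands somewhere other than under the chosen destination directory. Independently of whether the installed 7-Zip is patched, an archive from an untrusted source can be inspected for such entries before extraction. The function below is an added example and is not part of the article or of 7-Zip; it uses .NET's `System.IO.Compression` to list a ZIP's entries and flags absolute paths, names that normalise to a location outside the destination, and entries whose Unix mode bits (stored in the upper 16 bits of the entry's external attributes when the archive was created on a Unix system, which is an assumption about the archive's origin) mark them as symbolic links. The sample archive and destination paths are constructed.

```powershell
# Added example (not from the article or 7-Zip): pre-extraction check of a ZIP
# for path traversal and symbolic-link entries.

Add-Type -AssemblyName System.IO.Compression, System.IO.Compression.FileSystem

function Test-ZipEntrySafety {
    param(
        [Parameter(Mandatory)] [string] $ArchivePath,
        [Parameter(Mandatory)] [string] $Destination
    )
    # Normalised destination with a trailing separator, so "C:\Extract2" is not
    # mistaken for a child of "C:\Extract"
    $root = [System.IO.Path]::GetFullPath($Destination).TrimEnd('\') + '\'
    $zip  = [System.IO.Compression.ZipFile]::OpenRead($ArchivePath)
    try {
        foreach ($entry in $zip.Entries) {
            $name    = $entry.FullName
            $reasons = @()

            # Absolute paths and drive letters escape any destination
            if ([System.IO.Path]::IsPathRooted($name)) { $reasons += 'absolute path' }

            # Resolve ".." segments and check the entry still lands under the root.
            # Path.Combine returns the second argument unchanged when it is rooted,
            # so a rooted name also fails the StartsWith test.
            try {
                $target = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($root, $name))
                if (-not $target.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += 'path traversal'
                }
            } catch {
                $reasons += 'unparseable path'
            }

            # Unix st_mode lives in the high 16 bits; 0xA000 (S_IFLNK) is a symlink
            $mode = ($entry.ExternalAttributes -shr 16) -band 0xF000
            if ($mode -eq 0xA000) { $reasons += 'symbolic link' }

            [pscustomobject]@{
                Entry  = $name
                Unsafe = ($reasons.Count -gt 0)
                Reason = ($reasons -join ', ')
            }
        }
    } finally {
        $zip.Dispose()
    }
}

# Usage (constructed paths): list every entry and refuse to extract if any is unsafe
$report = @(Test-ZipEntrySafety -ArchivePath 'C:\Downloads\untrusted.zip' -Destination 'C:\Extract')
$report | Format-Table -AutoSize
if ($report | Where-Object Unsafe) {
    Write-Warning 'Archive contains traversal or symlink entries; do not extract it.'
}
```

The check deliberately reports why an entry was flagged rather than just a yes/no, because a symlink entry is a different risk from a `..\..\` name: the former only becomes dangerous if the extractor follows it when writing a later entry, which is exactly the behaviour the patched versions fix, while the latter is unsafe with any naive extractor. Archives built on Windows carry no Unix mode bits, so the symlink test is silent for them.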
Protection Measures
To protect yourself from both malware distribution and software vulnerabilities:
Essential Steps
- Verify Official Sources
  - Always download from the legitimate 7-zip.org domain
  - Bookmark official software websites to avoid domain confusion
  - Never trust download links from search results or random tutorials without verification
- Keep Software Updated
  - Update 7-Zip to the latest version (currently 25.01 as of August 2025)
  - Note: 7-Zip has no automatic update mechanism, requiring manual updates
  - Check regularly for security patches
- Security Tools
  - Keep Windows Defender or other antivirus software active and updated
  - Enable Windows Firewall and monitor for unauthorized rule changes
  - Use security software that can detect behavioral anomalies
- Best Practices
  - Be suspicious of unexpected code-signing certificates
  - Monitor for unauthorized Windows services
  - Avoid clicking on promoted search results for software downloads
  - Verify domain names carefully before downloading anything
  - Exercise caution with YouTube tutorials that provide download links
- Network Monitoring
  - Watch for unexpected firewall prompts or network activity
  - Monitor system resource usage for unusual patterns
  - Check for unexpected outbound connections
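Because 7-Zip has no automatic update mechanism, the "Keep Software Updated" step above is something each machine has to be checked for explicitly. The function below is an added example, not the article's or 7-Zip's own code: it reads the installed 7-Zip entries from the Windows uninstall registry keys, parses the version, and flags any install older than 25.01, the release the article names as current. It assumes the installer records a `DisplayVersion` value such as `25.01` under the uninstall key (falling back to the file version of `7z.exe` if it does not), and takes the minimum version as a parameter so the threshold can be raised as new releases ship.

```powershell
# Added example (not from the article): inventory installed 7-Zip versions and
# flag copies below the minimum. Works in a non-elevated session.

function Get-SevenZipStatus {
    param([version] $Minimum = '25.01')   # current release named in the article

    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '7-Zip*' } |
        ForEach-Object {
            # Prefer the registry DisplayVersion (assumed present); otherwise read
            # the product version stamped into 7z.exe in the install directory
            $raw = $_.DisplayVersion
            if (-not $raw -and $_.InstallLocation) {
                $exe = Join-Path $_.InstallLocation '7z.exe'
                if (Test-Path -LiteralPath $exe) { $raw = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion }
            }
            # Keep only the leading "major.minor" digits, e.g. "25.01 (x64)" -> 25.01
            $ver = $null
            if ($raw -match '^\s*(\d+\.\d+)') { $ver = [version] $Matches[1] }

            [pscustomobject]@{
                Name     = $_.DisplayName
                Version  = $ver
                Location = $_.InstallLocation
                UpToDate = ($null -ne $ver -and $ver -ge $Minimum)
            }
        }
}

$installs = @(Get-SevenZipStatus)
if ($installs.Count -eq 0) {
    Write-Host '7-Zip is not registered in Programs and Features on this host.'
} else {
    $installs | Format-Table -AutoSize
    $installs | Where-Object { -not $_.UpToDate } | ForEach-Object {
        Write-Warning "$($_.Name) is below 25.01 and 7-Zip does not self-update: download the current release from 7-zip.org manually."
    }
}
```

Both the native and the WOW6432Node uninstall hives are read because a 32-bit 7-Zip on a 64-bit Windows registers under the latter. An install that was unpacked from the portable archive rather than run through the installer has no uninstall entry at all and will not appear here; for those, checking the `7z.exe` file version directly is the only option.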
Timeline of Events
- Extended Period: 7zip.com operates distributing malware
- January 12-22, 2025: Initial reports suggest heightened malicious activity
- February 2026: Campaign gains widespread attention via Reddit post
- February 9-10, 2026: Multiple cybersecurity firms publish detailed analyses
- Present: The malicious website remains active as of reporting
Acknowledgments
This sophisticated threat was uncovered through collaborative security research by:
- Luke Acha: Provided first comprehensive analysis identifying the proxyware functionality
- s1dhy: Reverse-engineered the custom XOR-based communication protocol
- Andrew Danis: Contributed infrastructure analysis and campaign clustering
- Malwarebytes: Published detailed threat intelligence and indicators of compromise
- RaichuLab and WizSafe Security: Provided technical validation
Conclusion
This campaign demonstrates how attackers increasingly exploit human psychology rather than technical vulnerabilities. By impersonating legitimate software with functional installers and using sophisticated evasion techniques, criminals can bypass traditional security measures while building profitable proxy networks.
The lesson is clear: domain verification is critical. The difference between .org and .com may seem trivial, but in this case, it’s the difference between legitimate software and a malicious proxy bot running on your home computer.
Remember: The official 7-Zip website is 7-zip.org. Always verify you’re on the correct domain before downloading any software.
This article is based on research and reports from Malwarebytes, BleepingComputer, Tom’s Hardware, GBHackers, Trend Micro ZDI, and independent security researchers. All users who may have downloaded 7-Zip from an unofficial source should immediately check their systems for compromise.