Malwarebytes reported a malware distribution campaign in which attackers use a lookalike domain, 7zip[.]com, to impersonate the legitimate 7-Zip download site (7-zip.org) and deliver a trojanized installer that still appears to function as expected. The activity surfaced after a Reddit user described being directed to the fake site via a YouTube tutorial/comment, installing the software on multiple systems, and later receiving a generic Microsoft Defender trojan alert; Malwarebytes’ follow-on analysis concluded that systems running installers from 7zip[.]com should be treated as compromised.
Analysis of the counterfeit installer found it drops additional hidden components (including Uphero.exe, hero.exe, and hero.dll) into C:\Windows\SysWOW64\hero\ and establishes persistence by registering executables as Windows services that start with SYSTEM privileges. The primary payload was assessed as proxyware, turning infected home computers into residential proxy nodes that allow third parties to route traffic through victims’ IP addresses; the malware also includes anti-analysis checks to reduce detection. The installer was observed carrying an Authenticode signature issued to Jozeal Network Technology Co., Limited (reported as revoked), and defenders were advised to watch for unauthorized services and related network activity, and to block known C2/proxy infrastructure where possible.
![Trojanized 7-Zip Installers from 7zip[.]com Used to Deploy Proxyware on Home PCs](/_next/image?url=https%3A%2F%2Fmallory-core-public-images.s3.us-east-2.amazonaws.com%2Ftrojanized-7-zip-installers-from-7zipcom-used-to-deploy-proxyware-on-home-pcs.png&w=3840&q=75)
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
After the campaign was publicly disclosed, antivirus vendors updated detections for the malware and the malicious 7zip[.]com domain was added to ad-blocking rulesets, including ones used by uBlock Origin. These actions were intended to reduce further user exposure to the fake download site.
Analysis tied the 7-Zip impersonation to a wider operation using trojanized installers themed as other popular software and services, including HolaVPN, TikTok, WhatsApp, and Wire. The campaign used anti-analysis checks, Cloudflare-fronted C2 traffic, and non-standard proxy ports to reduce detection and support third-party traffic tunneling.
Malwarebytes found the fake installer dropped components including Uphero.exe, hero.exe, and hero.dll, created SYSTEM-level Windows services, changed firewall rules, profiled hosts, and contacted "smshero"-themed infrastructure. The company assessed the malware's main purpose as converting infected Windows systems into residential proxy nodes and warned systems that ran the installer should be treated as compromised.
The campaign came to light after a Reddit user reported downloading 7-Zip from 7zip[.]com after following a YouTube PC-building tutorial link or comment. The user later received a Microsoft Defender trojan alert, indicating compromise.
Adversaries took control of the long-registered domain 7zip[.]com and used it to impersonate the legitimate 7-Zip project. The site hosted trojanized installers that appeared to provide normal 7-Zip functionality while delivering malware.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
securityonline.info
Open sourcecybersecuritynews.com
Open sourcehelpnetsecurity.com
Open sourcebleepingcomputer.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.