

Ethical Hacking News

Malicious 7-Zip Installers: A Threat to Home Users' Cybersecurity



A malicious 7-Zip website is distributing trojanized installers of the popular archiving tool that turns users' computers into residential proxy nodes, allowing third parties to route traffic through the victim's IP address. Users are advised to avoid downloading software from unverified sources and to be cautious when following URLs from YouTube videos or promoted search results.

  • A malicious website masquerading as 7-Zip is distributing trojanized installers of the popular archiving tool.
  • The installer contains three malicious files: Uphero.exe, hero.exe, and hero.dll.
  • The malware turns the user's computer into a residential proxy node to evade blocks and perform malicious activities.
  • The malware includes an auto-start Windows service and modifies firewall rules to establish connections without explicit user intervention.
  • The malware profiles the host system with WMI and Windows APIs to determine hardware and network characteristics.
  • Malwarebytes has identified the malware as proxyware, allowing third parties to route traffic through the victim's IP address.
  • The malicious campaign appears to be larger than initially thought, distributing trojanized installers for multiple software brands.
  • Users are advised to verify the authenticity of software download sources and avoid downloading from unverified sites.



A malicious website masquerading as the legitimate 7-Zip project has been found distributing trojanized installers of the popular archiving tool. The fake site, identified by cybersecurity researchers as 7zip[.]com, imitates the original 7-zip.org website and can deceive unsuspecting users into downloading a malicious installer.

According to reports from BleepingComputer, the malicious installer contains three malicious files: Uphero.exe, hero.exe, and hero.dll. These files work together to compromise the user's computer by turning it into a residential proxy node. Residential proxy networks use home users' devices to route traffic, with the goal of evading blocks and carrying out activities such as credential stuffing, phishing, and malware distribution.

The malicious installer also includes an auto-start Windows service that runs as SYSTEM, allowing it to establish inbound and outbound connections without explicit user intervention. Furthermore, firewall rules are modified using 'netsh' to allow the binaries to establish connections on non-standard ports.

In addition, the malware profiles the host system with Microsoft's Windows Management Instrumentation (WMI) and Windows APIs to determine hardware, memory, CPU, disk, and network characteristics. The collected data is then sent to 'iplogger[.]org'.

Malwarebytes has issued a statement about the campaign, noting that "initial indicators suggested backdoor-style capabilities, but further analysis revealed that the malware's primary function is proxyware." According to its findings, the infected host is enrolled as a residential proxy node, allowing third parties to route traffic through the victim's IP address.

The campaign appears to be larger than initially thought, with trojanized installers for HolaVPN, TikTok, WhatsApp, and Wire VPN also being distributed. The malware uses a rotating C2 infrastructure built around hero/smshero domains, with traffic going through Cloudflare infrastructure and carried over TLS-encrypted HTTPS. It also relies on DNS-over-HTTPS via Google's resolver to reduce visibility for defenders monitoring standard DNS traffic.
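The auto-start SYSTEM service, the 'netsh' firewall changes and the DNS-over-HTTPS traffic described above are all artefacts a defender can look for on a suspect host. The following PowerShell triage script is an added example and is not code from the article, from BleepingComputer or from Malwarebytes. The file names it searches for come from the article; the Google DNS-over-HTTPS endpoints it checks (8.8.8.8 and 8.8.4.4 on TCP 443) are an assumption, since the article says only that the malware uses Google's resolver. The function names are the example's own.

```powershell
# Added example (not from the article or the named researchers): read-only
# host triage for the behaviours described above. Run in an elevated session.

# File names reported in the article.
$SuspectBinaries = @('Uphero.exe', 'hero.exe', 'hero.dll')
# Regex that matches any of the suspect names inside a path. Note that the
# 'hero.exe' alternative also matches 'Uphero.exe', which is intended.
$SuspectPattern  = ($SuspectBinaries | ForEach-Object { [regex]::Escape($_) }) -join '|'
# Assumption: Google public resolvers used for DoH (the article names only "Google's resolver").
$DohEndpoints    = @('8.8.8.8', '8.8.4.4')

function Find-SuspectServices {
    # Services that auto-start as LocalSystem and whose binary path names a suspect file.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartMode -eq 'Auto' -and
            $_.StartName -eq 'LocalSystem' -and
            $_.PathName -match $SuspectPattern
        } |
        Select-Object Name, State, StartMode, StartName, PathName
}

function Find-SuspectFirewallRules {
    # Enabled allow rules bound to a suspect program, i.e. what a 'netsh advfirewall'
    # addition for these binaries would leave behind.
    foreach ($rule in Get-NetFirewallRule -Action Allow -Enabled True) {
        $app = $rule | Get-NetFirewallApplicationFilter
        if ($app.Program -and $app.Program -match $SuspectPattern) {
            $port = $rule | Get-NetFirewallPortFilter
            [pscustomobject]@{
                RuleName  = $rule.DisplayName
                Direction = $rule.Direction
                Program   = $app.Program
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')
            }
        }
    }
}

function Find-DohConnections {
    # Established HTTPS sessions to the assumed DoH endpoints, with the owning process.
    # Ordinary software rarely speaks to a public resolver on TCP 443, so each hit
    # deserves a look at the process path.
    Get-NetTCPConnection -State Established -RemotePort 443 -ErrorAction SilentlyContinue |
        Where-Object { $DohEndpoints -contains $_.RemoteAddress } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Pid     = $_.OwningProcess
                Process = $proc.ProcessName
                Path    = $proc.Path
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            }
        }
}

'== Auto-start SYSTEM services referencing suspect binaries =='
Find-SuspectServices | Format-Table -AutoSize
'== Enabled firewall allow rules bound to suspect binaries =='
Find-SuspectFirewallRules | Format-Table -AutoSize
'== Established HTTPS sessions to assumed Google DoH endpoints =='
Find-DohConnections | Format-Table -AutoSize
```

The script only reads state and changes nothing, so it is safe to run as a first pass before a fuller forensic collection. Empty tables mean none of the three indicators is present; a hit in any table, especially a SYSTEM service whose binary lives outside Program Files, is reason to isolate the host. The DoH check is the weakest of the three, since legitimate browsers can also use Google's resolver over HTTPS, which is why the owning process path is included in the output.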

The malware checks for virtualization platforms such as VMware, VirtualBox, QEMU, and Parallels, as well as for debuggers, to identify when it is being analyzed. Malwarebytes' investigation into the campaign began after it noticed research from independent security researchers who uncovered the malware's true purpose.

The discovery of the malware has been attributed to Luke Acha and Andrew Danis, two cybersecurity experts who reverse-engineered the communication protocol used by the Uphero/hero malware. The XOR-based communication protocol was decoded by s1dhy, and digital forensics and incident response engineer Andrew Danis connected the fake 7-Zip installer to the larger campaign impersonating multiple software brands.

The incident highlights the importance of verifying the authenticity of software download sources before installing anything. Users are advised to avoid following URLs from YouTube videos or promoted search results, and instead to bookmark the download portal domains for the software they use often.

In light of this development, cybersecurity experts have cautioned users about the risks of downloading software from unverified sources. As the threat landscape continues to evolve, individuals need to remain vigilant and take proactive steps to protect their digital security.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Malicious-7-Zip-Installers-A-Threat-to-Home-Users-Cybersecurity-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/malicious-7-zip-site-distributes-installer-laced-with-proxy-tool/

  • https://www.malwarebytes.com/blog/threat-intel/2026/02/fake-7-zip-downloads-are-turning-home-pcs-into-proxy-nodes


  • Published: Tue Feb 10 13:45:19 2026 by llama3.2 3B Q4_K_M
