A deceptive campaign targeting unsuspecting users has emerged, using a counterfeit version of the widely used 7-Zip file archiving software to silently transform home computers into residential proxy nodes.
The malicious operation relies on a lookalike domain, 7zip[.]com, which closely mimics the legitimate 7-zip.org website, tricking users into downloading a compromised installer that appears fully functional while concealing dangerous malware components.
The threat came to public attention after a Reddit user shared their troubling experience in the r/pcmasterrace community.
While following a YouTube tutorial for building a new PC, they were directed to download 7-Zip from the fraudulent domain.
After installing the software on both a laptop and a newly assembled desktop via USB transfer, the user encountered persistent compatibility errors but continued using the system.
Nearly two weeks passed before Microsoft Defender flagged the infection with a generic trojan detection, revealing the hidden compromise.
Malwarebytes analysts identified that the fake installer delivers a fully operational copy of 7-Zip File Manager alongside three concealed malicious components: Uphero.exe, hero.exe, and hero.dll.
These files are installed into the privileged C:\Windows\SysWOW64\hero directory, a location rarely inspected by typical users.
The installer itself carries an Authenticode signature issued to Jozeal Network Technology Co., Limited, though the certificate has since been revoked.
This digital signature initially provided a false sense of legitimacy, helping the malware evade immediate suspicion during installation.
Once deployed, the malware establishes deep persistence by registering both Uphero.exe and hero.exe as Windows services that automatically launch with SYSTEM-level privileges at every boot.
It manipulates firewall rules through netsh commands, removing existing protections and creating new inbound and outbound exceptions to ensure uninterrupted network communication.
The malware also conducts extensive host profiling, collecting hardware identifiers, memory specifications, CPU details, disk attributes, and network configurations, which are then transmitted to external servers such as iplogger[.]org.
Infection Mechanism and Residential Proxy Infrastructure
The core functionality of this malware revolves around transforming infected machines into nodes within a residential proxy network.
The hero.exe component retrieves configuration instructions from rotating command-and-control servers using “smshero”-themed domain names, including soc.hero-sms[.]co, neo.herosms[.]co, flux.smshero[.]co, and nova.smshero[.]ai.
These domains are typically fronted by Cloudflare infrastructure and communicate over encrypted HTTPS channels, making detection considerably more challenging.
Traffic analysis conducted by security researchers revealed that the malware uses a lightweight XOR-encoded protocol with the key 0x70 to obscure control messages.
It establishes outbound proxy connections on non-standard ports such as 1000 and 1002, allowing third parties to route internet traffic through the victim’s IP address.
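As an added illustration (not code from the article or from Malwarebytes' analysis), the following Python decodes a control message obscured with the single-byte XOR key 0x70 described above and shows how an analyst can confirm that key from a capture alone by scoring all 256 candidates; the message body, its JSON-like layout and the `is_suspect_flow` helper are constructed assumptions, not the real hero.exe protocol.

```python
import string

XOR_KEY = 0x70              # key reported in the traffic analysis
PROXY_PORTS = {1000, 1002}  # non-standard proxy ports reported in the article

# Bytes expected to dominate a decoded, text-based control message.
_COMMON = set((string.ascii_lowercase + string.digits + ' {}":,.-_').encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR: it is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def score_plaintext(candidate: bytes) -> int:
    """Count bytes that look like ordinary text; higher means more plausible plaintext."""
    return sum(1 for b in candidate if b in _COMMON)


def recover_xor_key(ciphertext: bytes, min_ratio: float = 0.9):
    """Return the single-byte key whose decoding looks most like text, or None if none does."""
    if not ciphertext:
        return None
    best_key = max(range(256), key=lambda k: score_plaintext(xor_bytes(ciphertext, k)))
    if score_plaintext(xor_bytes(ciphertext, best_key)) / len(ciphertext) < min_ratio:
        return None
    return best_key


def decode_control_message(ciphertext: bytes, key: int = XOR_KEY) -> str:
    """Decode a captured message with the known key; a non-ASCII result raises rather than hiding it."""
    return xor_bytes(ciphertext, key).decode("ascii")


def is_suspect_flow(dst_port: int, payload: bytes) -> bool:
    """Assumed triage heuristic: traffic to a reported proxy port whose bytes decode cleanly under 0x70."""
    return dst_port in PROXY_PORTS and recover_xor_key(payload) == XOR_KEY


# CONSTRUCTED sample: a plausible message and what it would look like on the wire after XOR 0x70.
SAMPLE_PLAINTEXT = b'{"cmd":"proxy","port":1002,"node":"sample-node-01"}'
SAMPLE_CAPTURE = xor_bytes(SAMPLE_PLAINTEXT, XOR_KEY)

if __name__ == "__main__":
    print("recovered key: 0x%02x" % recover_xor_key(SAMPLE_CAPTURE))
    print("decoded:", decode_control_message(SAMPLE_CAPTURE))
    print("suspect flow:", is_suspect_flow(1002, SAMPLE_CAPTURE))
```

Because the scoring is independent of the key, the same routine recovers any single-byte XOR key, so a changed key in a later variant would still be surfaced by the capture alone.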
This infrastructure is characteristic of residential proxy services, where access to genuine consumer IP addresses is monetized for activities including fraud, web scraping, ad abuse, and anonymity laundering.
The malware also employs DNS-over-HTTPS through Google’s resolver, further reducing visibility for traditional network monitoring tools.
Users who have downloaded installers from 7zip[.]com should treat their systems as compromised. Security software like Malwarebytes can detect and remove known variants of this threat.
However, in high-risk scenarios, some users may opt for a complete operating system reinstallation to ensure absolute removal.
To protect against such attacks, users should verify software sources by bookmarking official project domains, treat unexpected code-signing identities with skepticism, and monitor systems for unauthorized Windows services or firewall modifications.
Network administrators should block known command-and-control domains and proxy endpoints at the network perimeter to prevent communication with malicious infrastructure.