{"id":39781,"date":"2026-02-09T06:35:46","date_gmt":"2026-02-09T06:35:46","guid":{"rendered":"http:\/\/localhost\/?p=39781"},"modified":"2026-02-09T06:35:46","modified_gmt":"2026-02-09T06:35:46","slug":"fake-7-zip-downloads-are-turning-home-pcs-into-proxy-nodes","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=39781","title":{"rendered":"Fake 7-Zip downloads are turning home PCs into proxy nodes_MALWAREBYTES:45F64362C69A67D7013637654D14A05E"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-02-09T12:05:07&#8243;,&#8221;description&#8221;:&#8221;A convincing lookalike of the popular 7-Zip archiver site has been serving a trojanized installer that silently converts victims\u2019 machines into residential proxy nodes\u2014and it has been hiding in plain sight for some time.\\n\\n## \u201cI\u2019m so sick to my stomach\u201d\\n\\nA PC builder recently turned to Reddit\u2019s r\/pcmasterrace community in a panic after realizing they had downloaded 7\u2011Zip from the wrong website. Following a YouTube tutorial for a new build, they were instructed to download 7\u2011Zip from 7zip[.]com, unaware that the legitimate project is hosted exclusively at 7-zip.org.\\n\\nIn their Reddit post, the user described installing the file first on a laptop and later transferring it via USB to a newly built desktop. They encountered repeated 32\u2011bit versus 64\u2011bit errors and ultimately abandoned the installer in favor of Windows\u2019 built\u2011in extraction tools. Nearly two weeks later, Microsoft Defender alerted on the system with a generic detection: Trojan:Win32\/Malgent!MSR.\\n\\nThe experience illustrates how a seemingly minor domain mix-up can result in long-lived, unauthorized use of a system when attackers successfully masquerade as trusted software distributors.\\n\\n## A trojanized installer masquerading as legitimate software\\n\\nThis is not a simple case of a malicious download hosted on a random site. 
The operators behind 7zip[.]com distributed a trojanized installer via a lookalike domain, delivering a functional copy of 7\u2011Zip File Manager alongside a concealed malware payload.\\n\\nThe installer is Authenticode\u2011signed using a now\u2011revoked certificate issued to Jozeal Network Technology Co., Limited, lending it superficial legitimacy. During installation, a modified build of `7zfm.exe` is deployed and functions as expected, reducing user suspicion. In parallel, three additional components are silently dropped:\\n\\n  * **Uphero.exe** \u2014a service manager and update loader\\n  * **hero.exe** \u2014the primary proxy payload (Go\u2011compiled)\\n  * **hero.dll** \u2014a supporting library\\n\\n\\n\\nAll components are written to `C:\\\\Windows\\\\SysWOW64\\\\hero\\\\`, a privileged directory that is unlikely to be manually inspected.\\n\\nAn independent update channel was also observed at `update.7zip[.]com\/version\/win-service\/1.0.0.2\/Uphero.exe.zip`, indicating that the malware payload can be updated independently of the installer itself.\\n\\n## Abuse of trusted distribution channels\\n\\nOne of the more concerning aspects of this campaign is its reliance on third\u2011party trust. The Reddit case highlights YouTube tutorials as an inadvertent malware distribution vector, where creators incorrectly reference 7zip.com instead of the legitimate domain.\\n\\nThis shows how attackers can exploit small errors in otherwise benign content ecosystems to funnel victims toward malicious infrastructure at scale.\\n\\n## Execution flow: from installer to persistent proxy service\\n\\nBehavioral analysis shows a rapid and methodical infection chain:\\n\\n**1\\\\. File deployment** \u2014The payload is installed into SysWOW64, requiring elevated privileges and signaling intent for deep system integration.\\n\\n**2\\\\. 
Persistence via Windows services** \u2014Both `Uphero.exe` and `hero.exe` are registered as auto\u2011start Windows services running under System privileges, ensuring execution on every boot.\\n\\n**3\\\\. Firewall rule manipulation** \u2014The malware invokes `netsh` to remove existing rules and create new inbound and outbound allow rules for its binaries. This is intended to reduce interference with network traffic and support seamless payload updates.\\n\\n**4\\\\. Host profiling** \u2014Using WMI and native Windows APIs, the malware enumerates system characteristics including hardware identifiers, memory size, CPU count, disk attributes, and network configuration. The malware communicates with iplogger[.]org via a dedicated reporting endpoint, suggesting it collects and reports device or network metadata as part of its proxy infrastructure.\\n\\n## Functional goal: residential proxy monetization\\n\\nWhile initial indicators suggested backdoor\u2011style capabilities, further analysis revealed that the malware\u2019s primary function is proxyware. The infected host is enrolled as a residential proxy node, allowing third parties to route traffic through the victim\u2019s IP address.\\n\\nThe `hero.exe` component retrieves configuration data from rotating \u201csmshero\u201d\u2011themed command\u2011and\u2011control domains, then establishes outbound proxy connections on non\u2011standard ports such as 1000 and 1002. Traffic analysis shows a lightweight XOR\u2011encoded protocol (key `0x70`) used to obscure control messages.\\n\\nThis infrastructure is consistent with known residential proxy services, where access to real consumer IP addresses is sold for fraud, scraping, ad abuse, or anonymity laundering.\\n\\n## Shared tooling across multiple fake installers\\n\\nThe 7\u2011Zip impersonation appears to be part of a broader operation. 
Related binaries have been identified under names such as `upHola.exe`, upTiktok, upWhatsapp, and upWire, all sharing identical tactics, techniques, and procedures:\\n\\n  * Deployment to SysWOW64\\n  * Windows service persistence\\n  * Firewall rule manipulation via `netsh`\\n  * Encrypted HTTPS C2 traffic\\n\\n\\n\\nEmbedded strings referencing VPN and proxy brands suggest a unified backend supporting multiple distribution fronts.\\n\\n## Rotating infrastructure and encrypted transport\\n\\nMemory analysis uncovered a large pool of hardcoded command-and-control domains using `hero` and `smshero` naming conventions. Active resolution during sandbox execution showed traffic routed through Cloudflare infrastructure with TLS\u2011encrypted HTTPS sessions. \\n\\nThe malware also uses DNS-over-HTTPS via Google\u2019s resolver, reducing visibility for traditional DNS monitoring and complicating network-based detection.\\n\\n## Evasion and anti\u2011analysis features\\n\\nThe malware incorporates multiple layers of sandbox and analysis evasion:\\n\\n  * Virtual machine detection targeting VMware, VirtualBox, QEMU, and Parallels\\n  * Anti\u2011debugging checks and suspicious debugger DLL loading\\n  * Runtime API resolution and PEB inspection\\n  * Process enumeration, registry probing, and environment inspection\\n\\n\\n\\nCryptographic support is extensive, including AES, RC4, Camellia, Chaskey, XOR encoding, and Base64, suggesting encrypted configuration handling and traffic protection.\\n\\n## Defensive guidance\\n\\nAny system that has executed installers from 7zip.com should be considered compromised. While this malware establishes SYSTEM\u2011level persistence and modifies firewall rules, reputable security software can effectively detect and remove the malicious components. Malwarebytes is capable of fully eradicating known variants of this threat and reversing its persistence mechanisms. 
In high\u2011risk or heavily used systems, some users may still choose a full OS reinstall for absolute assurance, but it is not strictly required in all cases.\\n\\nUsers and defenders should:\\n\\n  * Verify software sources and bookmark official project domains\\n  * Treat unexpected code\u2011signing identities with skepticism\\n  * Monitor for unauthorized Windows services and firewall rule changes\\n  * Block known C2 domains and proxy endpoints at the network perimeter\\n\\n\\n\\n## Researcher attribution and community analysis\\n\\nThis investigation would not have been possible without the work of independent security researchers who went deeper than surface-level indicators and identified the true purpose of this malware family.\\n\\n  * **Luke Acha** provided the first comprehensive analysis showing that the Uphero\/hero malware functions as residential proxyware rather than a traditional backdoor. His work documented the proxy protocol, traffic patterns, and monetization model, and connected this campaign to a broader operation he dubbed upStage Proxy. Luke&#8217;s full write-up is available on his blog.\\n  * **s1dhy** expanded on this analysis by reversing and decoding the custom XOR-based communication protocol, validating the proxy behavior through packet captures, and correlating multiple proxy endpoints across victim geolocations. 
Technical notes and findings were shared publicly on X (Twitter).\\n  * **Andrew Danis** contributed additional infrastructure analysis and clustering, helping tie the fake 7-Zip installer to related proxyware campaigns abusing other software brands.\\n\\n\\n\\nAdditional technical validation and dynamic analysis were published by researchers at RaichuLab on Qiita and WizSafe Security on IIJ.\\n\\nTheir collective work highlights the importance of open, community-driven research in uncovering long-running abuse campaigns that rely on trust and misdirection rather than exploits.\\n\\n## Closing thoughts\\n\\nThis campaign demonstrates how effective brand impersonation combined with technically competent malware can operate undetected for extended periods. By abusing user trust rather than exploiting software vulnerabilities, attackers bypass many traditional security assumptions\u2014turning everyday utility downloads into long\u2011lived monetization infrastructure.\\n\\nMalwarebytes detects and blocks known variants of this proxyware family and its associated infrastructure.\\n\\n## Indicators of Compromise (IOCs)\\n\\n### File paths\\n\\n  * `C:\\\\Windows\\\\SysWOW64\\\\hero\\\\Uphero.exe`\\n  * `C:\\\\Windows\\\\SysWOW64\\\\hero\\\\hero.exe`\\n  * `C:\\\\Windows\\\\SysWOW64\\\\hero\\\\hero.dll`\\n\\n\\n\\n### File hashes (SHA-256)\\n\\n  * `e7291095de78484039fdc82106d191bf41b7469811c4e31b4228227911d25027` (Uphero.exe)\\n  * `b7a7013b951c3cea178ece3363e3dd06626b9b98ee27ebfd7c161d0bbcfbd894` (hero.exe)\\n  * `3544ffefb2a38bf4faf6181aa4374f4c186d3c2a7b9b059244b65dce8d5688d9` (hero.dll)\\n\\n\\n\\n### Network indicators\\n\\n**Domains:**\\n\\n  * `soc.hero-sms[.]co`\\n  * `neo.herosms[.]co`\\n  * `flux.smshero[.]co`\\n  * `nova.smshero[.]ai`\\n  * `apex.herosms[.]ai`\\n  * `spark.herosms[.]io`\\n  * `zest.hero-sms[.]ai`\\n  * `prime.herosms[.]vip`\\n  * `vivid.smshero[.]vip`\\n  * `mint.smshero[.]com`\\n  * `pulse.herosms[.]cc`\\n  * `glide.smshero[.]cc`\\n  * 
`svc.ha-teams.office[.]com`\\n  * `iplogger[.]org`\\n\\n\\n\\n**Observed IPs (Cloudflare-fronted):**\\n\\n  * `104.21.57.71`\\n  * `172.67.160.241`\\n\\n\\n\\n### Host-based indicators\\n\\n  * Windows services with image paths pointing to `C:\\\\Windows\\\\SysWOW64\\\\hero\\\\`\\n  * Firewall rules named Uphero or hero (inbound and outbound)\\n  * Mutex: `Global\\\\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7`\\n\\n\\n\\n* * *\\n\\n**We don\u2019t just report on threats\u2014we remove them**\\n\\nCybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.&#8221;,&#8221;published&#8221;:&#8221;2026-02-09T10:51:18&#8243;,&#8221;modified&#8221;:&#8221;2026-02-09T10:51:18&#8243;,&#8221;type&#8221;:&#8221;malwarebytes&#8221;,&#8221;title&#8221;:&#8221;Fake 7-Zip downloads are turning home PCs into proxy nodes&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;MALWAREBYTES:45F64362C69A67D7013637654D14A05E&#8221;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorSt
ring&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2026\/02\/fake-7-zip-downloads-are-turning-home-pcs-into-proxy-nodes&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-02-09T12:05:07&#8243;,&#8221;description&#8221;:&#8221;A convincing lookalike of the popular 7-Zip archiver site has been serving a trojanized installer that silently converts victims\u2019 machines into residential proxy nodes\u2014and it&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-39781","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Fake 7-Zip downloads 
are turning home PCs into proxy nodes_MALWAREBYTES:45F64362C69A67D7013637654D14A05E - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=39781\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Fake 7-Zip downloads are turning home PCs into proxy nodes_MALWAREBYTES:45F64362C69A67D7013637654D14A05E - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2026-02-09T12:05:07&#8243;,&#8221;description&#8221;:&#8221;A convincing lookalike of the popular 7-Zip archiver site has been serving a trojanized installer that silently converts victims\u2019 machines into residential proxy nodes\u2014and it...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=39781\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-09T06:35:46+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=39781#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=39781\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Fake 7-Zip downloads are turning home PCs into proxy nodes_MALWAREBYTES:45F64362C69A67D7013637654D14A05E\",\"datePublished\":\"2026-02-09T06:35:46+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=39781\"},\"wordCount\":1691,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"malwarebytes\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=39781#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=39781\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=39781\",\"name\":\"Fake 7-Zip downloads are turning home PCs into proxy nodes_MALWAREBYTES:45F64362C69A67D7013637654D14A05E - zero 
redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-02-09T06:35:46+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=39781#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=39781\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=39781#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Fake 7-Zip downloads are turning home PCs into proxy nodes_MALWAREBYTES:45F64362C69A67D7013637654D14A05E\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero 
redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Fake 7-Zip downloads are turning home PCs into proxy nodes_MALWAREBYTES:45F64362C69A67D7013637654D14A05E - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=39781","og_locale":"en_US","og_type":"article","og_title":"Fake 7-Zip downloads are turning home PCs into proxy nodes_MALWAREBYTES:45F64362C69A67D7013637654D14A05E - zero redgem","og_description":"{&#8220;lastseen&#8221;:&#8221;2026-02-09T12:05:07&#8243;,&#8221;description&#8221;:&#8221;A convincing lookalike of the popular 7-Zip archiver site has been serving a trojanized installer that silently converts victims\u2019 machines into residential proxy nodes\u2014and it...","og_url":"https:\/\/zero.redgem.net\/?p=39781","og_site_name":"zero redgem","article_published_time":"2026-02-09T06:35:46+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=39781#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=39781"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Fake 7-Zip downloads are turning home PCs into proxy nodes_MALWAREBYTES:45F64362C69A67D7013637654D14A05E","datePublished":"2026-02-09T06:35:46+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=39781"},"wordCount":1691,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","malwarebytes","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=39781#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=39781","url":"https:\/\/zero.redgem.net\/?p=39781","name":"Fake 7-Zip downloads are turning home PCs into proxy nodes_MALWAREBYTES:45F64362C69A67D7013637654D14A05E - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-02-09T06:35:46+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=39781#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=39781"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=39781#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Fake 7-Zip downloads are turning home PCs into proxy nodes_MALWAREBYTES:45F64362C69A67D7013637654D14A05E"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero 
redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/39781","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=39781"}],"version-history":[{"count":0,"href":"htt
ps:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/39781\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=39781"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=39781"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=39781"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}