Malicious 7-Zip site distributes installer laced with proxy tool
Source: Bleeping Computer

Threat overview
A fake 7‑Zip website (7zip.com) is distributing a trojanized installer of the popular archiving tool. The installer turns the victim’s computer into a residential proxy node, allowing attackers to route traffic through the victim’s IP address. Residential proxy networks are used to evade blocks and carry out malicious activities such as credential stuffing, phishing, and malware distribution.
The campaign was first reported when a user downloaded the malicious installer while following a YouTube tutorial on building a PC. BleepingComputer confirmed that the malicious domain is still live.
Malicious installer details
- The attacker registered 7zip.com and copied the text and layout of the legitimate site at 7‑zip.org.
- The installer is digitally signed with a now‑revoked certificate originally issued to Jozeal Network Technology Co., Limited.
- The installer contains a functional copy of 7‑Zip, but also drops three malicious files:
  - Uphero.exe – service manager and update loader
  - hero.exe – main proxy payload
  - hero.dll – support library
  These files are written to C:\Windows\SysWOW64\hero\ and an auto‑start Windows service running as SYSTEM is created for the executables.
- Firewall rules are modified via netsh to allow inbound and outbound connections for the binaries.
Payload behavior
- System profiling – The malware uses Windows Management Instrumentation (WMI) and Windows APIs to collect hardware, memory, CPU, disk, and network information, which is sent to iplogger.org.
- Proxy functionality – hero.exe retrieves configuration from rotating “smshero”‑themed C2 domains and opens outbound proxy connections on non‑standard ports (e.g., 1000, 1002). Control messages are obfuscated with a lightweight XOR key.
- Infrastructure – Traffic is routed through Cloudflare, carried over TLS‑encrypted HTTPS, and uses DNS‑over‑HTTPS via Google’s resolver to evade DNS monitoring.
- Anti‑analysis – The malware checks for virtualization platforms (VMware, VirtualBox, QEMU, Parallels) and debuggers before executing its payload.
Related campaign
Malwarebytes observed that the same actors also distribute trojanized installers for HolaVPN, TikTok, WhatsApp, and Wire VPN, using the same rotating C2 infrastructure.
Indicators of compromise (IOCs)
- Dropped files:
  - C:\Windows\SysWOW64\hero\Uphero.exe
  - C:\Windows\SysWOW64\hero\hero.exe
  - C:\Windows\SysWOW64\hero\hero.dll
- Service name: Auto‑start service created for the malicious executables (run as SYSTEM).
- Network: Outbound connections to rotating smshero domains (e.g., *.smshero.com) over ports 1000, 1002; data exfiltration to iplogger.org.
- Domain: 7zip.com (malicious site) – still active at time of writing.
For a full list of domains, IP addresses, and file hashes, refer to the Malwarebytes analysis linked below.
Mitigation recommendations
- Download software only from official sites (e.g., 7-zip.org) or trusted repositories.
- Avoid following download links in YouTube videos or search results; bookmark the legitimate download page instead.
- Verify digital signatures of installer files; a revoked or mismatched certificate is a red flag.
- Monitor for unexpected services under SysWOW64\hero\ and unusual firewall rule changes.
- Use endpoint protection that can detect known malicious hashes and suspicious behavior such as WMI profiling or DNS‑over‑HTTPS tunneling.
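The service, signature, firewall and network checks from the mitigation list, as an added PowerShell triage script that is not from the article or from Malwarebytes. It assumes the drop directory and proxy ports named in the article, and that the NetSecurity module (Get-NetFirewall*, Get-NetTCPConnection) is available, as on Windows 8 / Server 2012 and later.

```powershell
# Added triage script (not from the article): hunts for the artifacts the
# article describes on a single host. Run from an elevated PowerShell prompt.
$SuspectDir = 'C:\Windows\SysWOW64\hero\'   # drop directory reported in the article
$SuspectPorts = 1000, 1002                   # non-standard proxy ports reported in the article

# 1. Services whose binary lives in the drop directory. The article says the
#    dropper registers an auto-start service running as SYSTEM.
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -like "*$SuspectDir*" } |
    Select-Object Name, PathName, StartMode, StartName, State

# 2. Authenticode status of every PE file in the drop directory. Anything other
#    than 'Valid' (NotSigned, NotTrusted, HashMismatch, a revoked signer, ...)
#    is the red flag the article points to.
$files = Get-ChildItem -Path $SuspectDir -Include *.exe, *.dll -Recurse -ErrorAction SilentlyContinue
$signatures = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        File    = $f.FullName
        Status  = $sig.Status
        Signer  = $sig.SignerCertificate.Subject
        Message = $sig.StatusMessage
    }
}

# 3. Firewall rules that reference a program under the drop directory. Rules
#    added with netsh (as the article describes) show up here like any other.
$fwRules = Get-NetFirewallApplicationFilter |
    Where-Object { $_.Program -like "*$SuspectDir*" } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Direction, Action, Enabled

# 4. Established TCP connections to the proxy ports, with the owning process,
#    so each hit can be matched against the service list above.
$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -in $SuspectPorts } |
    Select-Object LocalAddress, RemoteAddress, RemotePort, OwningProcess

# Emit one object per check; any non-empty member warrants further investigation.
[pscustomobject]@{
    Services      = $services
    Signatures    = $signatures
    FirewallRules = $fwRules
    Connections   = $conns
} | Format-List
```

An empty result for all four checks does not prove a clean host; the article notes the C2 domains rotate and the traffic is carried over HTTPS, so pair this with the full Malwarebytes indicator list and endpoint telemetry.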
References