Cybercriminals Exploit Fake 7-Zip Installers to Hijack Home Computers
A recent cyberattack campaign has emerged, targeting unsuspecting users by distributing a counterfeit version of the widely used 7-Zip file archiving software. This malicious operation aims to covertly transform home computers into nodes within a residential proxy network, enabling cybercriminals to route their activities through compromised systems.
Deceptive Distribution Tactics
The attackers have set up a fraudulent website, 7zip[.]com, which closely resembles the legitimate 7-zip.org site. Unsuspecting users are lured into downloading a compromised installer that appears to function as the genuine 7-Zip software but secretly installs harmful components.
The threat came to light when a Reddit user shared their experience in the r/pcmasterrace community. While following a YouTube tutorial for building a new PC, they were directed to download 7-Zip from the deceptive domain. After installing the software on both a laptop and a newly assembled desktop via USB transfer, the user encountered persistent compatibility errors but continued using the system. Nearly two weeks later, Microsoft Defender flagged the infection with a generic trojan detection, revealing the hidden compromise.
Malware Deployment and Persistence
Analysts at Malwarebytes identified that the fake installer delivers a fully operational copy of 7-Zip File Manager alongside three concealed malicious components: Uphero.exe, hero.exe, and hero.dll. These files are installed into the privileged C:\Windows\SysWOW64\hero\ directory, a location rarely inspected by typical users. The installer itself carries an Authenticode signature issued to Jozeal Network Technology Co., Limited, though the certificate has since been revoked. This digital signature initially provided a false sense of legitimacy, helping the malware evade immediate suspicion during installation.
Once deployed, the malware establishes deep persistence by registering both Uphero.exe and hero.exe as Windows services that automatically launch with SYSTEM-level privileges at every boot. It manipulates firewall rules through netsh commands, removing existing protections and creating new inbound and outbound exceptions to ensure uninterrupted network communication. The malware also conducts extensive host profiling, collecting hardware identifiers, memory specifications, CPU details, disk attributes, and network configurations, which are then transmitted to external servers such as iplogger[.]org.
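The artifacts described above (dropped files under C:\Windows\SysWOW64\hero\, auto-start services, netsh-created firewall exceptions, outbound connections on ports 1000 and 1002) can be checked from an elevated PowerShell prompt. The script below is an added triage example written for this article; it is not code from Malwarebytes or from the researchers. It takes only the paths, file names and ports the article names; because the service and firewall rule names are not published, it matches on the binary path instead, and the domain list is included only for the reader's reference when reviewing proxy or DNS logs.

```powershell
# Added host-triage example for the fake 7-Zip / "hero" proxy campaign.
# Run elevated. Every indicator below comes from the article; service and rule
# names are NOT known, so we match on the dropped directory instead.
$HeroDir   = 'C:\Windows\SysWOW64\hero'
$HeroFiles = @('Uphero.exe', 'hero.exe', 'hero.dll')
$ProxyPorts = @(1000, 1002)
# C2 domains from the article (for log review; the malware resolves them over DoH,
# so the local DNS cache will usually NOT show them)
$C2Domains = @('soc.hero-sms.co', 'neo.herosms.co', 'flux.smshero.co', 'nova.smshero.ai', 'iplogger.org')

function Find-HeroFiles {
    foreach ($f in $HeroFiles) {
        $p = Join-Path $HeroDir $f
        if (Test-Path -LiteralPath $p) {
            # Status alone is not a revocation check; record the signer for manual review.
            $sig = Get-AuthenticodeSignature -FilePath $p
            [pscustomobject]@{
                Type   = 'File'
                Detail = "$p sig=$($sig.Status) signer=$($sig.SignerCertificate.Subject)"
            }
        }
    }
}

function Find-HeroServices {
    # The article: Uphero.exe and hero.exe registered as auto-start SYSTEM services
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -like "*$HeroDir*" } |
        ForEach-Object {
            [pscustomobject]@{
                Type   = 'Service'
                Detail = "$($_.Name) start=$($_.StartMode) account=$($_.StartName) path=$($_.PathName)"
            }
        }
}

function Find-HeroFirewallRules {
    # Exceptions the installer adds via netsh show up as program-scoped rules
    Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -like "*$HeroDir*" } |
        Get-NetFirewallRule |
        ForEach-Object {
            [pscustomobject]@{
                Type   = 'FirewallRule'
                Detail = "$($_.DisplayName) dir=$($_.Direction) action=$($_.Action) enabled=$($_.Enabled)"
            }
        }
}

function Find-ProxyConnections {
    # Outbound proxy sessions on the non-standard ports named in the article
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in $ProxyPorts } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Type   = 'Connection'
                Detail = "$($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) pid=$($_.OwningProcess) ($($proc.ProcessName))"
            }
        }
}

# @( ... ) collects whatever the four checks emit, including nothing at all
$findings = @(
    Find-HeroFiles
    Find-HeroServices
    Find-HeroFirewallRules
    Find-ProxyConnections
)

if ($findings.Count -eq 0) {
    Write-Output "No hero-proxy artifacts found on $env:COMPUTERNAME. Also review egress logs for: $($C2Domains -join ', ')"
} else {
    Write-Warning "$($findings.Count) indicator(s) of the fake 7-Zip proxy malware found on $env:COMPUTERNAME"
    $findings | Format-Table -AutoSize
}
```

A clean result from this script is not proof of a clean machine: the malware removes and rewrites firewall rules and can be reconfigured from its command-and-control servers, so a hit on any one check is enough to treat the host as compromised, and the absence of hits only means these particular artifacts were not present at the time of the scan.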
Infection Mechanism and Residential Proxy Infrastructure
The core functionality of this malware revolves around transforming infected machines into nodes within a residential proxy network. The hero.exe component retrieves configuration instructions from rotating command-and-control servers using “smshero”-themed domain names, including soc.hero-sms[.]co, neo.herosms[.]co, flux.smshero[.]co, and nova.smshero[.]ai. These domains are typically fronted by Cloudflare infrastructure and communicate over encrypted HTTPS channels, making detection considerably more challenging.
Traffic analysis conducted by security researchers revealed that the malware uses a lightweight XOR-encoded protocol with the key 0x70 to obscure control messages. It establishes outbound proxy connections on non-standard ports such as 1000 and 1002, allowing third parties to route internet traffic through the victim’s IP address. This infrastructure is characteristic of residential proxy services, where access to genuine consumer IP addresses is monetized for activities including fraud, web scraping, ad abuse, and anonymity laundering. The malware also employs DNS-over-HTTPS through Google’s resolver, further reducing visibility for traditional network monitoring tools.
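Because the control channel is only obscured with a single-byte XOR key (0x70), an analyst who has extracted a payload from a capture can recover it directly. The function below is an added example written for this article, not code from the researchers; it decodes a byte array with that key and reports how much of the result is printable ASCII, which is a quick way to tell whether a given blob really is a key-0x70 message. The sample payload is constructed here by encoding a made-up plaintext, and its JSON-like shape is an assumption, since the article does not publish the actual message format.

```powershell
# Added example: decode a 0x70-XOR-obscured control message and judge plausibility.
function ConvertFrom-XorPayload {
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [byte]$Key = 0x70   # key reported in the article's traffic analysis
    )
    $decoded = [byte[]]::new($Bytes.Length)
    for ($i = 0; $i -lt $Bytes.Length; $i++) {
        $decoded[$i] = $Bytes[$i] -bxor $Key
    }
    # Count printable ASCII (0x20..0x7E) plus tab/LF/CR; real messages are mostly text
    $printable = @($decoded | Where-Object { ($_ -ge 0x20 -and $_ -le 0x7E) -or ($_ -in 9, 10, 13) }).Count
    $ratio = if ($decoded.Length -gt 0) { $printable / $decoded.Length } else { 0 }
    [pscustomobject]@{
        Text           = [System.Text.Encoding]::ASCII.GetString($decoded)
        PrintableRatio = [math]::Round($ratio, 2)
        Plausible      = ($ratio -ge 0.9)   # threshold is a triage heuristic, not from the article
    }
}

# Constructed sample: a made-up plaintext, XOR-0x70 encoded the way a capture would show it
$plain    = [System.Text.Encoding]::ASCII.GetBytes('{"cmd":"proxy","port":1002}')
$captured = [byte[]]($plain | ForEach-Object { $_ -bxor 0x70 })

# Decoding with the right key yields readable text and a high printable ratio
ConvertFrom-XorPayload -Bytes $captured

# Decoding with a wrong key (0x41 here, chosen arbitrarily) shows how the ratio drops
ConvertFrom-XorPayload -Bytes $captured -Key 0x41
```

Because the key is a single byte, the same check can be run across all 256 candidate keys against an unknown blob; the one producing the highest printable ratio is almost always the right one. On the wire, though, these messages travel inside HTTPS to Cloudflare-fronted hosts, so the decoder is useful for sandbox or endpoint captures taken before encryption, not for passive network monitoring.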
Implications and Recommendations
Users who have downloaded installers from 7zip[.]com should treat their systems as compromised. Security software like Malwarebytes can detect and remove known variants of this threat. However, in high-risk scenarios, some users may opt for a complete operating system reinstallation to ensure the system’s integrity.
To prevent such infections, users are advised to:
– Download Software from Official Sources: Always obtain software from the developer’s official website or trusted platforms.
– Verify Digital Signatures: Check the authenticity of software by verifying its digital signature and certificate details.
– Maintain Updated Security Software: Keep antivirus and anti-malware programs up to date to detect and block emerging threats.
– Be Cautious with Search Results: Cybercriminals often use search engine manipulation to promote malicious sites. Exercise caution and verify URLs before downloading software.
By adhering to these practices, users can significantly reduce the risk of falling victim to such deceptive campaigns.