A fraudulent campaign that uses a fake version of the popular 7-Zip file archiving program to covertly turn home computers into residential proxy nodes has surfaced, aimed at unwary users. The malicious operation uses 7zip[.]com, a lookalike domain that closely resembles the authentic 7-zip.org website, to fool users into downloading a compromised installer that appears fully functional while hiding malicious components. A Reddit user's disturbing experience in the r/pcmasterrace community brought the threat to public attention: they had been instructed to download 7-Zip from the phony domain while following a YouTube tutorial for building a new PC.
After installing the software on a freshly assembled desktop and, via USB transfer, on a laptop, the user continued using both systems despite persistent compatibility issues. Almost two weeks passed before Microsoft Defender flagged the infection with a generic trojan detection and exposed the hidden compromise. According to Malwarebytes analysts, the phony installer bundles a fully functional copy of 7-Zip File Manager with three hidden malicious components: Uphero.exe, hero.exe, and hero.dll.
These files are installed in the privileged C:\Windows\SysWOW64\hero\ directory, which ordinary users rarely visit. The installer itself bears an Authenticode signature issued to Jozeal Network Technology Co., Limited, although the certificate has since been revoked.
At first, this digital signature lent the malware a false air of legitimacy, allowing it to avoid immediate detection during installation. Once deployed, the malware establishes deep persistence by registering Uphero.exe and hero.exe as Windows services that start automatically with SYSTEM-level privileges at every boot. To guarantee uninterrupted network communication, it uses netsh commands to modify firewall rules, removing existing safeguards and adding new inbound and outbound exceptions.
The malware also carries out in-depth host profiling, gathering hardware identifiers, memory specifications, CPU information, disk attributes, and network configuration before sending them to external servers such as iplogger[.]org.

Infection Mechanism and Residential Proxy Infrastructure

This malware's primary function is to turn compromised computers into nodes in a residential proxy network.
The hero.exe component retrieves configuration instructions from rotating command-and-control servers using "smshero"-themed domain names such as soc.hero-sms[.]co, neo.herosms[.]co, flux.smshero[.]co, and nova.smshero[.]ai. These domains communicate over encrypted HTTPS channels and are usually fronted by Cloudflare infrastructure, which makes detection considerably harder. Traffic analysis by security researchers showed that the malware obfuscates control messages with a lightweight XOR-encoded protocol using the single-byte key 0x70.
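The following PowerShell helper is an added example for analysts working from a capture; it is not code from the article or from the Malwarebytes analysis. It decodes a message body with the reported key 0x70, checks that the result looks like text (which is how a key is confirmed against a fresh capture), and generalizes by searching all 256 single-byte keys for use when a new sample changes the key. It assumes, which the page does not state, that the key is applied byte-wise to the whole message body; the sample payload is constructed here and is not real C2 traffic.

```powershell
# Added analyst helper, not code from the article or from the Malwarebytes analysis.
# Assumption (not stated on the page): the key is applied byte-wise to the entire message body.

function ConvertFrom-XorBytes {
    # XOR every byte with a single-byte key; XOR is symmetric, so this both encodes and decodes.
    param(
        [Parameter(Mandatory)] [byte[]] $Bytes,
        [byte] $Key = 0x70
    )
    $out = New-Object byte[] $Bytes.Length
    for ($i = 0; $i -lt $Bytes.Length; $i++) {
        $out[$i] = $Bytes[$i] -bxor $Key
    }
    return ,$out   # leading comma keeps the byte[] intact instead of unrolling it
}

function Test-LooksLikeText {
    # Heuristic key check: at least 95% of bytes are printable ASCII or tab/LF/CR.
    param([byte[]] $Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return $false }
    $printable = @($Bytes | Where-Object { ($_ -ge 0x20 -and $_ -le 0x7E) -or $_ -in 0x09, 0x0A, 0x0D }).Count
    return ($printable / $Bytes.Length) -ge 0.95
}

function Find-SingleByteXorKeys {
    # Goes beyond the reported key: returns every single-byte key that yields text-like output,
    # for the case where a new sample changes the key.
    param([byte[]] $Bytes)
    foreach ($k in 0..255) {
        if (Test-LooksLikeText -Bytes (ConvertFrom-XorBytes -Bytes $Bytes -Key ([byte]$k))) { [byte]$k }
    }
}

# Constructed sample (not real C2 traffic): a hypothetical configuration reply, encoded here with 0x70
# so that the decode step has something to work on.
$plain    = [System.Text.Encoding]::ASCII.GetBytes('{"proxy_port":1002,"upstream":"example.invalid"}')
$captured = ConvertFrom-XorBytes -Bytes $plain -Key 0x70

# Decode with the reported key, then show which keys the brute-force search would have proposed.
$decoded = ConvertFrom-XorBytes -Bytes $captured -Key 0x70
[System.Text.Encoding]::ASCII.GetString($decoded)
'Candidate keys: ' + ((Find-SingleByteXorKeys -Bytes $captured | ForEach-Object { '0x{0:X2}' -f $_ }) -join ', ')
```

The printable-ratio heuristic can pass more than one key on short messages, so treat the search output as candidates and confirm a key by checking that the decoded body parses as the expected format (here, JSON).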
By setting up outbound proxy connections on unusual ports such as 1000 and 1002, it lets third parties route internet traffic through the victim's IP address. This infrastructure is typical of residential proxy services, which monetize access to genuine consumer IP addresses for purposes such as fraud, web scraping, ad abuse, and anonymity laundering.
In addition, the malware resolves names with DNS-over-HTTPS via Google's resolver, which makes it even less visible to conventional network monitoring tools. Any installer downloaded from 7zip[.]com should be regarded as compromised.
Malwarebytes and other security software can identify and remove known variants of this threat. For complete removal in high-risk situations, some users may choose to perform a full operating system reinstall. To protect against such attacks, users should verify software sources by bookmarking official project domains, treat unexpected code-signing identities with skepticism, and monitor systems for unauthorized Windows services or firewall modifications. Network administrators should block known command-and-control domains and proxy endpoints at the network perimeter to cut off communication with the malicious infrastructure.
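The following triage script is an added example, not code from the article or from Malwarebytes, that turns the recommendations above into checks a responder can run on one Windows host: the dropped files and their signer, services whose binary lives in the dropped directory, firewall rules referencing it, TCP connections on the proxy ports, and DNS cache entries for the named domains. The indicator values (directory, file and service names, domains, ports) come from the article; the output format, the use of registrable domains for matching, and the DNS caveat are this script's own choices.

```powershell
# Added triage script, not from the article or from Malwarebytes. Indicator values (directory, file
# and service names, domains, ports) are taken from the write-up; everything else is this script's
# own design. Run in an elevated PowerShell on the host under investigation.

$HeroDir        = 'C:\Windows\SysWOW64\hero'
$SuspectFiles   = @('Uphero.exe', 'hero.exe', 'hero.dll')
$SuspectDomains = @('7zip.com', 'hero-sms.co', 'herosms.co', 'smshero.co', 'smshero.ai', 'iplogger.org')
$SuspectPorts   = @(1000, 1002)
$Findings       = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string] $Category, [string] $Detail) {
    $Findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Dropped files, with their Authenticode status and signer (the article reports a revoked certificate).
foreach ($name in $SuspectFiles) {
    $path = Join-Path $HeroDir $name
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        Add-Finding 'file' "$path present; signature $($sig.Status); signer $($sig.SignerCertificate.Subject)"
    }
}

# 2. Services whose binary path points into the dropped directory. Display names are not trusted:
#    the check is on PathName, and StartMode/StartName show the auto-start, SYSTEM-level persistence.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    if ($_.PathName -like '*\SysWOW64\hero\*') {
        Add-Finding 'service' "$($_.Name): $($_.StartMode), runs as $($_.StartName), $($_.State); $($_.PathName)"
    }
}

# 3. Firewall rules whose application filter references the dropped directory (the netsh exceptions).
Get-NetFirewallApplicationFilter | Where-Object { $_.Program -like '*\SysWOW64\hero\*' } |
    Get-NetFirewallRule | ForEach-Object {
        Add-Finding 'firewall' "$($_.DisplayName): $($_.Direction) $($_.Action), enabled=$($_.Enabled)"
    }

# 4. TCP connections on the proxy ports, with the owning process.
Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object {
    $SuspectPorts -contains $_.LocalPort -or $SuspectPorts -contains $_.RemotePort
} | ForEach-Object {
    $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    Add-Finding 'network' "$($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) $($_.State), pid $($_.OwningProcess) ($proc)"
}

# 5. DNS client cache. The malware resolves over DNS-over-HTTPS, so these names may never reach the
#    local resolver; an empty result here does not clear the host, but a hit is strong evidence.
Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object {
    $entry = $_.Entry
    foreach ($domain in $SuspectDomains) {
        if ($entry -eq $domain -or $entry -like "*.$domain") { Add-Finding 'dns' "$entry -> $($_.Data)" }
    }
}

if ($Findings.Count -eq 0) { 'No indicators of the fake 7-Zip campaign found on this host.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

Because the services run as SYSTEM and the firewall exceptions were added with netsh, a host with findings in categories 2 or 3 should be treated as fully compromised rather than cleaned piecemeal; the article's suggestion of a full operating system reinstall applies.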