Full Report
A fake 7-Zip website is distributing a trojanized installer of the popular archiving tool that turns the user's computer into a residential proxy node. [...]
Analysis Summary
# Incident Report: Fake 7-Zip Installation Leading to Proxy Hijacking
## Executive Summary
A threat actor registered and operated a fraudulent website impersonating the legitimate 7-Zip download page and used it to distribute a trojanized installer. On execution the installer deployed proxyware that turned the victim's machine into a residential proxy node through which third-party traffic is routed. Independent security researchers identified the behavior and disclosed it publicly; victims were primarily lured to the site by links in third-party video tutorials.
## Incident Details
- **Discovery Date:** Early February 2026 (Implied, following researcher analysis)
- **Incident Date:** Campaign active prior to February 10, 2026
- **Affected Organization:** Individual end-users downloading software from the malicious domain.
- **Sector:** General Consumers/End-Users downloading standard utility software.
- **Geography:** Not specified, though end-users globally are targeted.
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to Feb 10, 2026
- **Vector:** Malicious Website Download (lookalike/typosquatted domain)
- **Details:** Threat actors registered the domain `7zip[.]com` (mimicking the legitimate `7-zip.org`) and copied the original site's structure. Users were reportedly directed to this site by instructions in YouTube tutorials. Neither the legitimate domain nor its DNS was tampered with; victims simply visited the lookalike, so this is impersonation rather than pharming.
### Lateral Movement
- **Details:** No lateral movement was reported. The malware's goal is persistence on the infected host so that it can operate as a proxy node.
### Data Exfiltration/Impact
- **Details:** Not a data-theft campaign; the impact is covert use of the host's residential IP address and bandwidth. The system is repurposed as a residential proxy node for external activities such as credential stuffing and phishing. Host characteristics (hardware, memory, CPU, disk, network) are profiled and sent to an external logger.
### Detection & Response
- **Details:** The incident was uncovered as independent security researchers (Luke Acha, s1dhy, Andrew Danis) analyzed suspicious software and exposed the proxy behavior and the association with the fake 7-Zip installer. Malwarebytes subsequently published a detailed analysis.
## Attack Methodology
- **Initial Access:** User execution of a trojanized installer downloaded from a convincing cloned website (`7zip[.]com`). This is not a drive-by download: the victim deliberately downloads and runs the file.
- **Persistence:** Creation of an auto-start Windows service running as `SYSTEM` configured for two malicious executables (`Uphero.exe` and `hero.exe`).
- **Privilege Escalation:** No exploit reported. Installing a service requires administrative rights, which the installer obtains through the normal elevation prompt; the registered service then runs as `SYSTEM`.
- **Defense Evasion:**
* Modifying Windows Firewall rules via `netsh` for outbound connections.
* Utilizing DNS-over-HTTPS (DoH) via Google’s resolver to evade standard DNS monitoring.
* Checking for virtualization platforms (VMware, VirtualBox, etc.) and debuggers to avoid analysis.
- **Credential Access:** Not explicitly detailed, but the resulting proxy network is used for activities like credential stuffing.
- **Discovery:** Profiling the host system using WMI and Windows APIs to gather detailed hardware/system specs.
- **Lateral Movement:** Not the primary function.
- **Collection:** Collecting system configuration data.
- **Exfiltration:** Sending profiled system data to `iplogger[.]org` and establishing command-and-control (C2) communication.
- **Impact:** Conversion of the victim's machine into a residential proxy node for third-party traffic routing.
## Impact Assessment
- **Financial:** Not quantified. Costs fall on victims (bandwidth consumption and degraded IP reputation) and on the organizations attacked through the proxy network.
- **Data Breach:** No direct user data exfiltration confirmed, but sensitive system configuration data was sent externally.
- **Operational:** Moderate operational impact on the victim machine due to background service execution and network bandwidth usage/repurposing.
- **Reputational:** Potential reputational damage to the legitimate 7-Zip project due to association with the malicious activity.
## Indicators of Compromise
- **Network Indicators (Defanged):**
* C2 communication utilizing rotating domains themed around `hero` or `smshero`.
* Outbound proxy connections on non-standard ports (e.g., 1000, 1002).
* Use of TLS-encrypted HTTPS traffic routed through Cloudflare infrastructure.
* Use of DoH pointing to Google's resolver.
* Initial beacon to `iplogger[.]org`.
- **File Indicators:**
* Malicious files placed in: `C:\Windows\SysWOW64\hero\`
* Files: `Uphero.exe`, `hero.exe`, `hero.dll`
* Installer digitally signed with a certificate issued to Jozeal Network Technology Co., Limited (now revoked).
- **Behavioral Indicators:**
* Creation of an auto-start Windows service running under the `SYSTEM` account.
* Modification of firewall rules using `netsh` to permit outbound/inbound connections.
* Execution of proxy service on non-standard ports.
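The behavioral and file indicators above can be turned into a host-telemetry hunt. The block below is an added example for this page, not code from the original report or from Malwarebytes: it runs over constructed, Sysmon-style event dicts (not real telemetry) and reports which indicators each event matches. The field names (`event_type`, `image`, `command_line`, `dest_host`, ...), the exact `netsh` rule syntax in the sample event, and the split between campaign-specific and generic indicators are this example's assumptions.

```python
"""Hunt over host telemetry for the behavioral indicators in the report above.

Added example, not code from the original report. The events at the bottom are
constructed for this example; field names and the fidelity split are assumptions.
"""
import re
from collections import Counter

# Indicators from the report, encoded as regexes/sets for matching.
HERO_DIR = re.compile(r"\\SysWOW64\\hero\\", re.IGNORECASE)
HERO_FILES = {"uphero.exe", "hero.exe", "hero.dll"}
NETSH_FIREWALL = re.compile(r"\bnetsh(\.exe)?\b.*\bfirewall\b.*\badd\b", re.IGNORECASE)
PROXY_PORTS = {1000, 1002}
DOH_ENDPOINTS = {"dns.google", "8.8.8.8", "8.8.4.4"}   # Google's DoH resolver
IPLOGGER = "iplogger.org"
SYSTEM_ACCOUNTS = {"localsystem", "nt authority\\system", "system"}

# Path/file indicators are specific to this campaign. The others also fire on
# benign activity (browsers use DoH, admins add firewall rules), so they only
# contribute to a verdict in combination. This split is an assumption.
HIGH_FIDELITY = {"hero_path", "hero_file"}


def match_event(ev):
    """Return the indicator tags a single event matches (empty list if none)."""
    tags = []
    kind = ev["event_type"]
    if kind == "service_install":
        if HERO_DIR.search(ev["image_path"]):
            tags.append("hero_path")
        if ev["account"].lower() in SYSTEM_ACCOUNTS and ev["start_type"] == "auto":
            tags.append("autostart_system_service")
    elif kind == "process_create":
        if NETSH_FIREWALL.search(ev["command_line"]):
            tags.append("netsh_firewall_rule")
        if HERO_DIR.search(ev["image"]) or HERO_DIR.search(ev["command_line"]):
            tags.append("hero_path")
    elif kind == "file_create":
        if HERO_DIR.search(ev["path"]):
            tags.append("hero_path")
        if ev["path"].rsplit("\\", 1)[-1].lower() in HERO_FILES:
            tags.append("hero_file")
    elif kind == "network_connect":
        host = ev["dest_host"].lower()
        if host in DOH_ENDPOINTS and ev["dest_port"] == 443:
            tags.append("doh_google")
        if host == IPLOGGER or host.endswith("." + IPLOGGER):
            tags.append("iplogger_beacon")
        if ev["dest_port"] in PROXY_PORTS:
            tags.append("proxy_port")
        if "hero" in host:            # "hero"/"smshero"-themed C2 names; low fidelity
            tags.append("hero_domain")
        if HERO_DIR.search(ev["image"]):
            tags.append("hero_path")
    return tags


def hunt(events):
    """Count how many events matched each indicator tag."""
    counts = Counter()
    for ev in events:
        counts.update(match_event(ev))
    return counts


def verdict(counts):
    """'compromised' on any campaign-specific indicator, 'review' when two or
    more generic indicators co-occur, otherwise 'clean'."""
    if any(counts[t] for t in HIGH_FIDELITY):
        return "compromised"
    generic = {t for t in counts if t not in HIGH_FIDELITY and counts[t]}
    return "review" if len(generic) >= 2 else "clean"


HERO = r"C:\Windows\SysWOW64\hero"
SAMPLE_EVENTS = [  # constructed for this example; not real telemetry
    {"event_type": "service_install", "service_name": "hero", "image_path": HERO + r"\Uphero.exe",
     "account": "LocalSystem", "start_type": "auto"},
    {"event_type": "process_create", "image": r"C:\Windows\System32\netsh.exe", "user": r"NT AUTHORITY\SYSTEM",
     "command_line": r'netsh advfirewall firewall add rule name="hero" dir=out action=allow program="' + HERO + r'\hero.exe"'},
    {"event_type": "network_connect", "image": HERO + r"\hero.exe", "dest_host": "dns.google", "dest_port": 443},
    {"event_type": "network_connect", "image": HERO + r"\Uphero.exe", "dest_host": "iplogger.org", "dest_port": 443},
    {"event_type": "network_connect", "image": HERO + r"\hero.exe", "dest_host": "relay.smshero.example", "dest_port": 1002},
    # benign activity: the real 7-Zip file manager and a browser that uses DoH
    {"event_type": "process_create", "image": r"C:\Program Files\7-Zip\7zFM.exe", "user": r"DESKTOP\alice",
     "command_line": r'"C:\Program Files\7-Zip\7zFM.exe"'},
    {"event_type": "network_connect", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "dns.google", "dest_port": 443},
]

if __name__ == "__main__":
    counts = hunt(SAMPLE_EVENTS)
    print(dict(counts), verdict(counts))
```

The browser's DoH connection in the last sample event is deliberately included: on its own it produces no alert, which is why the DoH and `netsh` indicators should be correlated with the process image and the service creation rather than alerted on individually.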
## Response Actions
- **Containment Measures:** Not explicitly detailed, but implied remediation involves stopping the malicious service, deleting associated files, and restoring firewall rules.
- **Eradication Steps:** Identifying and removing the trojanized installer and the three malicious files from the system directory.
- **Recovery Actions:** Restoring modified network configurations (firewall rules) and potentially re-imaging systems confirmed to be compromised.
## Lessons Learned
- **Key Takeaways:** Threat actors are using high-profile legitimate software (here 7-Zip) as a lure, cloning its website convincingly to deploy proxyware, whose effects are far less visible to the victim than those of conventional malware. The use of DoH and Cloudflare-fronted HTTPS complicates traditional network monitoring for rotating-domain C2 traffic.
- **What could have been done better:** Users need heightened awareness regarding following software download links found outside of official, bookmarked sites, especially from third-party tutorials.
## Recommendations
- **Prevention Measures for Similar Incidents:**
1. **Bookmark Verification:** Users should bookmark the official software download domains (e.g., `7-zip.org`) and avoid relying on search engine results or instructional video links for critical software downloads.
2. **Digital Signature Verification:** Verify the signer of an installer, not merely that a signature exists. The trojanized installer carried a valid signature from Jozeal Network Technology Co., Limited (since revoked), whereas legitimate 7-Zip builds are signed by the project author, Igor Pavlov. Security tools should compare signer identity against known legitimate publishers.
3. **Network Monitoring Enhancements:** Monitor for DoH use (TLS to known resolver endpoints such as `dns.google`) from non-browser processes, and for periodic beaconing to the same destination on unusual ports (e.g., 1000, 1002).
4. **Application Control:** Enforce application control policies and alert on the creation of new auto-start services running as `SYSTEM`, particularly when the service binary lives outside standard program directories.
- **Broader Scope:** Note that this campaign targets users of other software too (HolaVPN, TikTok, WhatsApp, Wire VPN), necessitating broad awareness campaigns regarding vendors being impersonated.
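The network-monitoring recommendation above can be prototyped on flow records. The block below is an added example for this page, not code from the report or from any monitoring product: it flags TLS connections to Google's DoH resolver and finds (src, dst, port) tuples whose connection timing is nearly periodic, which is how a proxy node's check-in loop looks even when the payload is TLS and the destination rotates behind Cloudflare. `SAMPLE_FLOWS` is constructed (documentation-range IPs, relative timestamps in seconds), and the flow field names and the thresholds `MIN_CONNECTIONS` and `MAX_JITTER` are assumptions to tune per environment.

```python
"""Flow-level detection of DoH use and periodic beaconing on unusual ports.

Added example, not code from the original report. SAMPLE_FLOWS is constructed;
field names and thresholds are assumptions.
"""
import statistics
from collections import defaultdict

DOH_RESOLVERS = {"dns.google", "8.8.8.8", "8.8.4.4"}  # Google's DoH resolver, as used in the campaign
UNUSUAL_PORTS = {1000, 1002}                            # proxy ports observed in the campaign
MIN_CONNECTIONS = 5   # assumption: fewer connections give no usable interval statistics
MAX_JITTER = 0.15     # assumption: max coefficient of variation of inter-arrival gaps


def doh_flows(flows):
    """Flows that talk TLS to a known DoH resolver (by destination IP or TLS SNI).
    DoH hides the queried names, so the resolver itself is the only observable."""
    return [f for f in flows
            if f["dport"] == 443 and (f["dst"] in DOH_RESOLVERS or f.get("sni") in DOH_RESOLVERS)]


def beacon_candidates(flows, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER):
    """Group flows by (src, dst, dport) and flag tuples whose connection
    inter-arrival times are nearly constant (low coefficient of variation)."""
    by_tuple = defaultdict(list)
    for f in flows:
        by_tuple[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    found = []
    for (src, dst, dport), times in by_tuple.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            found.append({"src": src, "dst": dst, "dport": dport, "count": len(times),
                          "period_s": round(mean, 1), "jitter": round(jitter, 3),
                          "unusual_port": dport in UNUSUAL_PORTS})
    return found


def flow(src, dst, dport, ts, sni=None):
    """Build one flow record; field names are this example's assumption."""
    return {"src": src, "dst": dst, "dport": dport, "ts": ts, "sni": sni}


SAMPLE_FLOWS = (  # constructed for this example
    # infected host checking in roughly every 60 s on a proxy port
    [flow("10.0.0.5", "203.0.113.10", 1002, t) for t in (0, 60, 121, 180, 241, 300, 359, 420)]
    # the same host resolving names over DoH
    + [flow("10.0.0.5", "8.8.8.8", 443, t, sni="dns.google") for t in (10, 70, 131)]
    # an unrelated host browsing at irregular intervals (must not be flagged)
    + [flow("10.0.0.7", "198.51.100.20", 443, t, sni="www.example.com") for t in (0, 5, 90, 95, 400, 402)]
)

if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_FLOWS):
        print("beacon:", hit)
    print("doh flows:", len(doh_flows(SAMPLE_FLOWS)))
```

Periodicity alone is not proof of compromise (update checkers and monitoring agents beacon too), so in practice the output is joined with the destination port, the initiating process from host telemetry, and whether the destination is a freshly registered domain before it becomes an alert.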