Trojanized 7-Zip Installers Hijack Home PCs into Secret Proxy Botnets: What You Need to Know
Trojanized 7-Zip Installers Hijack Home PCs into Secret Proxy Botnets: What You Need to Know
Cybercriminals have launched a sophisticated malware campaign using a fake 7-Zip website at 7zip[.]com to distribute trojanized installers, secretly turning infected home computers into residential proxy nodes for illicit traffic routing and command-and-control operations. First exposed in early February 2026 via a Reddit user’s alarming discovery, this threat exploits trust in the popular open-source archiving tool, affecting users worldwide who mistakenly download from the imposter site instead of the legitimate 7-zip.org.
The Attack: How Trojanized 7-Zip Installers Work
The malicious operation centers on 7zip[.]com, a lookalike domain mimicking the official 7-zip.org site, which served compromised installers from at least January 12-22, 2026, before wider detection. These installers appear legitimate, featuring an Authenticode-signed certificate (now revoked) from Jozeal Network Technology Co., Limited, and deploy a fully functional 7-Zip File Manager to avoid suspicion.
Upon execution, the trojan silently drops additional Golang-compiled payloads including Uphero.exe, hero.exe, and hero.dll into C:\Windows\SysWOW64\hero, requiring elevated privileges for deep system integration. These components establish persistence as Windows services, manipulate firewall rules via netsh commands, and connect to encrypted HTTPS C2 servers for proxy operations.
The malware includes advanced evasion tactics:
- Virtual machine detection for VMware, VirtualBox, QEMU, and Parallels.
- Anti-debugging checks, runtime API resolution, and process enumeration.
- Cryptographic support like AES, RC4, Camellia, and XOR for traffic protection.
This campaign links to a broader proxyware network, with related binaries named upHola.exe, upTiktok, upWhatsapp, and upWire, all sharing identical TTPs for residential botnet expansion. The infection often spreads via misleading YouTube tutorials or USB transfers, as seen in the Reddit incident where Microsoft Defender later flagged a Trojan:Win32/Malgent!MSR.
The Impact: Who Gets Hit and Why It Matters
Primarily targeting home users, developers, and enterprises seeking quick 7-Zip downloads from unverified mirrors, the malware transforms victims’ PCs into unwitting proxy nodes, routing cybercriminals’ traffic through residential IPs to evade detection. This compromises personal privacy, enables scams, DDoS attacks, or access to restricted enterprise VPNs, and risks legal repercussions for owners whose IPs appear in malicious activities.
Infected systems face long-term unauthorized use, with stealthy persistence allowing operators to harvest bandwidth indefinitely. Enterprises are particularly vulnerable if staff download from fake sites, potentially exposing internal networks to C2 communications and proxy abuse. Malwarebytes warns that any system running 7zip[.]com installers is compromised, amplifying risks in a campaign active for months.
Mitigation: Steps to Protect Against 7-Zip Proxy Malware
To stay safe, always download 7-Zip exclusively from the official 7-zip.org and bookmark it to avoid typosquatting traps. Verify code-signing certificates and treat unexpected identities with skepticism.
Key defenses include:
- Scan systems with reputable tools like Microsoft Defender or Malwarebytes for trojan indicators.
- Monitor for unauthorized Windows services, SysWOW64 changes, and netsh firewall rules.
- Block known C2 domains and proxy endpoints at the network perimeter.
- Enable real-time antivirus, avoid USB transfers from untrusted sources, and scrutinize YouTube tutorials.
For enterprises, implement endpoint detection for Go-based binaries and residential proxy behaviors. If infected, isolate the system, remove malicious services, and wipe if necessary.
Conclusion
This 7-Zip trojan campaign underscores the dangers of brand impersonation and domain confusion, turning trusted tools into gateways for proxy botnets. By prioritizing official sources and vigilant monitoring, users and organizations can thwart these stealthy threats, safeguarding systems from covert exploitation in an era of rising malware sophistication.