Hackers Weaponize 7-Zip Downloads to Turn Home PCs Into Proxy Nodes

A fake website impersonating the popular 7-Zip file archiver has been distributing malicious software that secretly converts infected computers into residential proxy nodes.

The counterfeit site has been operating undetected for an extended period, exploiting user trust in what appears to be legitimate software.

The scam begins when users accidentally visit 7zip[.]com instead of the official 7-zip.org website, often due to following online tutorials that incorrectly reference the fake domain.

One victim recently shared their experience on Reddit after downloading what they believed was genuine 7-Zip software for a new PC build.

The malicious installer is convincing, as it is digitally signed with a certificate and actually installs a working version of 7-Zip.

However, it secretly adds three hidden components to the system: Uphero.exe, hero.exe, and hero.dll, which hide in a Windows system folder that most users never access.

What the Malware Does

Once installed, the malware transforms the computer into a residential proxy server, allowing other people to route their internet traffic through the infected computer’s IP address without knowledge or permission.

Cybercriminals value these residential proxies for activities like web scraping, fraud, bypassing geographic restrictions, and hiding their true location.

The software registers itself as a Windows service that starts automatically every time the computer boots, and it also modifies firewall settings to allow its traffic and collects information about the system, including hardware details and network configuration.

All communication with command-and-control servers happens through encrypted channels, making detection more difficult.

The malware is sophisticated in avoiding detection, as it can identify if it’s running in a virtual machine used by security researchers and includes anti-debugging features.

The software uses multiple encryption methods to protect its configuration and communications, including AES, RC4, and custom XOR encoding.

Investigators discovered the malware updates itself independently through a separate channel, allowing attackers to modify its behavior without requiring victims to download anything new.

All variants share identical installation methods, persistence techniques, and network behavior, suggesting a coordinated effort by the same threat actors.

This fake 7-Zip installer appears connected to a broader operation, as security researchers found similar malware disguised as other applications, including VPN software and messaging apps.

Network analysis revealed connections to multiple control servers with names following the “smshero” pattern, all protected by Cloudflare’s infrastructure.

The campaign exploits YouTube tutorials and educational content, where creators inadvertently direct viewers to the wrong domain, transforming trusted learning resources into unintentional malware distribution channels.

Protecting Yourself

If you’ve downloaded 7-Zip from 7zip[.]com, your computer is likely compromised, and security software like Malwarebytes can detect and remove the malware, although some users may prefer reinstalling their operating system for complete peace of mind.

To stay safe, always verify you’re downloading software from official websites, double-check domain names carefully, and be suspicious of unexpected code-signing identities, monitor for unauthorized Windows services, and watch for unexplained firewall rule changes.

Independent security researchers Luke Acha, s1dhy, and Andrew Danis deserve recognition for uncovering this campaign, which revealed the malware’s true purpose as residential proxyware rather than a traditional backdoor.

Additional validation came from RaichuLab and WizSafe Security, demonstrating how collaborative security research helps expose long-running threats.

This incident shows how attackers exploit human trust rather than technical vulnerabilities, bypassing traditional security measures and creating persistent revenue streams through unauthorized proxy services.

Indicators of Compromise (IOCs)

Network Indicators

Domain Notes / Context
soc.hero-sms[.]co Potentially Command & Control (C2) infrastructure
neo.herosms[.]co Associated with the “hero” SMS naming pattern
flux.smshero[.]co Associated with the “hero” SMS naming pattern
nova.smshero[.]ai Associated with the “hero” SMS naming pattern
apex.herosms[.]ai Associated with the “hero” SMS naming pattern
spark.herosms[.]io Associated with the “hero” SMS naming pattern
zest.hero-sms[.]ai Associated with the “hero” SMS naming pattern
prime.herosms[.]vip Associated with the “hero” SMS naming pattern
vivid.smshero[.]vip Associated with the “hero” SMS naming pattern
mint.smshero[.]com Associated with the “hero” SMS naming pattern
pulse.herosms[.]cc Associated with the “hero” SMS naming pattern
glide.smshero[.]cc Associated with the “hero” SMS naming pattern
svc.ha-teams.office[.]com Likely masquerading as legitimate Microsoft Office traffic
iplogger[.]org Common IP tracking service often used for reconnaissance
File Name File Path SHA-256 Hash
Uphero.exe C:\Windows\SysWOW64\hero\Uphero.exe e7291095de78484039fdc82106d191bf41b7469811c4e31b4228227911d25027
hero.exe C:\Windows\SysWOW64\hero\hero.exe b7a7013b951c3cea178ece3363e3dd06626b9b98ee27ebfd7c161d0bbcfbd894
hero.dll C:\Windows\SysWOW64\hero\hero.dll 3544ffefb2a38bf4faf6181aa4374f4c186d3c2a7b9b059244b65dce8d5688d9

Related Articles

Back to top button