7-Zip false downloads: so your PC could become a residential proxy

It has recently launched a suplanting campaign that uses as a hook a malicious installer that appears to be 7-Zip, the famous compression program. Instead of simply including the legitimate application, the downloadable package hides a malicious component whose main objective is not to steal files or to cipher disks, but to convert the victim's PC into a residential proxy node that links foreign traffic through its connection.

The research published by Malharebytes details the operation of the trotted installer: in addition to installing 7-Zip real to avoid raising suspicion, the installer leaves three malicious executables in the system (including files identified as Uphero.exe, hero.exe and hero.dll) inside C:\ Windows\ SysWOW64\ hero\, creates an automatic start-up service that runs with SYSTEM privileges and modifies firewall rules through netsh utility to accept incoming and outgoing connections. This configuration allows attackers to direct traffic through the IP of the infected machine, making the team part of a network of home proxies.

This type of proxyware has legitimate uses in some distributed traffic networks, but in the hands of criminals it serves to hide the source of attacks, evade geographical blockages, mount stuffing credental campaigns, distribute phishing or spread malware. In the case analysed, operators also collect target machine information using WMI and calls to Windows APIs - CPU information, memory, disk and connectivity - and send these data to a remote registration service to catalogue and manage the recruited nodes.

Technical analyses show that the main executable requests configuration from domains with "hero / smshero" patterns that rotate, and that the control communication is encrypted and ostrated with a light XOR scheme. The traffic is directed through the Cloudflare infrastructure and travels over HTTPS, as well as using DNS over HTTPS with the Google resolver, which reduces the visibility of traditional DNS consultations and complicates the detection by defenders that monitor normal resolutions. It also incorporates checks to detect virtualized environments (VMware, VirtualBox, QEMU, Parallels) and debugging, typical behavior to avoid being analyzed in forensic laboratories.

Those who investigated and gave the alarm voice include several independent researchers and DFIR teams: finding the actual purpose of malware is documented by Luke Acha, while the reversal of the XOR protocol and the confirmation of proxy behavior are attributed to technical publications linked from X-profiles such as those of s1dhy and the correlation with a wider campaign was commented by Andrew Danis. In addition, means such as BleepingComputer They corroborated the existence of the fake site that is posted on the official 7-Zip website.

An important detail for the chain of trust: the malicious installer was digitally signed with a certificate that was later revoked, originally issued to Jozeal Network Technology Co., Limited. The presence of a firm does not guarantee automatic safety, but reviewing digital signatures and contrasting them with the official project website is one of the basic checks that can save problems.

The worrying thing is that the campaign is not limited to the 7-Zip supplanting. According to the analysis, attackers use stranded installers posing as other popular applications, such as VPN customers and messaging apps, in order to expand their network of proxy nodes. The recruitment of devices is used as social engineering tactics: links in tutorials and videos on platforms such as YouTube or promoted results in search engines that point to domains that mimic the originals.

To reduce risk, it is appropriate to recover some simple practices: download software always from official pages (for example, the legitimate 7-Zip website is on https: / / www.7-zip.org), save in favorites the trusted portals and distrust links anchored in video descriptions or in ads. If a suspicious installer has already been executed, it is recommended to disconnect the machine from the network, to review the existence of folders and services with the names indicated, to inspect firewall rules and to search for unusual outgoing communications; to obtain compromise indicators and more technical details you can see the Malharebytes publication mentioned above.

If you think your equipment has been compromised, the most secure measure is to isolate it and use professional support: complete removal in many cases involves restoring from a clean backup or reinstalling the operating system, because malicious services that start with SYSTEM and network modifications can leave back doors difficult to eradicate with surface cleaners.

In short, this campaign recalls that the attackers combine social engineering with obfuscation techniques and with a modern command and control infrastructure to convert domestic equipment into exploitable resources. Maintaining up-to-date software, verifying sources and signatures, and using technical information published by researchers and cybersecurity companies - such as the reports linked here - are practical steps to reduce the likelihood of being one more piece in a home proxy network.