The incident surfaced after a PC builder posted on Reddit’s r/pcmasterrace, admitting they downloaded 7-Zip from 7zip[.]com instead of the legitimate project site 7-zip.org.
Following a YouTube tutorial, the user installed the file on a laptop, then moved it via USB to a newly built desktop.
After seeing repeated 32-bit versus 64-bit errors, they abandoned the installer and relied on Windows’ built-in extraction tools.
Nearly two weeks later, Microsoft Defender raised a generic alert (Trojan:Win32/Malgent!MSR), illustrating how a small mistake in software sourcing can lead to long-lived unauthorized system use.
This was not a crude fake download. The operators behind 7zip[.]com delivered a trojanized installer that included a functional copy of 7-Zip File Manager to avoid suspicion, while silently deploying additional malware.
The installer was Authenticode-signed with a certificate issued to Jozeal Network Technology Co., Limited (now revoked), which gave it a superficial level of credibility.
In the background, it dropped Uphero.exe (service manager/update loader), hero.exe (the main Go-compiled proxy payload), and hero.dll (supporting library) into a privileged path: C:\Windows\SysWOW64\hero.
Researchers also observed a separate update channel at update.7zip[.]com/…/Uphero.exe.zip, suggesting the malware can be updated independently of the installer.
Behavioral analysis shows a clear infection chain designed for persistence and reliable network operation. First, the payload installs into SysWOW64, implying elevated privileges and deep OS integration.
Next, it registers Windows services for Uphero.exe and hero.exe to auto-start at boot under SYSTEM privileges.
It then manipulates firewall rules using netsh, removing existing rules and creating new allow rules for inbound and outbound traffic tied to its binaries.
The malware profiles the host via WMI and Windows APIs, collecting hardware and network characteristics, and reports this metadata through endpoints associated with services like iplogger[.]org, indicating device/network reporting as part of proxy enrollment.
The primary goal is residential proxy monetization. Rather than behaving like a classic backdoor, hero.exe pulls configuration from rotating “smshero”/“hero” themed command-and-control domains, then opens outbound proxy connections over non-standard ports such as 1000 and 1002.
Traffic analysis indicates a lightweight XOR-based protocol (key 0x70) used to obscure control messages, alongside encrypted HTTPS transport often fronted by Cloudflare.
This is consistent with commercial-style residential proxy networks where access to real consumer IP addresses is sold for scraping, ad fraud, account abuse, or anonymity laundering.
Researchers note that the 7-Zip impersonation is part of a broader operation that uses shared tooling across multiple fake installers, with related binaries appearing under names such as upHola.exe, upTiktok, upWhatsapp, and upWire.
These variants reuse the same playbook: SysWOW64 deployment, service persistence, firewall manipulation, encrypted C2, and common strings suggesting a unified backend.
The malware also includes evasion features such as VM detection (VMware/VirtualBox/QEMU/Parallels), anti-debug checks, runtime API resolution, environment inspection, and extensive crypto support (AES, RC4, Camellia, XOR, Base64).
It further reduces network visibility by using DNS-over-HTTPS via Google’s resolver. Defenders should treat any system that executed installers from 7zip[.]com as potentially compromised.
Key indicators include the presence of files at C:\Windows\SysWOW64\hero\Uphero.exe, …\hero.exe, and …\hero.dll, Windows services pointing to that directory, firewall rules named “Uphero” or “hero,” and the mutex Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7.
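The following PowerShell hunt script is an added example, not code from the article or from Malwarebytes. It checks a suspect Windows host for the indicators listed above (dropped files, services, firewall rules, the mutex, and running processes from the hero directory); the directory path, file names, rule names and mutex are taken from the article, and the script assumes it is run from an elevated prompt.

```powershell
# Added hunt script (not from the article): looks for the host-level indicators
# of the trojanized 7-Zip installer described above. Run as Administrator.
$heroDir   = Join-Path $env:SystemRoot 'SysWOW64\hero'
$heroFiles = 'Uphero.exe', 'hero.exe', 'hero.dll'
$ruleNames = 'Uphero', 'hero'
$mutexName = 'Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7'
$findings  = @()

# 1. Dropped binaries in the privileged SysWOW64\hero path
foreach ($f in $heroFiles) {
    $p = Join-Path $heroDir $f
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 2. Services whose binary path points into that directory (boot persistence)
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -like '*SysWOW64\hero*' } |
    ForEach-Object {
        $findings += "Service '$($_.Name)' -> $($_.PathName) (start: $($_.StartMode), account: $($_.StartName))"
    }

# 3. Firewall rules using the malware's names or bound to binaries in that directory
Get-NetFirewallRule -ErrorAction SilentlyContinue |
    Where-Object {
        ($ruleNames -contains $_.DisplayName) -or
        (($_ | Get-NetFirewallApplicationFilter).Program -like '*SysWOW64\hero*')
    } |
    ForEach-Object { $findings += "Firewall rule '$($_.DisplayName)' ($($_.Direction)/$($_.Action))" }

# 4. The global mutex the payload holds while running
$mutexHeld = $false
try {
    $m = [System.Threading.Mutex]::OpenExisting($mutexName)
    $mutexHeld = $true; $m.Dispose()
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # not present
} catch [System.UnauthorizedAccessException] {
    $mutexHeld = $true   # exists, but its ACL denies opening it
}
if ($mutexHeld) { $findings += "Mutex held: $mutexName" }

# 5. Live processes executing from the hero directory
Get-Process | Where-Object { $_.Path -like '*SysWOW64\hero*' } |
    ForEach-Object { $findings += "Process $($_.Id): $($_.Path)" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No 7zip[.]com / hero indicators found on this host.' }
```

A hit on any single check is enough to treat the host as compromised and move to isolation and reimaging rather than piecemeal cleanup, since the update channel means the on-disk payload may differ from the samples described.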
According to Malwarebytes, practical prevention steps include bookmarking official software sites, avoiding “download” links from search results or random tutorials, and monitoring for unexpected Windows services and firewall changes.
This campaign shows how attackers can build profitable botnets without exploiting software bugs by exploiting trust, brand recognition, and small errors in where users click.
The post Hackers Weaponize 7-Zip Downloads to Build Home Proxy Botnet appeared first on Cyber Security News.