Malicious 7-Zip Lookalike Sites Secretly Enlist Home Computers Into Proxy Networks

Hackers are using a cleverly disguised fake download site to trick unsuspecting users into installing malware that turns ordinary Windows PCs into residential proxy nodes. This campaign has been active for some time, luring victims by impersonating one of the most trusted and widely used file-compression tools on the internet.

A Simple Mistake, Serious Consequences

The issue came into the spotlight when a PC enthusiast shared their experience on Reddit after a YouTube tutorial directed them to a bogus site called 7zip[.]com. Unbeknownst to them, the official 7-Zip download page is hosted only on 7-zip[.]org, and the similar domain name tricked them into grabbing a malicious installer.

The installer threw errors during installation, so the user abandoned it and fell back to the built-in Windows tools instead. But days later, Microsoft Defender flagged the system with a Trojan detection. This shows how a seemingly minor domain mix-up — especially one amplified by popular videos — can lead to long-lasting system compromise.

Trojan Disguised as Legitimate Software

This is more than just a rogue download hosted somewhere on the internet. The fake 7-Zip installer actually contains trojanized code: it installs a real copy of the 7-Zip File Manager, but it also drops hidden malicious components that are never displayed to the user.

The installer is even digitally signed, giving it a veneer of authenticity — though the certificate used has since been revoked. Alongside the usable 7-Zip app, the malware installs three hidden files deep inside the Windows System folder:

  • Uphero.exe – a system service manager and automatic updater
  • hero.exe – the main malicious proxy module
  • hero.dll – a supporting library file

These files are stored in C:\Windows\SysWOW64\hero\, a location most users don’t look at. The malware also reaches out to its own update server to pull newer versions of its components — independent of the installer itself.

How the Infection Works

Once installed, the malware follows a structured process to take over the host:

  1. Installation and File Deployment: The malicious service files are placed into the SysWOW64 system directory.
  2. Persistence: The malware registers itself as Windows services so it will automatically start on every boot.
  3. Firewall Tampering: It changes Windows firewall rules to make sure its own binaries can communicate without interruption.
  4. System Profiling: It collects hardware, network, and system information and reports it back to its command servers — even using third-party services to log IP and device details.
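As an added example (not code from the article, the Reddit poster, or any vendor tool), the PowerShell triage script below looks for the traces each of the four steps leaves on a host. It assumes the file paths quoted above; because the article does not name the services or firewall rules the malware creates, it matches both by the binary path under SysWOW64\hero, and it should be run from an elevated shell.

```powershell
# Constructed host-triage script (not code from the article or any vendor tool).
# Checks a Windows host for the traces described above: the files dropped under
# SysWOW64\hero, services launched from that directory, firewall rules that
# allow those binaries, live connections from the proxy process, and the
# Authenticode status of the dropped executables. Run from an elevated shell.

$heroDir  = Join-Path $env:SystemRoot 'SysWOW64\hero'
$dropped  = 'Uphero.exe', 'hero.exe', 'hero.dll' | ForEach-Object { Join-Path $heroDir $_ }
$findings = @()

# 1. File deployment: which of the three dropped files exist, and how are they signed?
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) {
        $findings += "file present: $f"
        if ($f -like '*.exe') {
            $sig = Get-AuthenticodeSignature -FilePath $f
            $findings += "  signature: $($sig.Status) / $($sig.SignerCertificate.Subject)"
        }
    }
}

# 2. Persistence: services whose binary path points into the hero directory.
# The article does not name the services, so match on the executable path.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like '*\SysWOW64\hero\*' } |
    ForEach-Object { $findings += "service '$($_.Name)' [$($_.StartMode), $($_.State)] -> $($_.PathName)" }

# 3. Firewall tampering: rules whose application filter references those binaries.
foreach ($rule in Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    $app = $rule | Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue
    if ($app.Program -like '*\SysWOW64\hero\*') {
        $findings += "firewall rule '$($rule.DisplayName)' [$($rule.Direction)/$($rule.Action), enabled=$($rule.Enabled)] -> $($app.Program)"
    }
}

# 4. Proxy activity: TCP connections owned by a running hero.exe or Uphero.exe.
foreach ($p in Get-Process -Name 'hero', 'Uphero' -ErrorAction SilentlyContinue) {
    foreach ($c in Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue) {
        $findings += "process $($p.Name) (pid $($p.Id)) $($c.State) -> $($c.RemoteAddress):$($c.RemotePort)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No traces of the hero proxy components found.'
} else {
    Write-Output 'Possible proxyware traces (review before cleanup):'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A hit on any of the four checks is a reason to collect the listed paths, service names and rules before removing anything, so the cleanup can be confirmed afterwards.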

What the Malware Actually Does

The ultimate function of this malware is not to steal files or ransom your system — but to turn it into part of a residential proxy network. Infected machines act as exit nodes for internet traffic, letting third parties route their data through the victim’s internet connection.

This behavior is typical of proxyware: real IP addresses from regular home PCs are valuable because they blend into normal internet traffic. Such infrastructure can be monetized for web scraping, fraud, anonymity services, or bypassing geolocation restrictions.

A Broader Campaign

Researchers have found similar malicious installers posing as other popular applications — including clones named upHola, upTikTok, and upWhatsApp — all following the same malicious pattern. These fake installers use identical persistence methods and connect to different command-and-control infrastructure to support ongoing proxy services.

Stealth and Network Evasion

The malware is built to avoid detection and analysis:

  • It checks if it’s running in a virtual machine environment (a common sandbox setup) and behaves differently to evade analysis tools.
  • It uses encrypted connections with multiple hard-coded command servers, often hidden behind legitimate cloud services.
  • DNS-over-HTTPS is used to cover its tracks, making network monitoring harder.

What You Can Do

If you’ve ever downloaded software from the fake 7zip[.]com site, assume your system might be compromised and take immediate action. Thankfully, mainstream security tools — including Malwarebytes — can detect and remove the threat, eliminate persistence mechanisms, and restore system configurations.

However, extremely cautious users or those running sensitive environments might choose a full operating system reinstall for absolute certainty.

Practical safety tips:

  • Always download software from official project domains or trusted repositories.
  • Bookmark legitimate software sites to avoid typosquatting.
  • Pay attention to unexpected digital certificates or unknown Windows services.
  • Monitor your system’s firewall rules and network activity for unusual changes.

Why This Matters

This fake 7-Zip campaign is a stark reminder that cybercriminals don’t always rely on zero-day exploits or flashy ransomware. Sometimes trust alone is enough to infect thousands of devices — if users aren’t careful about where they download software.