A trojanized installer delivers the real app while secretly enrolling victims into a covert traffic network.

The Impersonation Trap

Attackers have launched a convincing clone of the legitimate 7-Zip download site. The rogue domain mimics the layout and text of the real project, making it easy for users to trust what they see.

Victims often arrive at the site from tutorials or search results. Once they download the installer, everything appears normal. The archive utility works as expected, which lowers suspicion.

Behind the scenes, the system becomes something very different.

What Researchers Discovered

Analysts at Malwarebytes examined the installer and uncovered a hidden payload. Although the certificate used to sign the file has since been revoked, it previously helped the malware appear legitimate.

The installer drops three components into the Windows system directory:

  • Uphero.exe – service and update manager
  • hero.exe – primary proxy engine
  • hero.dll – supporting library

The malware then creates an auto-start service running with SYSTEM privileges. It also modifies firewall rules to allow inbound and outbound communication.

Your Internet Becomes Their Infrastructure

Instead of stealing files immediately, the malware focuses on monetization through proxyware. The infected computer joins a residential proxy network, allowing third parties to route traffic through the victim’s IP address.

Criminal customers use these networks for:

  • Credential stuffing
  • Phishing campaigns
  • Ad fraud
  • Malware distribution

As a result, abuse may trace back to the victim rather than the real operator.

Command and Control Techniques

Investigators observed the malware retrieving configuration data from rotating domains themed around “smshero.” It then establishes outbound sessions on unusual ports such as 1000 and 1002.

Operators protect communications using TLS and lightweight obfuscation. Additionally, the malware uses DNS-over-HTTPS through Google’s resolver, which reduces visibility for defenders who rely on traditional DNS monitoring.

Built to Evade Analysis

The payload actively searches for virtual machines and debugging environments. It checks for platforms such as VMware and VirtualBox. If it suspects analysis, it alters behavior.

This tactic helps attackers keep the operation stable and profitable.

A Larger Brand Impersonation Campaign

Researchers believe the fake 7-Zip lure represents only part of the infrastructure. The same operation distributes trojanized installers impersonating popular applications like VPN and messaging software.

By rotating brands, attackers widen their reach and continuously find new victims.

Why This Matters to Enterprises

Residential proxy malware rarely triggers immediate alarms. However, it can expose organizations to reputational risk, legal inquiries, and secondary compromise.

If an employee machine participates in malicious routing, investigators may initially see activity coming from a trusted corporate address space.

How Users Can Stay Safe

Security experts recommend downloading software only from official sources. Bookmark trusted vendor domains instead of relying on links from videos or advertisements.

Meanwhile, organizations should monitor unusual outbound connections, unauthorized services, and unexpected firewall modifications.
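One way to turn that advice into a host check, as an added example that is not from the article or from Malwarebytes: a PowerShell hunt that looks for the three dropped file names in the system directory, an auto-start service or an allow firewall rule pointing at them, and established sessions on ports 1000 and 1002. Only the file names, ports and the "smshero" theme come from the article; the service and rule matching logic, and the assumption that the service binary path contains the component name, are my own and should be adapted to your environment.

```powershell
# Added hunt script (not from the article or Malwarebytes). Indicator names and
# ports are taken from the write-up; matching logic is an assumption to adapt.
$Indicators   = @('Uphero.exe', 'hero.exe', 'hero.dll')   # dropped components
$SuspectPorts = @(1000, 1002)                             # unusual outbound ports
$SystemDir    = [Environment]::GetFolderPath('System')    # e.g. C:\Windows\System32
$Findings     = @()

# 1. Dropped files in the Windows system directory (report signature status too,
#    since the certificate used for signing has since been revoked).
foreach ($name in $Indicators) {
    $path = Join-Path $SystemDir $name
    if (Test-Path $path) {
        $sig = Get-AuthenticodeSignature $path
        $Findings += [pscustomobject]@{ Type = 'File'; Detail = "$path (signature: $($sig.Status))" }
    }
}

# 2. Auto-start services whose binary path names one of the components; the
#    article reports the service runs as SYSTEM, so the account is shown as well.
foreach ($svc in Get-CimInstance Win32_Service) {
    $hit = $Indicators | Where-Object { $svc.PathName -like "*$_*" }
    if ($hit -and $svc.StartMode -eq 'Auto') {
        $Findings += [pscustomobject]@{ Type = 'Service'; Detail = "$($svc.Name) as $($svc.StartName): $($svc.PathName)" }
    }
}

# 3. Enabled allow rules (either direction) scoped to one of the components.
foreach ($rule in Get-NetFirewallRule -Enabled True -Action Allow) {
    $program = ($rule | Get-NetFirewallApplicationFilter).Program
    if ($program -and ($Indicators | Where-Object { $program -like "*$_*" })) {
        $Findings += [pscustomobject]@{ Type = 'Firewall'; Detail = "$($rule.DisplayName) [$($rule.Direction)] allows $program" }
    }
}

# 4. Established TCP sessions to the unusual ports, with the owning process.
#    Note: the article says name resolution goes over DNS-over-HTTPS, so do not
#    expect "smshero" lookups in DNS logs; rely on connection and TLS telemetry.
foreach ($conn in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
    if ($SuspectPorts -contains $conn.RemotePort) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $Findings += [pscustomobject]@{ Type = 'Network'; Detail = "$($proc.ProcessName) (PID $($conn.OwningProcess)) -> $($conn.RemoteAddress):$($conn.RemotePort)" }
    }
}

if ($Findings) { $Findings | Format-Table -AutoSize } else { 'No indicators from this write-up found on this host.' }
```

Run it from an elevated PowerShell session on the workstation being checked; a hit in any category is a lead for triage, not proof of infection on its own.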

The Bigger Lesson

Attackers increasingly combine legitimate functionality with hidden abuse. Victims receive the tool they wanted, yet criminals gain infrastructure.

That balance makes detection harder and reinforces why visibility beyond simple malware signatures is essential.