A convincing lookalike of the popular 7-Zip archiver site has been silently turning victims’ machines into residential proxy nodes.

Hacker News is a community-driven platform for sharing and discussing technology news, startups, and programming-related topics. Through user submissions and comments, Hacker News offers insights into emerging technology trends, industry developments, and entrepreneurial ventures. Readers can participate in discussions, share their insights, and stay informed about the latest advancements in technology and innovation.

Hacker News

A fake 7-Zip website (7zip.com) has been distributing trojanized installers that convert infected Windows machines into residential proxy nodes. The malware, signed with a revoked certificate, installs a functional 7-Zip alongside hidden components (Uphero.exe, hero.exe, hero.dll) that establish system-level persistence, manipulate firewall rules, and route third-party traffic through victims' IP addresses for monetization. The campaign exploits trust in YouTube tutorials and software distribution channels, with related variants targeting other popular applications. Security researchers identified the malware as part of a broader proxyware operation using encrypted C2 infrastructure and anti-analysis techniques.

Fake 7-Zip downloads are turning home PCs into proxy nodes

A trojanized installer masquerading as legitimate software

Execution flow: from installer to persistent proxy service

Functional goal: residential proxy monetization

Shared tooling across multiple fake installers

Rotating infrastructure and encrypted transport

Researcher attribution and community analysis