A fake website impersonating the popular 7-Zip file archiver has been distributing malicious software that secretly converts infected computers into residential proxy nodes.
The counterfeit site has been operating undetected for an extended period, exploiting user trust in what appears to be legitimate software.
The scam begins when users accidentally visit 7zip[.]com instead of the official 7-zip.org website. This mistake often happens when following online tutorials that incorrectly reference the fake domain.
One victim recently shared their experience on Reddit after downloading what they believed was genuine 7-Zip software for a new PC build.
The malicious installer looks convincing because it’s digitally signed with a certificate and actually installs a working version of 7-Zip.
However, it secretly adds three hidden components to your system: Uphero.exe, hero.exe, and hero.dll. These files are dropped into a "hero" subfolder under C:\Windows\SysWOW64, a system directory that most users never look in.
What the Malware Does
Once installed, the malware transforms your computer into a residential proxy server. This means other people can route their internet traffic through your IP address without your knowledge or permission.
Cybercriminals value these residential proxies for activities like web scraping, fraud, bypassing geographic restrictions, and hiding their true location.
The software registers itself as a Windows service that starts automatically every time you boot your computer.
It also modifies your firewall settings to allow its traffic and collects information about your system, including hardware details and network configuration.
All communication with command-and-control servers happens through encrypted channels, making detection more difficult.
The malware is sophisticated in avoiding detection. It can identify if it’s running in a virtual machine used by security researchers and includes anti-debugging features.
The software uses multiple encryption methods to protect its configuration and communications, including AES, RC4, and custom XOR encoding.
Investigators discovered the malware updates itself independently through a separate channel, allowing attackers to modify its behavior without requiring victims to download anything new.
This fake 7-Zip installer appears connected to a broader operation. Security researchers found similar malware disguised as other applications, including VPN software and messaging apps.
All variants share identical installation methods, persistence techniques, and network behavior, suggesting a coordinated effort by the same threat actors.
Network analysis revealed connections to multiple control servers with names following "smshero" and "herosms" patterns, all protected by Cloudflare's infrastructure.
The campaign particularly exploits YouTube tutorials and educational content where creators inadvertently direct viewers to the wrong domain. This transforms trusted learning resources into unintentional malware distribution channels.
Protecting Yourself
If you’ve downloaded 7-Zip from 7zip[.]com, your computer is likely compromised. Security software like Malwarebytes can detect and remove the malware, though some users may prefer reinstalling their operating system for complete peace of mind.
To stay safe, always verify you’re downloading software from official websites. Double-check domain names carefully, as attackers often register similar-looking addresses.
Be suspicious of unexpected code-signing identities, monitor for unauthorized Windows services, and watch for unexplained firewall rule changes.
Independent security researchers Luke Acha, s1dhy, and Andrew Danis deserve recognition for uncovering this campaign.
Their detailed analysis revealed the malware’s true purpose as residential proxyware rather than a traditional backdoor.
Additional validation came from RaichuLab and WizSafe Security, demonstrating how collaborative security research helps expose long-running threats.
This incident shows how attackers exploit human trust rather than technical vulnerabilities. By impersonating legitimate software with functional installers, they bypass traditional security measures and create persistent revenue streams through unauthorized proxy services.
Indicators of Compromise (IOCs)
Network Indicators
| Domain | Notes / Context |
|---|---|
| soc.hero-sms[.]co | Potentially Command & Control (C2) infrastructure |
| neo.herosms[.]co | Associated with the "hero" SMS naming pattern |
| flux.smshero[.]co | Associated with the "hero" SMS naming pattern |
| nova.smshero[.]ai | Associated with the "hero" SMS naming pattern |
| apex.herosms[.]ai | Associated with the "hero" SMS naming pattern |
| spark.herosms[.]io | Associated with the "hero" SMS naming pattern |
| zest.hero-sms[.]ai | Associated with the "hero" SMS naming pattern |
| prime.herosms[.]vip | Associated with the "hero" SMS naming pattern |
| vivid.smshero[.]vip | Associated with the "hero" SMS naming pattern |
| mint.smshero[.]com | Associated with the "hero" SMS naming pattern |
| pulse.herosms[.]cc | Associated with the "hero" SMS naming pattern |
| glide.smshero[.]cc | Associated with the "hero" SMS naming pattern |
| svc.ha-teams.office[.]com | Likely masquerading as legitimate Microsoft Office traffic |
| iplogger[.]org | Common IP tracking service often used for reconnaissance |
File Indicators
| File Name | File Path | SHA-256 Hash |
|---|---|---|
| Uphero.exe | C:\Windows\SysWOW64\hero\Uphero.exe | e7291095de78484039fdc82106d191bf41b7469811c4e31b4228227911d25027 |
| hero.exe | C:\Windows\SysWOW64\hero\hero.exe | b7a7013b951c3cea178ece3363e3dd06626b9b98ee27ebfd7c161d0bbcfbd894 |
| hero.dll | C:\Windows\SysWOW64\hero\hero.dll | 3544ffefb2a38bf4faf6181aa4374f4c186d3c2a7b9b059244b65dce8d5688d9 |
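The "Protecting Yourself" advice above (look for the dropped files, an unauthorized service, and unexplained firewall rules) can be turned into a single host check using the IOC tables. The following PowerShell triage script is an added example written for this page; it is not the researchers' tooling and not something the article itself provides. The indicator values come from the tables above; the variable names, the report format, and the decision to treat any file in the hero folder as suspicious even when its hash does not match are this script's own assumptions. Run it from an elevated PowerShell prompt on the machine you suspect.

```powershell
# Added triage script (not from the original article or the researchers' tooling).
# Checks a Windows host for the IOCs listed above: the dropped files and their SHA-256
# hashes, a service whose binary lives under the "hero" folder, firewall rules that
# reference those binaries, and cached DNS lookups matching the C2 naming pattern.
# Variable names and output format are this script's own assumptions.

$heroDir = Join-Path $env:SystemRoot 'SysWOW64\hero'

# SHA-256 values from the IOC table, keyed by file name.
$knownHashes = @{
    'Uphero.exe' = 'e7291095de78484039fdc82106d191bf41b7469811c4e31b4228227911d25027'
    'hero.exe'   = 'b7a7013b951c3cea178ece3363e3dd06626b9b98ee27ebfd7c161d0bbcfbd894'
    'hero.dll'   = '3544ffefb2a38bf4faf6181aa4374f4c186d3c2a7b9b059244b65dce8d5688d9'
}

# Second-level name patterns from the network IOC table (any TLD), plus the
# Office-lookalike host and the iplogger service.
$domainPatterns = @('smshero', 'herosms', 'hero-sms', 'ha-teams.office', 'iplogger')

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Dropped files: presence alone is suspicious; a hash match confirms this sample.
foreach ($name in $knownHashes.Keys) {
    $path = Join-Path $heroDir $name
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        if ($hash -eq $knownHashes[$name]) {
            $findings.Add("FILE  $path matches known-bad SHA-256")
        } else {
            $findings.Add("FILE  $path present, SHA-256 $hash not in IOC list (possible newer variant)")
        }
    }
}

# 2. Persistence: any service whose binary path points into the hero folder.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -like "*$heroDir*" } |
    ForEach-Object {
        $findings.Add("SVC   $($_.Name) [$($_.StartMode)/$($_.State)] -> $($_.PathName)")
    }

# 3. Firewall: rules whose application filter references a binary in the hero folder.
Get-NetFirewallApplicationFilter |
    Where-Object { $_.Program -like "*$heroDir*" } |
    Get-NetFirewallRule |
    ForEach-Object {
        $findings.Add("FW    '$($_.DisplayName)' [$($_.Direction)/$($_.Action)/Enabled=$($_.Enabled)]")
    }

# 4. Network: resolver cache entries matching the smshero/herosms naming pattern.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object {
        $entry = $_.Entry
        $domainPatterns | Where-Object { $entry -like "*$_*" }
    } |
    ForEach-Object { $findings.Add("DNS   $($_.Entry) -> $($_.Data)") }

if ($findings.Count -eq 0) {
    Write-Output 'No 7zip[.]com proxyware indicators found on this host.'
} else {
    Write-Output 'Possible proxyware infection. Indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A hash mismatch on a file that is nonetheless sitting in the hero folder is reported rather than ignored, because the article notes the malware updates itself through a separate channel, so a live infection may carry binaries newer than the three hashes published here. The DNS cache check only catches recent lookups; for a longer window, search proxy or DNS server logs for the same name patterns.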