Trojanized 7-Zip installer distributes proxy malware
Summary
A fake 7-Zip website distributes a malicious installer that turns infected computers into residential proxy nodes. The campaign uses a trojanized version of the 7-Zip tool, which includes legitimate functionality but also installs proxy malware. The malware communicates with command-and-control (C2) servers using obfuscated messages and avoids detection by checking for virtualization and debuggers. The threat actor registered the domain 7zip[.]com, mimicking the legitimate 7-Zip website. The malware modifies firewall rules to allow inbound and outbound connections and collects system information, which is sent to a remote server. The campaign also involves trojanized installers for other popular applications like HolaVPN, TikTok, WhatsApp, and Wire VPN.
Timeline
- 10.02.2026 21:12 · 1 article
  Malicious 7-Zip installer distributes proxy malware
  A fake 7-Zip website distributes a trojanized installer that turns infected computers into residential proxy nodes. The malware modifies firewall rules, profiles the host system, and communicates with C2 servers using obfuscated messages. The campaign also involves trojanized installers for other popular applications.
  Source: Malicious 7-Zip site distributes installer laced with proxy tool — www.bleepingcomputer.com — 10.02.2026 21:12
Information Snippets
- The malicious installer is digitally signed with a revoked certificate originally issued to Jozeal Network Technology Co., Limited.
  First reported: 10.02.2026 21:12 · 1 source, 1 article
  Source: Malicious 7-Zip site distributes installer laced with proxy tool — www.bleepingcomputer.com — 10.02.2026 21:12
- The malware drops three files: Uphero.exe (service manager and update loader), hero.exe (main proxy payload), and hero.dll (support library).
  First reported: 10.02.2026 21:12 · 1 source, 1 article
  Source: Malicious 7-Zip site distributes installer laced with proxy tool — www.bleepingcomputer.com — 10.02.2026 21:12
- The malware creates an auto-start Windows service running as SYSTEM and modifies firewall rules using 'netsh'.
  First reported: 10.02.2026 21:12 · 1 source, 1 article
  Source: Malicious 7-Zip site distributes installer laced with proxy tool — www.bleepingcomputer.com — 10.02.2026 21:12
- The malware profiles the host system using WMI and Windows APIs, sending collected data to 'iplogger[.]org'.
  First reported: 10.02.2026 21:12 · 1 source, 1 article
  Source: Malicious 7-Zip site distributes installer laced with proxy tool — www.bleepingcomputer.com — 10.02.2026 21:12
- The malware uses rotating C2 domains with 'smshero' themes and communicates over TLS-encrypted HTTPS.
  First reported: 10.02.2026 21:12 · 1 source, 1 article
  Source: Malicious 7-Zip site distributes installer laced with proxy tool — www.bleepingcomputer.com — 10.02.2026 21:12
- The campaign also involves trojanized installers for HolaVPN, TikTok, WhatsApp, and Wire VPN.
  First reported: 10.02.2026 21:12 · 1 source, 1 article
  Source: Malicious 7-Zip site distributes installer laced with proxy tool — www.bleepingcomputer.com — 10.02.2026 21:12
- The malware checks for virtualization platforms and debuggers to avoid detection.
  First reported: 10.02.2026 21:12 · 1 source, 1 article
  Source: Malicious 7-Zip site distributes installer laced with proxy tool — www.bleepingcomputer.com — 10.02.2026 21:12
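The snippets above give a defender three concrete things to look for on a Windows host: the dropped file names (Uphero.exe, hero.exe, hero.dll), an auto-start service running as SYSTEM, and firewall rules added with netsh. The following hunt script is an added example written for this page, not code from the article or its source; it assumes only those file names (the page gives no install paths or service/rule names, so matching is by file name) and must be run from an elevated PowerShell session.

```powershell
# Added example: hunt for the artifacts described in the snippets above.
# Assumption: only the reported file names are known; paths are not on the page.
$Indicators = @('Uphero.exe', 'hero.exe', 'hero.dll')

function Find-SuspiciousServices {
    # Auto-start services running as LocalSystem (SYSTEM) whose binary path
    # references one of the reported file names.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ($svc.StartMode -ne 'Auto' -or $svc.StartName -ne 'LocalSystem') { continue }
        $hit = $Indicators | Where-Object { $svc.PathName -and $svc.PathName -match [regex]::Escape($_) }
        if ($hit) {
            [pscustomobject]@{
                Type = 'Service'; Name = $svc.Name; Direction = ''
                Path = $svc.PathName; Indicator = ($hit -join ',')
            }
        }
    }
}

function Find-SuspiciousFirewallRules {
    # Rules created with netsh show up in the same store as Get-NetFirewallRule;
    # the application filter exposes the program path the rule allows.
    foreach ($rule in Get-NetFirewallRule -Enabled True -ErrorAction SilentlyContinue) {
        $app = $rule | Get-NetFirewallApplicationFilter
        $hit = $Indicators | Where-Object { $app.Program -and $app.Program -match [regex]::Escape($_) }
        if ($hit) {
            [pscustomobject]@{
                Type = 'FirewallRule'; Name = $rule.DisplayName; Direction = $rule.Direction
                Path = $app.Program; Indicator = ($hit -join ',')
            }
        }
    }
}

$findings = @(Find-SuspiciousServices) + @(Find-SuspiciousFirewallRules)
if ($findings.Count -eq 0) {
    'No auto-start SYSTEM services or firewall rules reference the reported file names.'
} else {
    $findings | Format-Table Type, Name, Direction, Path, Indicator -AutoSize
}
```

A hit on both checks (a SYSTEM service plus inbound and outbound rules for the same binary) matches the behaviour the snippets describe; a file-name match alone should be confirmed against the binary's signature, since the page reports the installer was signed with a revoked certificate.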