Uphero/hero trojanized 7-Zip installer proxyware activity
Malware Activity
Summary
A trojanized 7-Zip installer is now dropping Uphero/hero payloads that turn Windows hosts into residential proxy nodes, letting attackers route traffic through victim IP addresses. The delivery uses a fake 7-Zip website and appears to be part of a broader operation that also impersonates HolaVPN, TikTok, WhatsApp, and Wire VPN. The malware pulls configuration from rotating smshero C2 domains and uses DNS-over-HTTPS and Cloudflare to make detection harder.
Related Happenings
Google integrates Rust DNS parser into Pixel modem firmware
Security Tool/Service
First: 14.04.2026 13:21
Last: 14.04.2026 13:21
Sources 1
About this happening:
Google is **integrating a Rust-based DNS parser** into **Pixel modem firmware**, reducing memory-safety risk in a **remote cellular attack surface**. The change matters because th...
ModeloRAT DNS-delivered malware staging
Malware Activity
First: 16.02.2026 02:29
Last: 16.02.2026 02:29
Sources 1
About this happening:
**ModeloRAT** is now being delivered through a **DNS-based staging chain**, increasing the chance that malicious traffic blends into ordinary name-resolution activity. In the obse...
Roskomnadzor blocks WhatsApp in Russia
Public Sector Action
First: 13.02.2026 00:57
Last: 13.02.2026 00:57
Sources 1
About this happening:
**Roskomnadzor** is trying to **block WhatsApp** in **Russia**, escalating restrictions on communication platforms and limiting access for users who rely on the service. The move...
Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse
Malware Activity
First: 12.02.2026 16:25
Last: 12.02.2026 16:25
Sources 1
About this happening:
**Atomic MacOS Stealer (AMOS)** is being distributed to **macOS users** through multiple delivery paths, including **fraudulent GitHub repositories**, **SEO poisoning**, **malvert...
ISPsystem VMmanager Windows VM abuse for payload delivery and C2
Malware Activity
First: 05.02.2026 22:57
Last: 05.02.2026 22:57
Sources 1
About this happening:
The abuse of **ISPsystem VMmanager** is letting ransomware operators run **Windows VMs** that deliver payloads and support **C2** infrastructure, reducing visibility and slowing t...
Timeline
- 10.02.2026 21:12 (2 articles)
Fake 7-Zip installer delivers Uphero/hero proxyware
Initial Disclosure: A fake 7-Zip website at 7zip[.]com is distributing a trojanized installer that keeps the 7-Zip program but drops Uphero.exe, hero.exe, and hero.dll, creates a SYSTEM auto-start service, and modifies firewall rules so infected Windows hosts can operate as residential proxy nodes. Malwarebytes analysis links the payload to rotating hero/smshero C2 domains, Cloudflare-backed TLS traffic, DNS-over-HTTPS via Google’s resolver, host profiling, and anti-analysis checks, and notes that the same operation also uses trojanized installers for HolaVPN, TikTok, WhatsApp, and Wire VPN.
Sources:
- Malicious 7-Zip site distributes installer laced with proxy tool — www.bleepingcomputer.com — 10.02.2026 21:12