{"id":212309,"date":"2026-02-10T14:12:00","date_gmt":"2026-02-10T19:12:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/10\/malicious-7-zip-site-distributes-installer-laced-with-proxy-tool\/"},"modified":"2026-02-11T11:05:11","modified_gmt":"2026-02-11T16:05:11","slug":"malicious-7-zip-site-distributes-installer-laced-with-proxy-tool","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/10\/malicious-7-zip-site-distributes-installer-laced-with-proxy-tool\/","title":{"rendered":"Malicious 7-Zip site distributes installer laced with proxy tool"},"content":{"rendered":"

Malicious 7-Zip site distributes installer laced with proxy tool<\/a><\/p>\n

https:\/\/www.bleepingcomputer.com\/news\/security\/malicious-7-zip-site-distributes-installer-laced-with-proxy-tool\/<\/a><\/p>\n

Publish Date: 2026-02-10 14:12:00<\/a><\/p>\n

Source Domain: www.bleepingcomputer.com<\/a><\/p>\n

\n

A fake 7-Zip website is distributing a trojanized installer of the popular archiving tool that turns the user\u2019s computer into a residential proxy node.<\/p>\n

Residential proxy networks use home user devices to route traffic with the goal of evading blocks and performing various malicious activities such as credential stuffing, phishing, and malware distribution.<\/p>\n

The new campaign became better known after a user reported\u00a0that they\u00a0downloaded a malicious installer from a website impersonating the 7-Zip project while following instructions in a YouTube tutorial on building a PC system.\u00a0BleepingComputer can confirm that the malicious website,\u00a07zip[.]com, is still live.<\/p>\n

\"Wiz\"<\/p>\n

The threat actor registered the domain 7zip[.]com (still live at the time of writing) that can easily trick users into thinking they landed on the site of the legitimate tool.<\/p>\n

Furthermore, the attacker copied the text and mimicked the structure of the original 7-Zip website located at\u00a07-zip.org.<\/p>\n

\"MaliciousMalicious website dropping the trojanized 7-Zip<\/strong>
Source: BleepingComputer<\/p>\n

The installer file was analyzed by researchers at cybersecurity company Malwarebytes, who found that it is digitally signed with a now-revoked certificate originally issued to Jozeal Network Technology Co., Limited.<\/p>\n

The malicious copy also contains the 7-Zip program, thus providing the regular functions of the tool. However, the installer\u00a0drops three malicious files:<\/p>\n

    \n
  1. Uphero.exe<\/strong> \u2013 service manager and update loader<\/li>\n
  2. hero.exe<\/strong> \u2013 main proxy payload<\/li>\n
  3. hero.dll<\/strong> \u2013 support library<\/li>\n<\/ol>\n

    These files are placed in the \u2018C:WindowsSysWOW64hero\u2019 directory, and an auto-start Windows service running as SYSTEM is created for the two malicious executables.<\/p>\n

    Additionally, firewall rules are modified using \u2018netsh\u2019 to allow the binaries to establish inbound and outbound connections.<\/p>\n

    Eventually, the host system is profiled with Microsoft’s\u00a0Windows Management Instrumentation\u00a0(WMI) and Windows APIs to determine…<\/p>\n

    Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

    Malicious 7-Zip site distributes installer laced with proxy tool https:\/\/www.bleepingcomputer.com\/news\/security\/malicious-7-zip-site-distributes-installer-laced-with-proxy-tool\/ Publish Date: 2026-02-10 14:12:00 Source…<\/p>\n","protected":false},"author":1,"featured_media":212310,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.bleepstatic.com\/content\/hl-images\/2025\/02\/04\/7-zip-red-bright.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32,25,34],"class_list":["post-212309","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware","tag-phishing","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212309"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=212309"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212309\/revisions"}],"predecessor-version":[{"id":212311,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212309\/revisions\/212311"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/212310"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=212309"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=212309"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=212309"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}