TL;DR
- Malicious Campaign: The fake domain 7zip.com has been distributing trojanized 7-Zip installers that convert victims’ computers into residential proxy nodes.
- Distribution Vector: YouTube tutorials inadvertently directed users to the malicious site instead of the legitimate 7-zip.org domain.
- Technical Sophistication: The malware uses Authenticode signing, DNS-over-HTTPS, VM detection, and encrypted communications to evade security tools.
- Detection Solution: Malwarebytes can fully eradicate known variants and reverse the persistence mechanisms established by the malware.
PC users who downloaded 7-Zip from 7zip.com (now taken down) instead of the legitimate 7-zip.org may have unknowingly installed malware that turns their computers into proxy infrastructure for fraud or abuse.
A Reddit user building a new PC discovered the infection two weeks after following a YouTube tutorial that directed them to the wrong domain. “I’m so sick to my stomach,” the user wrote after Microsoft Defender flagged a generic trojan detection on their system.
The malware operates by delivering a functional copy of 7-Zip while silently deploying proxyware components that enroll infected machines as residential proxy nodes, allowing third parties to route traffic through victims’ IP addresses.
How Security Researchers Uncovered the Campaign
The scope of this threat only became clear through coordinated research efforts. Security researcher Luke Acha provided analysis showing that the Uphero/hero malware functions as residential proxyware and connected this campaign to a broader operation he dubbed upStage Proxy.
Researcher s1dhy expanded on the analysis by reversing and decoding the custom XOR-based communication protocol and validating the proxy behavior through packet captures.
#proxyware installed via fake 7zip installer linked to wirevpn / isharkvpn
iSharkVPN does not permanently connect, but same proxy capabilities enable when connected to “free” VPN https://t.co/lZRd3jcVJS
summarized details can be found here https://t.co/MrRSHNATdP @500mk500 https://t.co/svrkCb5Tc8 pic.twitter.com/XEhSxZ116w
— S1dhy (@s1dhy) January 27, 2026
Fully documenting a campaign of this sophistication required this range of technical expertise. Such collaboration also puts the research community in a position to spot cross-campaign infrastructure patterns that a single-researcher investigation might miss.
How the Malware Works
The malicious installer is Authenticode-signed using a now-revoked certificate issued to Jozeal Network Technology Co., Limited. This digital signature initially allowed the malware to bypass Windows SmartScreen warnings, lending false legitimacy to the trojanized installer. The installer deploys three components silently: Uphero.exe (service manager and update loader), hero.exe (primary proxy payload, Go-compiled), and hero.dll (supporting library).
All malicious components are written to C:\Windows\SysWOW64\hero\, a privileged directory unlikely to be manually inspected by users. Both Uphero.exe and hero.exe are registered as auto-start Windows services running under System privileges, ensuring execution on every boot.
The malware invokes netsh to remove existing firewall rules and create new inbound and outbound allow rules for its binaries, effectively granting itself unrestricted network access while blocking potential interference from security tools.
The persistence architecture creates multiple defensive layers that complicate removal. By combining auto-start services under System privileges with firewall manipulation and privileged directory placement, the malware establishes redundant mechanisms ensuring operation even if individual components are detected.
Proxy Infrastructure and Traffic Routing
Once embedded on the system, the malware shifts from persistence to monetization. The infected host is enrolled as a residential proxy node, allowing third parties to route traffic through the victim’s IP address. This monetization model turns compromised home computers into infrastructure that appears legitimate to web services, as residential IP addresses are less likely to be blocked compared to datacenter IPs.
The combination of residential IP addresses, rotating control domains, and non-standard ports creates a proxy network that operators can sell at premium rates. Residential proxies command higher prices for bypassing anti-fraud systems and rate limits.
The hero.exe component retrieves configuration data from rotating smshero-themed command-and-control domains, then establishes outbound proxy connections on non-standard ports 1000 and 1002. Non-standard ports help the malware evade basic network monitoring that focuses on common proxy ports like 8080 or 3128.
The malware communicates with iplogger.org via a dedicated reporting endpoint, suggesting it collects and reports device or network metadata. Traffic analysis reveals a lightweight XOR-encoded protocol (key 0x70) used to obscure control messages, shielding traffic from casual inspection.
Advanced Evasion Techniques
Beyond the persistence mechanisms, the malware incorporates multiple layers of operational security. An independent update channel was observed at update.7zip.com/version/win-service/1.0.0.2/Uphero.exe.zip, indicating the malware payload can be updated independently. This infrastructure allows operators to modify malware behavior, add features, or respond to detection without requiring victims to download new installers.
The malware uses DNS-over-HTTPS via Google’s resolver, reducing visibility for traditional DNS monitoring. It incorporates virtual machine detection targeting VMware, VirtualBox, QEMU, and Parallels. When executed in these analysis environments, the malware likely alters its behavior or terminates.
Cryptographic support is included in the malware, suggesting encrypted configuration handling and traffic protection. The presence of AES, RC4, Camellia, Chaskey, XOR encoding, and Base64 indicates a sophisticated approach to protecting command-and-control communications. The layered evasion techniques collectively create an environment where traditional detection methods fail at multiple points, allowing the campaign to maintain operational longevity even as individual evasion techniques become documented.
Broader Campaign and Related Variants
The 7-Zip campaign represents just one dimension of a larger operation. Related binaries have been identified under names such as upHola.exe, upTiktok, upWhatsapp, and upWire, all sharing identical tactics, techniques, and procedures. These variants suggest the operators are running a broad, coordinated campaign targeting multiple popular software brands across different categories, exploiting user trust in familiar application names.
As in other cases, YouTube tutorials have been serving as an inadvertent malware distribution vector, with creators incorrectly referencing 7zip.com instead of the legitimate domain. Content creators producing PC building guides, software installation tutorials, and “essential programs” lists often reference 7-Zip as a recommended utility, making these videos high-value targets for exploitation through domain confusion.
The campaign exploits user trust in domain similarity. While 7zip.com appears legitimate to users unfamiliar with the project’s official domain, the actual 7-Zip project operates exclusively from 7-zip.org. This typosquatting technique relies on users not verifying the correct domain before downloading software, particularly when following tutorial instructions that may inadvertently reference the malicious domain.
The existence of multiple brand-impersonating variants demonstrates the operators are systematically exploiting the gap between popular software brands and user domain verification behavior, building a diversified infection portfolio that maintains steady compromise rates even when individual domains are discovered and blocked.
Understanding the Residential Proxy Threat
The technical mechanisms underlying this malware serve a specific economic purpose. Residential proxy networks allow operators to route malicious traffic through home IP addresses that appear legitimate to web services. This infrastructure enables activities like credential stuffing attacks that bypass rate limits, web scraping operations that evade bot detection, and anonymized fraud operations where the true origin of attacks is masked behind victims’ connections.
Victims bear the reputational and legal risks associated with traffic originating from their connections. If an infected machine is used to conduct fraud, access restricted services, or launch attacks, the victim’s IP address appears in logs and could potentially face consequences ranging from account bans to legal inquiries.
Internet service providers may also throttle or suspend service for customers whose connections show suspicious activity patterns, even when the victim is unaware their machine has been compromised.
The economic model behind residential proxy networks involves selling access to compromised machines to third parties who pay for the ability to route traffic through legitimate-looking IP addresses. These services are marketed on underground forums and sometimes operate in legal gray areas as “residential proxy services” without disclosing that the infrastructure consists of compromised consumer devices rather than consenting participants.
Detection and Removal
For users concerned about potential infection, concrete remediation steps are available. Malwarebytes says its software is capable of fully eradicating known variants of this threat and reversing its persistence mechanisms. Users concerned about infection should run a full system scan with updated security software that can detect the Uphero/hero malware family.
System administrators monitoring network traffic should watch for suspicious outbound connections to smshero-themed domains and traffic on non-standard ports 1000 and 1002. The presence of unexpected Windows services with names like Uphero or hero, particularly those running under System privileges and installed in the SysWOW64\hero\ directory, warrants immediate security investigation.
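The following read-only triage script, added here as an example and not part of Malwarebytes’ or the researchers’ tooling, checks a Windows host for the persistence artifacts described earlier (the SysWOW64\hero directory, the Uphero/hero services, the netsh firewall rules) and for the network indicators listed above. The service names, rule matching and port list are assumptions drawn from the component names and ports reported in the article; run it from an elevated PowerShell session.

```powershell
# Added triage example: reports the host and network indicators described in the
# article without changing anything. Run from an elevated PowerShell session.
$heroDir  = 'C:\Windows\SysWOW64\hero'
$svcNames = @('Uphero', 'hero')   # assumed service names, taken from the binary names
$badPorts = @(1000, 1002)         # non-standard proxy ports reported in the article
$findings = @()

# 1. Dropped components in the privileged directory, plus their Authenticode status
#    (the signing certificate is reported as revoked, so expect a non-Valid status).
if (Test-Path -LiteralPath $heroDir) {
    $findings += "Directory present: $heroDir"
    Get-ChildItem -LiteralPath $heroDir -Force -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $findings += ("  {0}  signature={1}  signer={2}" -f $_.Name, $sig.Status,
                      $sig.SignerCertificate.Subject)
    }
}

# 2. Auto-start services named after the components or pointing into the directory.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -in $svcNames -or $_.PathName -like "*$heroDir*" } |
    ForEach-Object {
        $findings += ("Service {0}: state={1} start={2} account={3} path={4}" -f
                      $_.Name, $_.State, $_.StartMode, $_.StartName, $_.PathName)
    }

# 3. Firewall allow rules whose program filter points at the hero binaries
#    (the article reports these are created with netsh).
Get-NetFirewallApplicationFilter -All |
    Where-Object { $_.Program -like '*\SysWOW64\hero\*' } |
    Get-NetFirewallRule |
    ForEach-Object {
        $findings += ("Firewall rule '{0}': {1} {2} enabled={3}" -f
                      $_.DisplayName, $_.Direction, $_.Action, $_.Enabled)
    }

# 4. Live outbound connections on the reported proxy ports, mapped to their process.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -in $badPorts } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings += ("Connection to {0}:{1} from PID {2} ({3})" -f
                      $_.RemoteAddress, $_.RemotePort, $_.OwningProcess, $proc.ProcessName)
    }

# 5. Local DNS cache. Because the malware resolves over DNS-over-HTTPS, absence of
#    entries here proves nothing; a hit is still worth investigating.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like '*smshero*' -or $_.Entry -like '*iplogger.org' } |
    ForEach-Object { $findings += "DNS cache entry: $($_.Entry)" }

if ($findings.Count -eq 0) { 'No Uphero/hero indicators found.' } else { $findings }
```

Any hit from sections 1 to 3 is a strong indicator; sections 4 and 5 depend on the proxy being active at the moment of the check and can be silent on an infected but idle host.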
Users who followed YouTube tutorials for PC building or software installation within recent months should verify whether the content referenced 7zip.com and check their systems accordingly.
The two-week gap between installation and detection in the Reddit user’s case indicates the malware successfully evaded real-time security checks through its Authenticode signature and privileged installation location, allowing infected machines to serve as proxy nodes for extended periods before users become aware of the compromise.