ACCORDING to Malwarebytes, a lookalike domain offering fake downloads of the 7‑Zip archiver has been serving a trojanised installer that silently turns victims' machines into residential proxy nodes. The malware is delivered as a trojanised 7‑Zip File Manager, signed with an Authenticode certificate issued to Jozeal Network Technology Co., Limited (since revoked), which lends it superficial legitimacy.
During installation, three components are dropped to C:\Windows\SysWOW64\hero\: Uphero[.]exe, hero[.]exe and hero[.]dll. The latter two implement the proxy payload and persist as Windows services that start at boot. The installer also establishes an independent update channel, uses netsh to manipulate firewall rules, and collects system details through WMI and other Windows APIs to support the proxy infrastructure.
Command and control uses domains such as iplogger[.]org and a rotating set of smshero domains, with traffic fronted by Cloudflare and carried over encrypted, XOR‑encoded communications. The campaign illustrates how trusted software distribution can be abused to monetise compromised devices, as confirmed by the report and by observations of 7zip[.]com masquerading as the legitimate 7-Zip site.
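A defender-side hunt for the indicators named above (the hero directory and files, service persistence, netsh firewall changes and the C2 domains), added here as an example and not part of the Malwarebytes report; the telemetry records and their field names are constructed, and the "smshero" substring is an assumption standing in for the rotating C2 domains.

```python
import re

# Indicators taken from the report summary; the "smshero" pattern is an assumption.
HERO_DIR = "c:\\windows\\syswow64\\hero\\"
HERO_FILES = {"uphero.exe", "hero.exe", "hero.dll"}
C2_DOMAINS = re.compile(r"(^|\.)iplogger\.org$|smshero", re.IGNORECASE)


def _in_hero_dir(path: str) -> bool:
    """True if a (possibly quoted) path points into the hero drop directory."""
    p = path.strip('"').lower()
    return p.startswith(HERO_DIR) or p.rsplit("\\", 1)[-1] in HERO_FILES


def check_event(ev: dict) -> list[str]:
    """Return the indicator names a single telemetry event matches (empty if clean)."""
    hits = []
    kind = ev.get("event")
    if kind == "file_create" and _in_hero_dir(ev.get("path", "")):
        hits.append("hero_dropper_file")
    if kind == "service_install" and _in_hero_dir(ev.get("image_path", "")):
        hits.append("hero_service_persistence")
    if kind == "process_create":
        img, cmd = ev.get("image", "").lower(), ev.get("cmdline", "").lower()
        # netsh firewall changes that reference the hero binaries
        if img.endswith("netsh.exe") and "firewall" in cmd and HERO_DIR in cmd:
            hits.append("netsh_firewall_rule_for_hero")
    if kind == "dns_query" and C2_DOMAINS.search(ev.get("query", "")):
        hits.append("proxy_c2_domain")
    return hits


def triage(events) -> dict:
    """Group matched indicators by host; flag hosts with >= 2 distinct indicator classes."""
    per_host: dict = {}
    for ev in events:
        for h in check_event(ev):
            per_host.setdefault(ev["host"], set()).add(h)
    return {host: sorted(h) for host, h in per_host.items() if len(h) >= 2}


SAMPLE_EVENTS = [  # constructed telemetry, not real log data
    {"host": "ws01", "event": "file_create", "path": r"C:\Windows\SysWOW64\hero\hero.dll"},
    {"host": "ws01", "event": "service_install", "image_path": r'"C:\Windows\SysWOW64\hero\hero.exe"'},
    {"host": "ws01", "event": "process_create", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name=x dir=in action=allow program="C:\Windows\SysWOW64\hero\hero.exe"'},
    {"host": "ws01", "event": "dns_query", "query": "iplogger.org"},
    {"host": "ws02", "event": "process_create", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall show allprofiles"},
    {"host": "ws02", "event": "dns_query", "query": "www.7-zip.org"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # only ws01 is flagged
```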