securityonline.info 2/11/2026, 9:35:42 AM · via preferred

The 7-Zip Trap: How a 25-Year-Old Domain Was Weaponized to Turn Your PC into a Proxy Bot

Security researchers have traced a campaign that weaponised the domain 7zip[.]com, which was registered as early as 1999, to push poisoned software and turn infected PCs into residential proxy nodes. The phishing site mimics the official interface to lure users into downloading compromised binaries, including UpHero[.]exe, hero[.]exe and hero[.]dll, which are stored in the C:\Windows\SysWOW64\hero\ directory.

The malware establishes an automated Windows service with SYSTEM privileges to persist across reboots, uses netsh to alter firewall rules, and employs WMI and native Windows APIs to conduct system reconnaissance before exfiltrating data to the iplogger[.]org command server. Once activated, the infected host operates as a proxy, allowing third parties to route illicit traffic through the victim’s IP address, a tactic that can hinder detection by standard security tools.
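The indicators in the two paragraphs above (the hero\ directory and its file names, the auto-start SYSTEM service, netsh firewall changes, and lookups of iplogger[.]org and 7zip[.]com) can be turned into straightforward hunting rules over endpoint telemetry. The Python below is an added example and is not code from the article or from the researchers it cites: the key=value event format, the sample events and the rule names are constructed for this example, and only the paths, file names and domains come from the article. It runs offline on the embedded sample.

```python
"""
Hunting rules for the indicators described in the article, applied to
constructed Sysmon-like event lines of the form:
    KIND key=value key="value with spaces" ...
where KIND is PROCESS, SERVICE or DNS. The format and samples are made up
for this example; the indicators themselves are the ones the article names.
"""
import re
from dataclasses import dataclass

# Indicators from the article (de-fanged "[.]" written as a normal dot).
HERO_DIR = "c:\\windows\\syswow64\\hero\\"
HERO_FILES = {"uphero.exe", "hero.exe", "hero.dll"}
BAD_DOMAINS = {"7zip.com", "iplogger.org"}


@dataclass
class Event:
    kind: str          # "process", "service" or "dns"
    fields: dict       # parsed key/value pairs


def parse_event(line: str) -> Event:
    """Parse one constructed event line into an Event."""
    kind, _, rest = line.partition(" ")
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', rest)
    return Event(kind.lower(), {k: v.strip('"') for k, v in pairs})


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def matches(ev: Event) -> list:
    """Return the names of every rule the event triggers (possibly none)."""
    hits = []
    image = ev.fields.get("Image", ev.fields.get("ImagePath", "")).lower()
    parent = ev.fields.get("ParentImage", "").lower()
    cmd = ev.fields.get("CommandLine", "").lower()

    # Rule 1: a dropped binary runs, or is registered, from the hero\ directory.
    if image.startswith(HERO_DIR) or _basename(image) in HERO_FILES:
        hits.append("hero_binary_path")

    # Rule 2: something is spawned by one of the dropped binaries.
    if parent.startswith(HERO_DIR) or _basename(parent) in HERO_FILES:
        hits.append("hero_binary_parent")

    # Rule 3: persistence as an auto-start service whose binary lives in hero\.
    if (ev.kind == "service" and image.startswith(HERO_DIR)
            and ev.fields.get("StartType", "").lower() == "auto"):
        hits.append("hero_autostart_service")

    # Rule 4: netsh touching firewall rules. Administrators use netsh too, so
    # the rule name escalates only when the parent is a dropped binary.
    if ev.kind == "process" and image.endswith("\\netsh.exe") and "firewall" in cmd:
        if parent.startswith(HERO_DIR) or _basename(parent) in HERO_FILES:
            hits.append("netsh_firewall_change_from_hero")
        else:
            hits.append("netsh_firewall_change")

    # Rule 5: DNS lookups of the domains named in the article (or subdomains).
    if ev.kind == "dns":
        q = ev.fields.get("QueryName", "").lower()
        if any(q == d or q.endswith("." + d) for d in BAD_DOMAINS):
            hits.append("ioc_domain_lookup")
    return hits


def scan(lines) -> list:
    """Apply the rules to each line; returns one list of rule names per line."""
    return [matches(parse_event(line)) for line in lines]


# Constructed sample telemetry (not real logs): four events mirroring the
# behaviour the article describes, plus one benign 7-Zip launch as a control.
SAMPLE_EVENTS = [
    'PROCESS Image="C:\\Windows\\SysWOW64\\hero\\hero.exe" '
    'ParentImage="C:\\Users\\u\\Downloads\\UpHero.exe" CommandLine="hero.exe"',
    'SERVICE ImagePath="C:\\Windows\\SysWOW64\\hero\\hero.exe" StartType=auto Account=LocalSystem',
    'PROCESS Image="C:\\Windows\\System32\\netsh.exe" '
    'ParentImage="C:\\Windows\\SysWOW64\\hero\\hero.exe" '
    'CommandLine="netsh advfirewall firewall add rule name=hero dir=in action=allow"',
    'DNS Image="C:\\Windows\\SysWOW64\\hero\\hero.exe" QueryName=iplogger.org',
    'PROCESS Image="C:\\Program Files\\7-Zip\\7zFM.exe" '
    'ParentImage="C:\\Windows\\explorer.exe" CommandLine="7zFM.exe"',
]

if __name__ == "__main__":
    for line, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(hits or "-", "<-", line[:70])
```

Rule 4 is deliberately split in two: netsh firewall changes on their own are routine administration, so a bare hit should be triaged with the parent process and the rule text, while a hit whose parent is one of the dropped binaries is worth an immediate look. Real deployments would feed the rules from Sysmon event IDs 1, 7, 13 and 22 or equivalent EDR telemetry rather than the toy format used here.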

The campaign’s reach extends beyond 7-Zip to impersonations of platforms such as TikTok and WhatsApp, and the global security community has already added the domain to ad-blocking rule sets used by tools like uBlock Origin. According to security researchers, major antivirus definitions have since been updated to intercept these domains and files.

Article by CyberSIXT