Red Hot Cyber
Cybersecurity, Cybercrime News and Vulnerability Analysis

Fake 7-Zip Downloads Turn PCs Into Proxies: How to Spot and Stop It

9 February 2026 17:34

It sounds almost unreal, yet it’s happening: a download most people consider safe can quietly turn into a well-designed trap, exposing a system and transforming it into a proxy node. What makes it worse is that there’s no flashy exploit involved, no dramatic alert popping up. Just a small mistake in a URL, one of those that can happen to anyone.

And yes, everything you’re about to read comes strictly from the original source – no assumptions, no external details slipped in. This is the story of how fake 7-Zip installers have been circulating for quite some time, and how attackers are profiting from them in ways most users would never expect.

The clone website trick

When people download 7-Zip, they usually assume they’re visiting the official site. The problem is that a nearly identical clone exists. The real website is 7-zip.org, while the malicious one uses a very similar domain. That tiny difference is easy to miss, especially when users land there through online guides or tutorial videos.

Some victims noticed strange behavior right away, like installer errors related to 32-bit and 64-bit mismatches. Others simply shrugged and moved on. Days later, Windows Defender finally raised the alarm, flagging a trojan identified as Malgent. That delayed realization – that moment of “wait, something’s off” – is exactly what the attackers rely on.

How the installer infects systems

The malicious installer feels legitimate because it actually installs 7-Zip. At the same time, though, it drops three hidden executables into a system directory that most people never check: Uphero.exe, hero.exe, and hero.dll. These components are configured to run automatically every time the machine boots.

They also modify firewall rules to allow their own traffic and begin collecting system details, including hardware and network configuration. From that point on, the compromised machine effectively becomes a proxy node, relaying traffic on behalf of external users without the owner’s knowledge.

What attackers gain from your PC

Instead of deploying noisy ransomware, this malware turns the infected computer into a shared resource. The attacker can route traffic through the victim’s IP address, which may be used for anonymization, scraping, or other questionable activities. It all happens quietly in the background.

The campaign shows a clear focus on evasion. The malware detects virtual machines and debuggers, uses DNS-over-HTTPS, and obfuscates communications with XOR encoding. The goal is simple: stay invisible for as long as possible.

Part of a broader campaign

This operation goes beyond fake 7-Zip installers. Variants using names like upHola.exe and upWhatsapp follow the same pattern, impersonating popular software to deliver the same proxy infrastructure. It’s clearly not a one-off incident but a coordinated, scalable campaign.

If a system ran an installer from the fake domain, it should be considered compromised. The components install themselves as Windows services with elevated privileges and make firewall changes that do not revert automatically. Updated security software can remove them, but on heavily used systems, some users still opt for a full OS reinstall.

Practical defense measures

The most effective protection remains basic hygiene: always verify the domain before downloading software, don’t blindly trust top search results, and be cautious with links shared in videos or forums. Bookmark official sites, review firewall changes, and pay attention to services you didn’t explicitly approve.
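As an added example (not code from the article or from the Malwarebytes research it cites), the read-only PowerShell triage script below checks a Windows host for the three things the article describes: the dropped file names, services that launch them, and firewall allow rules created for them. It assumes the files live somewhere under the Windows or ProgramData directory and that the service and firewall entries reference those file names, neither of which the article states.

```powershell
# Added triage example (not code from the article or from Malwarebytes' research).
# Read-only: it only reports. Run in an elevated PowerShell session.
# Assumptions (the article does not state them): the dropped files sit somewhere
# under the Windows or ProgramData directories, and the services / firewall rules
# reference those file names in their binary path or Program field.

$Indicators  = @('Uphero.exe', 'hero.exe', 'hero.dll', 'upHola.exe', 'upWhatsapp*')
$SearchRoots = @($env:SystemRoot, $env:ProgramData)   # assumed candidate locations

function Test-Indicator([string]$Text) {
    # True when any indicator name appears in the given path or command line
    foreach ($i in $Indicators) { if ($Text -like "*$i*") { return $true } }
    return $false
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. Files on disk matching the names the article reports
foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Recurse -File -Include $Indicators -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add([pscustomobject]@{ Type = 'File'; Detail = $_.FullName }) }
}

# 2. Services whose binary path points at one of those names
#    (the article says the components install themselves as Windows services)
Get-CimInstance Win32_Service | Where-Object { Test-Indicator $_.PathName } | ForEach-Object {
    $findings.Add([pscustomobject]@{ Type = 'Service'; Detail = "$($_.Name) [$($_.StartMode)]: $($_.PathName)" })
}

# 3. Enabled allow rules in Windows Firewall whose Program is one of those names
#    (the article says the firewall changes do not revert on their own)
Get-NetFirewallRule -Enabled True -Action Allow -ErrorAction SilentlyContinue | ForEach-Object {
    $rule = $_
    $prog = ($rule | Get-NetFirewallApplicationFilter).Program
    if ($prog -and (Test-Indicator $prog)) {
        $findings.Add([pscustomobject]@{ Type = 'FirewallRule'; Detail = "$($rule.DisplayName): $prog" })
    }
}

if ($findings.Count -eq 0) {
    'No file, service or firewall indicators from the article were found.'
} else {
    $findings | Format-Table -AutoSize
    Write-Warning 'Indicators present: treat the host as compromised and remediate before trusting it.'
}
```

A clean result only means these particular names were not found; the article notes that updated security software is what actually removes the components.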

In the end, this campaign proves a simple truth: attackers don’t need zero-day exploits to compromise thousands of machines. Exploiting trust – and a single mistyped URL – is often more than enough.

Toward the end of this investigation, one thing becomes clear: the role of threat researchers is critical. Independent analysts uncovered that this was not just a backdoor, but a monetized proxy operation. Without that work, many infections would still be flying under the radar.

For a deeper technical breakdown, the research conducted by Malwarebytes details the entire campaign and its mechanics in full.

The Red Hot Cyber Editorial Team provides daily updates on bugs, data breaches, and global threats. Every piece of content is validated by our community of experts, including Pietro Melillo, Massimiliano Brolli, Sandro Sana, Olivia Terragni, and Stefano Gazzella. Through synergy with our industry-leading partners—such as Accenture, CrowdStrike, Trend Micro, and Fortinet—we transform technical complexity into collective awareness. We ensure information accuracy by analyzing primary sources and maintaining a rigorous technical peer-review process.