Security researchers have recently disclosed a campaign in which attackers gained control of the domain 7zip[.]com and used it to distribute malware. It bears repeating that the open-source compression utility 7-Zip is hosted only at https://7-zip.org/ and uses no other domain.
Although 7zip[.]com was first registered as early as 1999, it has been repurposed as a distribution point for "poisoned" software. How the attackers came to control it, whether by a direct purchase or by a hijacking, remains unclear. The phishing site closely replicates the official interface to entice users into downloading compromised binaries. Trusting the domain's apparent legitimacy, many unsuspecting users ran the installer, which deploys the following malicious components:
- UpHero.exe: A service orchestrator and update loader.
- hero.exe: The primary agent payload.
- hero.dll: A foundational support library.
These files are placed in the C:\Windows\SysWOW64\hero\ directory. The infection chain registers an automatic Windows service running with SYSTEM privileges, so the malware persists and starts on every boot. The malware also uses the netsh utility to modify the firewall configuration, allowing unrestricted inbound and outbound connectivity. Once the environment is prepared, it uses WMI and native Windows APIs to perform broad system reconnaissance, collecting hardware specifications, memory capacity and network characteristics, which it exfiltrates to the iplogger[.]org command server.
This threat is particularly elusive: unlike traditional malware, these binaries function as residential proxy software. By turning the infected host into a proxy node, the attackers let third parties route illicit traffic through the victim's own IP address, so conventional security suites may struggle to flag the activity as abnormal. However, following public exposure by security firms, major antivirus definitions have been updated to block these domains and files.
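The persistence, firewall and callback details above give a defender concrete things to check on a suspect host. The following PowerShell triage script is an added example, not code from the original report; it assumes only the directory, file names and callback domain stated above, and should be run from an elevated prompt:

```powershell
# Added host-triage script (not from the original article). Indicators are the
# ones named in the write-up: the hero\ directory, its three files and the
# iplogger[.]org callback. Output is a list of findings, empty when clean.
$HeroDir   = Join-Path $env:SystemRoot 'SysWOW64\hero'
$HeroFiles = @('UpHero.exe', 'hero.exe', 'hero.dll')
$Callback  = 'iplogger.org'

function Find-HeroProxyIndicators {
    $findings = @()

    # 1. Dropped files on disk; record a hash so the sample can be compared later
    foreach ($name in $HeroFiles) {
        $path = Join-Path $HeroDir $name
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Type = 'File'; Detail = $path; Extra = $hash }
        }
    }

    # 2. Services whose binary lives in hero\; StartName 'LocalSystem' means SYSTEM
    $svcs = Get-CimInstance Win32_Service | Where-Object { $_.PathName -like "*$HeroDir*" }
    foreach ($svc in $svcs) {
        $findings += [pscustomobject]@{
            Type   = 'Service'
            Detail = "$($svc.Name) (start=$($svc.StartMode), runs as $($svc.StartName))"
            Extra  = $svc.PathName }
    }

    # 3. Firewall rules for the hero\ binaries (rules added via netsh show up here too)
    $rules = Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -like '*\SysWOW64\hero\*' } |
        Get-NetFirewallRule
    foreach ($rule in $rules) {
        $findings += [pscustomobject]@{
            Type   = 'FirewallRule'
            Detail = "$($rule.DisplayName) [$($rule.Direction)/$($rule.Action)]"
            Extra  = "Enabled=$($rule.Enabled)" }
    }

    # 4. Recent resolution of the reporting domain in the DNS client cache
    $dns = Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$Callback*" }
    foreach ($entry in $dns) {
        $findings += [pscustomobject]@{ Type = 'DnsCache'; Detail = $entry.Entry; Extra = $entry.Data }
    }
    return $findings
}

$results = Find-HeroProxyIndicators
if (-not $results) { Write-Output "No hero\ proxy indicators found on $env:COMPUTERNAME" }
else { $results | Format-Table -AutoSize }
```

A hit on the service or firewall checks is the strongest signal, since those reflect the persistence and netsh changes the report describes; an empty DNS cache result alone does not clear a host, because the cache is short-lived.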
Investigation reveals that the scope of this campaign transcends 7-Zip, with similar impersonations targeting ubiquitous platforms like TikTok and WhatsApp. The adversaries aim to rapidly colonize a vast array of devices to cultivate an extensive IP proxy pool. The global security community has already integrated this malicious domain into prominent ad-blocking repositories, such as the rulesets utilized by uBlock Origin, to preemptively shield users from access.