
Fake 7-Zip downloads are turning home PCs into proxy nodes

Severity: Medium
Published: Thu Feb 12 2026 (02/12/2026, 09:29:41 UTC)
Source: AlienVault OTX General

Description

A convincing lookalike of the popular 7-Zip archiver site has been serving a trojanized installer that silently converts victims' machines into residential proxy nodes. The fake site, 7zip[.]com, distributes a functional copy of 7-Zip alongside concealed malware. The malware deploys three components: Uphero.exe (service manager), hero.exe (proxy payload), and hero.dll (supporting library). It establishes persistence through Windows services, manipulates firewall rules, and profiles the host system. The primary function is to enroll infected hosts as residential proxy nodes, allowing third parties to route traffic through victims' IP addresses. This campaign appears to be part of a broader operation with similar tactics used for other fake installers. The malware incorporates multiple evasion techniques and uses encrypted communications.

AI-Powered Analysis

Last updated: 02/12/2026, 09:48:47 UTC

Technical Analysis

This threat is a malicious campaign that uses a lookalike domain, 7zip[.]com, to impersonate the legitimate 7-Zip archiver site and distribute a trojanized installer. The installer delivers a functional copy of 7-Zip bundled with concealed malware made up of three components: Uphero.exe, a service manager that maintains persistence; hero.exe, the proxy payload that turns the infected machine into a residential proxy node; and hero.dll, a supporting library. On execution the malware registers Windows services for persistence, manipulates firewall rules so that the proxy traffic is allowed through, and profiles the host; the source does not say which host attributes are collected, and plausible uses are tuning proxy operation and sandbox evasion. Infected machines join a proxy network through which third parties route their own traffic, which lets them hide spam, fraud or geo-restriction bypass behind the victim's residential IP address. Command and control traffic is encrypted, and the malware masquerades as legitimate software components and alters system configuration to evade detection. The same tactics are used with other fake software installers, which points to a scalable operation rather than a one-off. The indicators below comprise nine file hashes (MD5, SHA-1 and SHA-256, judged by digest length) and twelve domains that follow a herosms/smshero naming pattern across several TLDs; the pulse does not state which domain plays which role. No software vulnerability is exploited: initial access depends entirely on the user downloading and running the installer, so the campaign primarily affects Windows home PCs but reaches organizational endpoints wherever users fetch software from unofficial sources.
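The host-side artifacts described above (a new service whose binary is Uphero.exe or hero.exe, a firewall rule added for those binaries, hero.dll loaded into a process) map onto three standard Windows event sources: System log event 7045 (service installed), the Windows Firewall With Advanced Security log event 2004 (rule added) and Sysmon event 7 (image loaded). The following is an added example, not code from the Malwarebytes write-up or the OTX pulse, of running those three checks over exported events. Only the three file names come from the page; the event shape, the service names, the install paths and the sample records are constructed for illustration.

```python
"""Hunt for the host artifacts described above in exported Windows events.

Added example; not code from the Malwarebytes write-up or the OTX pulse.
Assumptions: events arrive as flat dicts in the shape of SAMPLE_EVENTS (a
SIEM-style flattening of the System, Firewall and Sysmon logs); only the
three file names come from the page. Service names, paths and the sample
records themselves are constructed for illustration."""
import ntpath
from typing import Iterable

# The page names these three files; it gives no service names or paths, so
# matching is on the image basename rather than on the service name.
SUSPECT_IMAGES = {"uphero.exe", "hero.exe", "hero.dll"}

SCM = "Service Control Manager"                                     # System log
WFAS = "Microsoft-Windows-Windows Firewall With Advanced Security"  # Firewall log
SYSMON = "Microsoft-Windows-Sysmon"


def image_from_command(cmd: str) -> str:
    """Lower-case basename of the executable in a service ImagePath value,
    which may be quoted and may carry arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        i = cmd.lower().find(".exe")
        exe = cmd[: i + 4] if i >= 0 else (cmd.split()[0] if cmd else "")
    return ntpath.basename(exe).lower()


def hunt(events: Iterable[dict]) -> list[dict]:
    """Return one hit per event that touches a suspect image."""
    hits: list[dict] = []
    for ev in events:
        prov, eid = ev.get("provider"), ev.get("event_id")
        if prov == SCM and eid == 7045:
            # 7045: a service was installed (persistence via Uphero.exe / hero.exe).
            img = image_from_command(ev.get("ImagePath", ""))
            if img in SUSPECT_IMAGES:
                hits.append({"rule": "service-install", "image": img,
                             "service": ev.get("ServiceName")})
        elif prov == WFAS and eid == 2004:
            # 2004: a firewall rule was added; ApplicationPath is the scoped program.
            img = ntpath.basename(ev.get("ApplicationPath", "")).lower()
            if img in SUSPECT_IMAGES:
                hits.append({"rule": "firewall-rule-added", "image": img,
                             "rule_name": ev.get("RuleName")})
        elif prov == SYSMON and eid == 7:
            # Sysmon 7: image loaded; catches hero.dll regardless of the host process.
            img = ntpath.basename(ev.get("ImageLoaded", "")).lower()
            if img in SUSPECT_IMAGES:
                hits.append({"rule": "dll-load", "image": img,
                             "process": ntpath.basename(ev.get("Image", "")).lower()})
    return hits


# Constructed records: the malicious ones use paths and service names invented here.
SAMPLE_EVENTS = [
    {"provider": SCM, "event_id": 7045, "ServiceName": "7-Zip Update Service",
     "ImagePath": r'"C:\ProgramData\Uphero\Uphero.exe" --service'},
    {"provider": SCM, "event_id": 7045, "ServiceName": "Sysmon64",
     "ImagePath": r"C:\Windows\Sysmon64.exe"},
    {"provider": WFAS, "event_id": 2004, "RuleName": "hero",
     "ApplicationPath": r"C:\ProgramData\Uphero\hero.exe"},
    {"provider": SYSMON, "event_id": 7, "Image": r"C:\ProgramData\Uphero\hero.exe",
     "ImageLoaded": r"C:\ProgramData\Uphero\hero.dll"},
    {"provider": SYSMON, "event_id": 7, "Image": r"C:\Program Files\7-Zip\7zFM.exe",
     "ImageLoaded": r"C:\Program Files\7-Zip\7z.dll"},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(h)
```

Matching on the image basename rather than the service name is deliberate: the pulse gives no service names, and an attacker can rename a service freely, whereas the three file names are the indicators the page actually provides. A real deployment would key the same logic on the SIEM's field names for these events.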

Potential Impact

For European organizations the impact is mostly indirect but real. Infected home PCs and organizational endpoints are co-opted into a residential proxy network that threat actors use to anonymize their own activity, which complicates attribution and incident response and can damage an organization's reputation if its IP addresses show up in spam, fraud or abuse reports. The proxy payload consumes the victim's bandwidth and keeps long-lived outbound connections open, which can degrade network performance and availability. Its presence also signals weak endpoint hygiene, raising the likelihood of further compromise. Encrypted communications and masquerading as a legitimate application make detection harder and lengthen dwell time. Organizations with remote or hybrid workforces are especially exposed where employees install software from unofficial sources on devices that later reach corporate resources. Finally, the unauthorized use of victims' IP addresses and the host profiling the malware performs raise privacy and data-leakage concerns.

Mitigation Recommendations

European organizations should implement layered defenses centered on endpoint security and user education. Enforce software installation policies that restrict downloads to verified vendor sites, prefer digitally signed installers, and compare the downloaded file's hash against the vendor's published value where one is provided; a lookalike site can serve a fully working binary, as this campaign shows, so a functional install is not evidence of authenticity. Deploy EDR that alerts on service creation (System log event 7045) and Windows Firewall rule additions (the Firewall operational log, and changes under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules) that reference Uphero.exe or hero.exe, and on sustained outbound connections from hero.exe. Monitor DNS and egress for the domains listed below, and for endpoints that suddenly carry high volumes of long-lived sessions, which is how a proxy node looks from the network side. Use DNS filtering to block the lookalike 7zip[.]com and the listed domains; the legitimate download site is 7-zip.org. Run regular user awareness training on the risks of unofficial download sites and of sponsored search results that point to them. Apply application allow-listing so unapproved executables cannot run, and audit service and firewall configurations periodically for unauthorized entries. For home users, publish guidance on verifying software authenticity and using official vendor sites. Network segmentation limits what an infected endpoint can reach. Finally, keep threat intelligence feeds current so that new indicators tied to this campaign and its sibling fake installers are picked up promptly.
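Two of the checks above, matching DNS queries against the listed domains and comparing file hashes against the listed digests, are shown here as an added example that is not part of the original write-up. The indicator values are copied from this page (7zip[.]com from the description, the twelve domains and nine hashes from the IOC section); the query-log lines and the file bytes are constructed. The optional `broad` mode, which also flags any name under the registered parents of the listed FQDNs (herosms.ai, smshero.com and so on), goes beyond what the pulse asserts and is my assumption for a wider hunt, not something the page states.

```python
"""Match DNS query logs and file digests against this page's indicators.

Added example, not part of the Malwarebytes write-up or the OTX pulse.
Indicator values are copied from the page; the log lines and sample bytes
are constructed. The `broad` matching mode is an assumption (see lead-in)."""
import hashlib
import re
from typing import Iterable, Optional

# 7zip.com is the lookalike download site named in the description; the
# remainder are the pulse's domain indicators, lower-cased.
IOC_DOMAINS = {
    "7zip.com",
    "apex.herosms.ai", "flux.smshero.co", "glide.smshero.cc", "mint.smshero.com",
    "neo.herosms.co", "nova.smshero.ai", "prime.herosms.vip", "pulse.herosms.cc",
    "soc.hero-sms.co", "spark.herosms.io", "vivid.smshero.vip", "zest.hero-sms.ai",
}
IOC_HASHES = {
    "c4edf28177e72d1bfc482cf4d05a156b", "ddf75cc7e322d75de77b17c8ec887975",
    "e2022cedcea9b5ea81764996732a9880",
    "01ef636f9627a77ae11af9af88dd52106b163422",
    "664e87fe1d01dfe6f03f6027c09fcfa117ffb27e",
    "aeda326c3653f17120bb0d75738c0bd82e7f7f31",
    "3544ffefb2a38bf4faf6181aa4374f4c186d3c2a7b9b059244b65dce8d5688d9",
    "b7a7013b951c3cea178ece3363e3dd06626b9b98ee27ebfd7c161d0bbcfbd894",
    "e7291095de78484039fdc82106d191bf41b7469811c4e31b4228227911d25027",
}
# The pulse does not label the hash algorithms; hex length identifies them.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def hashes_by_algo(values: Iterable[str]) -> dict[str, set[str]]:
    """Group indicator digests by algorithm, rejecting anything that is not hex."""
    out: dict[str, set[str]] = {}
    for v in values:
        v = v.strip().lower()
        algo = ALGO_BY_LEN.get(len(v))
        if algo is None or not re.fullmatch(r"[0-9a-f]+", v):
            raise ValueError(f"not a recognised hex digest: {v!r}")
        out.setdefault(algo, set()).add(v)
    return out


def parent_domains() -> set[str]:
    """Registered parents of the listed FQDNs (e.g. herosms.ai). Hunting on
    these is broader than the listed indicators: an assumption, not page fact."""
    return {d.split(".", 1)[1] for d in IOC_DOMAINS if d.count(".") >= 2}


def domain_hit(qname: str, broad: bool = False) -> Optional[str]:
    """Return the indicator a queried name matches, or None."""
    q = qname.rstrip(".").lower()
    if q in IOC_DOMAINS:
        return q
    if broad:
        for p in parent_domains():
            if q == p or q.endswith("." + p):
                return p
    return None


# Constructed lines in a simplified BIND-style query log format.
SAMPLE_DNS_LOG = """\
12-Feb-2026 09:31:02 client 10.0.0.21#52113: query: www.7-zip.org IN A +
12-Feb-2026 09:31:40 client 10.0.0.21#52114: query: 7zip.com IN A +
12-Feb-2026 09:33:05 client 10.0.0.21#52120: query: apex.herosms.ai. IN A +
12-Feb-2026 09:33:06 client 10.0.0.21#52121: query: relay.smshero.com IN A +
12-Feb-2026 09:34:00 client 10.0.0.44#60001: query: updates.example.org IN AAAA +
"""
LINE_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def scan_dns_log(text: str, broad: bool = False) -> list[tuple[str, str, str]]:
    """Return (client IP, queried name, matched indicator) for each hit."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ind = domain_hit(m["qname"], broad)
        if ind:
            hits.append((m["src"], m["qname"].rstrip("."), ind))
    return hits


def file_hashes(data: bytes) -> dict[str, str]:
    """MD5, SHA-1 and SHA-256 of a file's bytes, keyed like ALGO_BY_LEN values."""
    return {a: getattr(hashlib, a)(data).hexdigest() for a in ("md5", "sha1", "sha256")}


def hash_hit(digests: dict[str, str]) -> Optional[str]:
    """Return the first digest present in the indicator set, else None."""
    known = hashes_by_algo(IOC_HASHES)
    for algo, d in digests.items():
        if d.lower() in known.get(algo, set()):
            return d.lower()
    return None


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG, broad=True):
        print(hit)
    print(hash_hit(file_hashes(b"constructed sample bytes, not the real installer")))
```

Exact matching is the defensible default when blocking: it follows the indicators as published. The broad mode is for hunting, where a query to an unlisted host under the same parent domain is worth a look but should not by itself drive an automated block.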


Technical Details

Author: AlienVault
TLP: WHITE
References: https://www.malwarebytes.com/blog/threat-intel/2026/02/fake-7-zip-downloads-are-turning-home-pcs-into-proxy-nodes
Adversary: none attributed (null)
Pulse ID: 698d9d85f511c437a687cbad
Threat Score: none (null)

Indicators of Compromise

Hash (the pulse gives no per-indicator descriptions; algorithm inferred from digest length)

MD5
c4edf28177e72d1bfc482cf4d05a156b
ddf75cc7e322d75de77b17c8ec887975
e2022cedcea9b5ea81764996732a9880

SHA-1
01ef636f9627a77ae11af9af88dd52106b163422
664e87fe1d01dfe6f03f6027c09fcfa117ffb27e
aeda326c3653f17120bb0d75738c0bd82e7f7f31

SHA-256
3544ffefb2a38bf4faf6181aa4374f4c186d3c2a7b9b059244b65dce8d5688d9
b7a7013b951c3cea178ece3363e3dd06626b9b98ee27ebfd7c161d0bbcfbd894
e7291095de78484039fdc82106d191bf41b7469811c4e31b4228227911d25027

Domain (the pulse gives no per-indicator descriptions)

apex.herosms.ai
flux.smshero.co
glide.smshero.cc
mint.smshero.com
neo.herosms.co
nova.smshero.ai
prime.herosms.vip
pulse.herosms.cc
soc.hero-sms.co
spark.herosms.io
vivid.smshero.vip
zest.hero-sms.ai

Threat ID: 698d9e94c9e1ff5ad8b3631e

Added to database: 2/12/2026, 9:34:12 AM

Last enriched: 2/12/2026, 9:48:47 AM

Last updated: 2/21/2026, 12:21:31 AM

Views: 526
