Fake 7-Zip downloads are turning home PCs into proxy nodes
A lookalike of the 7-Zip download site has been serving a trojanized installer that delivers a working copy of 7-Zip alongside hidden components which enroll the victim's machine as a residential proxy node. The reported techniques include masquerading as legitimate software, code signing, disabling or modifying the Windows firewall, system and network discovery, persistence (Windows services, with registry run keys also tagged), obfuscation, and sandbox or virtualization evasion. This is a malware distribution campaign, not a vulnerability in 7-Zip: there is nothing to patch, and infection requires the user to download and run the installer from the fake site. The fake site and payload URL are listed in the indicators below. The overall severity is assessed as medium based on the described impact.
AI Analysis
Technical Summary
The trojanized installer gives the victim a functional 7-Zip so nothing looks wrong, while dropping three components into %WINDIR%\SysWOW64\hero\: Uphero.exe (service manager), hero.exe (proxy payload) and hero.dll (supporting library). The pulse lists a download URL for Uphero.exe.zip on update.7zip[.]com, the update host of the lookalike domain. Persistence is reported through Windows services (registry run keys are also tagged); the implant manipulates firewall rules so the proxy can accept and relay traffic, profiles the host (system information and network configuration discovery), uses obfuscation and sandbox or virtualization checks, and talks to its infrastructure over encrypted channels. The analysis also tags domain generation algorithms, although the twelve C2 hostnames listed below follow a themed naming scheme rather than random strings: subdomains of hero-sms, herosms and smshero registered across the .ai, .co, .cc, .com, .io and .vip TLDs. Once installed, the host is enrolled as a residential proxy node through which third parties route traffic. Because the vector is a user-run installer from a lookalike site rather than a flaw in 7-Zip, no vendor fix applies; the threat targets Windows and is described by the MITRE ATT&CK techniques for masquerading, code signing, defense evasion, discovery and persistence.
Potential Impact
An enrolled host relays other people's traffic through the victim's residential IP address, and the pulse states that this capacity is made available to third parties rather than used only by the operators. Anything routed through the node, including fraud, scraping, credential stuffing or attacks on other targets, appears to originate from the victim's connection and ISP account, consuming their bandwidth and potentially drawing abuse complaints or investigations toward them. Locally, the implant weakens the host by altering firewall rules and installing a persistent service managed by a separate component, which gives the operators a foothold that could be used to deliver other payloads later. The pulse reports no data theft from infected machines and no evidence of widespread exploitation; the observed objective is proxy capacity, not the victim's data.
Mitigation Recommendations
There is nothing to patch: 7-Zip itself is not vulnerable, and the only copy affected is the one bundled with the fake installer, so prevention is about the download path. Obtain 7-Zip only from the official site, 7-zip.org, never from lookalike domains such as 7zip[.]com, and before running an installer verify its Authenticode signature and compare its hash with a copy you have already vetted rather than trusting the hosting site. Block 7zip[.]com and the hero-sms / herosms / smshero hostnames listed below at the DNS resolver or web proxy; do not block the Cloudflare and 8.8.8.8 addresses in the pulse, which are shared infrastructure and would break unrelated services. On endpoints, alert on service or process creation with an image path under %WINDIR%\SysWOW64\hero\, on new firewall allow rules for binaries in that directory, and on DNS lookups for the listed domains; EDR products that flag unusual Authenticode signers and firewall changes help here. Treat an infected host as compromised: stop and delete the service, remove the hero directory and revert the firewall changes, and given the persistence mechanism and the undocumented capabilities of the proxy payload, prefer reimaging over cleaning. Check the Malwarebytes write-up and the OTX pulse for updated indicators.
Indicators of Compromise
Sources (blog and pulse):
- https://otx.alienvault.com/pulse/698d9d85f511c437a687cbad
- https://www.malwarebytes.com/blog/threat-intel/2026/02/fake-7-zip-downloads-are-turning-home-pcs-into-proxy-nodes

Pulse description: A convincing lookalike of the popular 7-Zip archiver site has been serving a trojanized installer that silently converts victims' machines into residential proxy nodes. The fake site, 7zip[.]com, distributes a functional copy of 7-Zip alongside concealed malware. The malware deploys three components: Uphero.exe (service manager), hero.exe (proxy payload), and hero.dll (supporting library). It establishes persistence through Windows services, manipulates firewall rules, and profiles the host system. The primary function is to enroll infected hosts as residential proxy nodes, allowing third parties to route traffic through victims' IP addresses. This campaign appears to be part of a broader operation with similar tactics used for other fake installers. The malware incorporates multiple evasion techniques and uses encrypted communications.

Dropped files (all three are written to %WINDIR%\SysWOW64\hero\; hash types are identified by length):

| File | Role | Size (bytes) | Timestamp (as reported) | MD5 | SHA-1 | SHA-256 | Imphash | PE hash |
|---|---|---|---|---|---|---|---|---|
| Uphero.exe | service manager | 2382808 | 2026-01-01T10:22:12+00:00 | c4edf28177e72d1bfc482cf4d05a156b | aeda326c3653f17120bb0d75738c0bd82e7f7f31 | e7291095de78484039fdc82106d191bf41b7469811c4e31b4228227911d25027 | 3c9f80f2e71286e71d7f91cdd26c6049 | 8b4f571c395d8fd561ef9ef4647ad09842caa6fb |
| hero.dll | supporting library | 5682336 | 2026-01-01T06:55:15+00:00 | ddf75cc7e322d75de77b17c8ec887975 | 664e87fe1d01dfe6f03f6027c09fcfa117ffb27e | 3544ffefb2a38bf4faf6181aa4374f4c186d3c2a7b9b059244b65dce8d5688d9 | ef2950805cfd017c3b005284a639e584 | 1d08a3b26f90e0624d5b07a15ae79c0c0d9775fe |
| hero.exe | proxy payload | 350168 | 2026-01-01T07:04:25+00:00 | e2022cedcea9b5ea81764996732a9880 | 01ef636f9627a77ae11af9af88dd52106b163422 | b7a7013b951c3cea178ece3363e3dd06626b9b98ee27ebfd7c161d0bbcfbd894 | eb896ed888a5d9e17921ad8ac5f846bd | 723a905b947abc9781f36665287bd69cc606cde2 |

Similarity hashes for Uphero.exe (SHA-256 e7291095de78484039fdc82106d191bf41b7469811c4e31b4228227911d25027):
- TLSH: t1deb5be12bb42c172f592027452fa6b7f883e9934673485c397d01e7989312e36b3e79e
- vhash: 026056655d551561e3z72z8f7z9055z2031z31z5001f4z16c
- ssdeep: 49152:hCV3m+X04yQjatPNBlG1coHqi47Nr9TPcPQJ1ErF/Yys:y3m14yNtPNBlG1coHq77NrN13

Named object (mutex-style name): Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7

Distribution:
- Lookalike site: 7zip.com
- Payload URL: update.7zip.com/version/win-service/1.0.0.2/Uphero.exe.zip

C2 hostnames (one naming family, hero-sms / herosms / smshero, across several TLDs):
- zest.hero-sms.ai
- soc.hero-sms.co
- apex.herosms.ai
- flux.smshero.co
- neo.herosms.co
- glide.smshero.cc
- prime.herosms.vip
- mint.smshero.com
- spark.herosms.io
- nova.smshero.ai
- vivid.smshero.vip
- pulse.herosms.cc

Other domains in the pulse:
- iplogger.org
- svc.ha-teams.office.com

IP addresses in the pulse: 172.67.160.241, 104.21.57.71 and 162.159.36.2 (all in Cloudflare address space) and 8.8.8.8 (Google Public DNS). These are shared infrastructure, not attacker-owned hosts; block the domains above rather than these addresses.

VirusTotal results recorded with the pulse (detections at that time):

| Object | Detections | VirusTotal |
|---|---|---|
| file e7291095de78484039fdc82106d191bf41b7469811c4e31b4228227911d25027 (Uphero.exe) | 43/72 | https://www.virustotal.com/gui/file/e7291095de78484039fdc82106d191bf41b7469811c4e31b4228227911d25027 |
| domain soc.hero-sms.co | 20/93 | https://www.virustotal.com/gui/domain/soc.hero-sms.co |
| domain svc.ha-teams.office.com | 0/93 | https://www.virustotal.com/gui/domain/svc.ha-teams.office.com |
| ip 104.21.57.71 | 0/93 | https://www.virustotal.com/gui/ip_address/104.21.57.71 |
| ip 162.159.36.2 | 0/93 | https://www.virustotal.com/gui/ip_address/162.159.36.2 |
| ip 172.67.160.241 | 0/93 | https://www.virustotal.com/gui/ip_address/172.67.160.241 |
| ip 8.8.8.8 | 0/93 | https://www.virustotal.com/gui/ip_address/8.8.8.8 |
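The mitigation section recommends hunting for the implant rather than waiting for a patch, and the indicator list above gives everything needed to do that on a single host. The script below is an added example written for this page; it is not code from Malwarebytes, the OTX pulse or the OffSeq analysis. It is read-only and checks the host-side artifacts the pulse describes: the drop directory and file hashes (plus each file's Authenticode signer, since the analysis flags code signing), services and processes rooted in that directory, firewall rules that reference it, the Global\ object name (assumed here to be a mutex; the pulse lists it only as text) and DNS client cache entries under the listed domains. The Cloudflare and Google addresses are deliberately not checked. It needs Windows PowerShell 5.1 or later and an elevated session.

```powershell
# Host triage for the fake-7-Zip proxy implant. Added example, not from the page,
# the vendor or the pulse author. Read-only: it reports findings, it does not remediate.
# Assumptions: the Global\<GUID> name in the pulse is a mutex; the SHA-256 values are
# the three samples listed in the pulse. Run elevated on the Windows host being checked.

$IocDir     = Join-Path $env:WINDIR 'SysWOW64\hero'
$IocSha256  = @{
    'e7291095de78484039fdc82106d191bf41b7469811c4e31b4228227911d25027' = 'Uphero.exe (service manager)'
    '3544ffefb2a38bf4faf6181aa4374f4c186d3c2a7b9b059244b65dce8d5688d9' = 'hero.dll (supporting library)'
    'b7a7013b951c3cea178ece3363e3dd06626b9b98ee27ebfd7c161d0bbcfbd894' = 'hero.exe (proxy payload)'
}
$IocMutex   = 'Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7'
# Registrable domains from the pulse; matched as suffixes so any subdomain hits.
$IocDomains = @('7zip.com', 'hero-sms.ai', 'hero-sms.co', 'herosms.ai', 'herosms.co',
                'herosms.cc', 'herosms.io', 'herosms.vip', 'smshero.ai', 'smshero.cc',
                'smshero.co', 'smshero.com', 'smshero.vip')

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Dropped files: hash everything in the drop directory. Hashes catch renamed copies,
#    and anything unlisted in that directory is still worth a look. The Authenticode
#    status and signer show what (if anything) was used to look legitimate.
if (Test-Path -LiteralPath $IocDir) {
    $findings.Add("Drop directory exists: $IocDir")
    foreach ($f in Get-ChildItem -LiteralPath $IocDir -File -ErrorAction SilentlyContinue) {
        $sha    = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
        $sig    = Get-AuthenticodeSignature -LiteralPath $f.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
        $label  = if ($IocSha256.ContainsKey($sha)) { "KNOWN SAMPLE $($IocSha256[$sha])" } else { 'unlisted file' }
        $findings.Add("${label}: $($f.FullName) sha256=$sha sig=$($sig.Status) signer=$signer")
    }
}

# 2. Persistence: any service whose image path points into the drop directory.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -like '*\SysWOW64\hero\*' } |
    ForEach-Object { $findings.Add("Service '$($_.Name)' ($($_.State), start=$($_.StartMode)) -> $($_.PathName)") }

# 3. Execution: live processes whose image lives in the drop directory.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -like "$IocDir\*" } |
    ForEach-Object { $findings.Add("Process $($_.ProcessName) pid=$($_.Id) path=$($_.Path)") }

# 4. Firewall: rules whose application filter references the drop directory
#    (the pulse reports the implant manipulates firewall rules for the proxy).
foreach ($rule in Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    $app = $rule | Get-NetFirewallApplicationFilter
    if ($app.Program -and $app.Program -like '*\SysWOW64\hero\*') {
        $findings.Add("Firewall rule '$($rule.DisplayName)' ($($rule.Direction)/$($rule.Action), enabled=$($rule.Enabled)) -> $($app.Program)")
    }
}

# 5. Mutex: TryOpenExisting succeeds only while some process holds the name.
$m = $null
try {
    if ([System.Threading.Mutex]::TryOpenExisting($IocMutex, [ref]$m)) {
        $findings.Add("Mutex present (implant likely running): $IocMutex")
        $m.Dispose()
    }
} catch [System.UnauthorizedAccessException] {
    $findings.Add("Mutex exists but is not accessible from this session: $IocMutex")
}

# 6. Network: DNS client cache entries under any listed domain. The Cloudflare and
#    8.8.8.8 addresses from the pulse are not checked; they are shared infrastructure.
foreach ($entry in Get-DnsClientCache -ErrorAction SilentlyContinue) {
    foreach ($d in $IocDomains) {
        if ($entry.Entry -eq $d -or $entry.Entry -like "*.$d") {
            $findings.Add("DNS cache: $($entry.Entry) -> $($entry.Data)")
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators from the pulse found on this host.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The firewall loop calls Get-NetFirewallApplicationFilter once per rule, which is slow on hosts with hundreds of rules but keeps the rule-to-program association unambiguous. A hit on item 2 or 5 means the implant is installed or running: treat the host as compromised and prefer reimaging over cleaning, since the proxy payload's full capabilities are not documented in the pulse. Items 1 and 6 alone can also fire on a host that was cleaned but still has stale files or cache entries, so read the whole report before deciding.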
Technical Details
- Uuid: a1ddf106-025e-438c-947d-202ded0ee395
- Original Timestamp: 1772440113 (Unix epoch seconds, 2026-03-02T08:28:33+00:00)
Threat ID: 69ffeb34cbff5d8610f38620
Added to database: 5/10/2026, 2:19:32 AM
Last enriched: 5/10/2026, 2:28:20 AM
Last updated: 5/10/2026, 8:33:20 AM
Views: 9