A sophisticated brand impersonation campaign is weaponizing the popular 7-Zip file archiver to silently transform infected Windows computers into residential proxy nodes—monetizing victims’ IP addresses for fraud, scraping, and anonymity laundering operations.
The Lookalike Domain Trap
Security researchers at Malwarebytes have documented a long-running campaign where attackers operate 7zip[.]com—a convincing lookalike of the legitimate 7-zip.org project site. The malicious site distributes a trojanized installer that delivers a fully functional copy of 7-Zip alongside hidden proxyware components.
The campaign was brought to light when a PC builder, following a YouTube tutorial, downloaded 7-Zip from the wrong domain. Nearly two weeks later, Microsoft Defender flagged the system with Trojan:Win32/Malgent!MSR—demonstrating how attackers can maintain long-lived access by masquerading as trusted software.
Trojanized Installer with Code Signing
The installer comes Authenticode-signed using a now-revoked certificate issued to “Jozeal Network Technology Co., Limited,” lending superficial legitimacy. During installation, a modified 7zfm.exe is deployed alongside three hidden components:
- Uphero.exe — Service manager and update loader
- hero.exe — Primary proxy payload (Go-compiled)
- hero.dll — Supporting library
All components are written to C:\Windows\SysWOW64\hero\, a privileged directory unlikely to be manually inspected.
Infection Chain: System-Level Persistence
The malware executes a methodical infection chain:
- File deployment — Payload installed into SysWOW64, requiring elevated privileges
- Service persistence — Both Uphero.exe and hero.exe registered as auto-start Windows services running under SYSTEM privileges
- Firewall manipulation — Uses netsh to remove existing rules and create allow rules for its binaries
- Host profiling — Enumerates hardware identifiers, memory, CPU, disk, and network configuration via WMI, reporting to iplogger[.]org
Residential Proxy Monetization
The malware’s primary function is converting infected machines into residential proxy nodes. The hero.exe component retrieves configuration from rotating “smshero”-themed C2 domains, establishing outbound proxy connections on ports 1000 and 1002. Traffic uses a lightweight XOR-encoded protocol (key 0x70) to obscure control messages.
Residential proxy access is sold to third parties for fraud, web scraping, ad abuse, and anonymity laundering—turning everyday home PCs into criminal infrastructure.
Broader Campaign: upStage Proxy Operation
The 7-Zip impersonation is part of a larger operation dubbed “upStage Proxy.” Related binaries have been identified under names including:
- upHola.exe
- upTiktok
- upWhatsapp
- upWire
All variants share identical TTPs: SysWOW64 deployment, Windows service persistence, firewall manipulation via netsh, and encrypted HTTPS C2 traffic through Cloudflare infrastructure with DNS-over-HTTPS via Google’s resolver.
Evasion Techniques
The malware incorporates multiple anti-analysis features:
- Virtual machine detection (VMware, VirtualBox, QEMU, Parallels)
- Anti-debugging checks and suspicious DLL loading detection
- Runtime API resolution and PEB inspection
- AES, RC4, Camellia, Chaskey, XOR encoding, and Base64 for encrypted configuration handling
Indicators of Compromise
File Hashes (SHA-256)
- e7291095de78484039fdc82106d191bf41b7469811c4e31b4228227911d25027 (Uphero.exe)
- b7a7013b951c3cea178ece3363e3dd06626b9b98ee27ebfd7c161d0bbcfbd894 (hero.exe)
- 3544ffefb2a38bf4faf6181aa4374f4c186d3c2a7b9b059244b65dce8d5688d9 (hero.dll)
Malicious Domains
- soc.hero-sms[.]co
- neo.herosms[.]co
- flux.smshero[.]co
- nova.smshero[.]ai
- apex.herosms[.]ai
- spark.herosms[.]io
- iplogger[.]org
Host Indicators
- Windows services with image paths pointing to C:\Windows\SysWOW64\hero\
- Firewall rules named “Uphero” or “hero”
- Mutex: Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7
Defensive Recommendations
Any system that has executed installers from 7zip[.]com should be considered compromised. Security teams should:
- Verify software sources and bookmark official project domains (7-zip.org)
- Treat unexpected code-signing identities with skepticism
- Monitor for unauthorized Windows services and firewall rule changes
- Block known C2 domains and proxy endpoints at the network perimeter
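The host indicators above and the recommendation to monitor for unauthorized services and firewall rule changes can be checked on a single machine with the following triage script. It is an added example, not code from the Malwarebytes write-up or from the 7-Zip project; it uses only the values published on this page (the SysWOW64\hero directory, the three SHA-256 hashes, the Uphero/hero rule names and the Global mutex) and assumes an elevated Windows PowerShell 5.1 or later session with the NetSecurity module available.

```powershell
# Added host-triage example (not from Malwarebytes or the 7-Zip project).
# Looks for the upStage Proxy / "hero" indicators listed in the write-up:
# dropped files, service persistence, netsh-created firewall rules, and the mutex.
# Assumes: elevated PowerShell 5.1+, NetSecurity module present (Win8/2012+).

$HeroDir     = 'C:\Windows\SysWOW64\hero'
$KnownHashes = @{   # SHA-256 values as published in the report
    'E7291095DE78484039FDC82106D191BF41B7469811C4E31B4228227911D25027' = 'Uphero.exe'
    'B7A7013B951C3CEA178ECE3363E3DD06626B9B98EE27EBFD7C161D0BBCFBD894' = 'hero.exe'
    '3544FFEFB2A38BF4FAF6181AA4374F4C186D3C2A7B9B059244B65DCE8D5688D9' = 'hero.dll'
}
$MutexName   = 'Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7'
$findings    = [System.Collections.Generic.List[string]]::new()

# 1. Dropped files: directory presence, then hash every file against the published IoCs.
#    An unrecognised file in that directory is still worth reporting (updated build).
if (Test-Path -LiteralPath $HeroDir) {
    $findings.Add("Directory present: $HeroDir")
    Get-ChildItem -LiteralPath $HeroDir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        if ($KnownHashes.ContainsKey($hash)) {
            $findings.Add("Known payload hash: $($_.FullName) = $($KnownHashes[$hash])")
        } else {
            $findings.Add("Unrecognised file in payload directory: $($_.FullName) ($hash)")
        }
    }
}

# 2. Service persistence: any service whose image path lives under the hero directory.
#    Win32_Service.PathName holds the full command line, so match on the directory prefix.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -like "*$HeroDir*" } |
    ForEach-Object {
        $findings.Add("Service '$($_.Name)' (StartMode=$($_.StartMode), Account=$($_.StartName)) -> $($_.PathName)")
    }

# 3. Firewall rules: rules added with "netsh advfirewall firewall add rule name=..." carry
#    that name in DisplayName (Name becomes a GUID), so check both properties.
Get-NetFirewallRule -ErrorAction SilentlyContinue |
    Where-Object { ($_.DisplayName -in @('Uphero', 'hero')) -or ($_.Name -in @('Uphero', 'hero')) } |
    ForEach-Object {
        $findings.Add("Firewall rule '$($_.DisplayName)' Direction=$($_.Direction) Action=$($_.Action) Enabled=$($_.Enabled)")
    }

# 4. Mutex: OpenExisting succeeds only while a running process holds the named mutex.
try {
    $m = [System.Threading.Mutex]::OpenExisting($MutexName)
    $m.Dispose()
    $findings.Add("Mutex held by a running process: $MutexName")
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Not present: no live process has created it.
} catch [System.UnauthorizedAccessException] {
    # Exists but this session cannot open it; that is still a hit.
    $findings.Add("Mutex exists (access denied): $MutexName")
}

if ($findings.Count -eq 0) {
    Write-Output 'No upStage Proxy / hero indicators found on this host.'
} else {
    Write-Output "Indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it from an elevated prompt on any host that may have fetched an installer from the lookalike domain. The hash check is exact-match only, so a rebuilt payload will not match; the service, firewall-rule and directory checks are the more durable signals, which is why the script reports unrecognised files under the hero directory rather than ignoring them.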
Source: Malwarebytes
