Fake 7-Zip: Malware Infection Risk – Download with Caution!
- Users downloading 7-Zip may be unwittingly installing malware that turns their computers into proxy nodes, security researchers have warned.
- The campaign, which has been ongoing for some time, was recently highlighted after a PC builder shared their experience on Reddit’s r/pcmasterrace.
- The malicious website closely mimics the appearance and content of the official 7-Zip site, making it difficult for casual users to distinguish between the two.
Users downloading 7-Zip may be unwittingly installing malware that turns their computers into proxy nodes, security researchers have warned. A convincing fake website, 7zip.com, is distributing a trojanized version of the popular archiving tool, effectively hijacking systems for malicious purposes. The legitimate 7-Zip project is hosted exclusively at 7-zip.org.
The campaign, which has been ongoing for some time, was recently highlighted after a PC builder shared their experience on Reddit’s r/pcmasterrace. They had downloaded 7-Zip from the fraudulent site following a YouTube tutorial, and subsequently encountered errors and a Trojan detection from Microsoft Defender. This incident underscores how easily users can be misled by domain name similarities and sophisticated website impersonation.
The malicious website closely mimics the appearance and content of the official 7-Zip site, making it difficult for casual users to distinguish between the two. Crucially, the downloaded installer includes a functional copy of 7-Zip alongside the concealed malware payload. This dual nature of the installer likely contributes to reduced user suspicion, as the archiving tool appears to operate normally.
According to Malwarebytes researchers, the installer is digitally signed with a certificate that has since been revoked, originally issued to Jozeal Network Technology Co., Limited. This signing initially lent a veneer of legitimacy to the malicious file. Once executed, the installer deploys several components:
- Uphero.exe: A service manager and update loader.
- hero.exe: The primary proxy payload, compiled using Go.
- hero.dll: A support library.
These files are installed in the `C:\Windows\SysWOW64\hero` directory, and a Windows service is created to run the malicious executables as SYSTEM, granting them elevated privileges. Firewall rules are also modified to allow inbound and outbound connections, enabling the proxy functionality.
The core function of the malware is to turn infected computers into residential proxy nodes. These nodes are then rented out to third-party cybercriminals, who use them to route traffic and evade detection while carrying out malicious activities such as credential stuffing, phishing attacks, and malware distribution. Residential proxies are particularly valuable to attackers because they originate from legitimate IP addresses, making them more difficult to block than traffic from known proxy servers.
The rise in digital squatting – the practice of registering domain names similar to those of legitimate businesses – is contributing to the success of these types of attacks. Reports indicate a 68% surge in digital squatting cases over the past five years, reaching a record 6,200 disputes in 2025. This trend highlights the increasing difficulty of protecting brand names and preventing malicious actors from exploiting domain name confusion.
The incident serves as a stark reminder of the importance of verifying the authenticity of download sources. Users are strongly advised to only download software from official websites, and to carefully examine the URL before initiating a download. In the case of 7-Zip, the legitimate website is 7-zip.org. Paying attention to digital signatures and being wary of unexpected errors during installation can also help to mitigate the risk of infection.
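A host-triage routine covering the dropped files, service and firewall changes described above, plus the signature check recommended in this paragraph, written here as an added example (not code from the article, Malwarebytes or the 7-Zip project). The directory and file names are the ones the article reports; the function names, parameters and wildcard pattern are this example's own assumptions, and reading services and firewall rules requires an elevated PowerShell session.

```powershell
# Added defender-side triage example; not code from the article, Malwarebytes or 7-Zip.
# The directory and file names are those the article reports; the function names,
# the -DropDir parameter and the wildcard pattern are this example's own assumptions.
function Test-FakeSevenZipArtifacts {
    param(
        [string]$DropDir = "$env:SystemRoot\SysWOW64\hero",
        # Service and firewall paths may be stored with %SystemRoot% unexpanded,
        # so match on the distinctive tail of the path rather than the full string.
        [string]$PathPattern = '*SysWOW64\hero\*'
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Dropped files named in the article, with their Authenticode status.
    foreach ($name in 'Uphero.exe', 'hero.exe', 'hero.dll') {
        $path = Join-Path $DropDir $name
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $findings.Add("file: $path (signature $($sig.Status))")
        }
    }

    # 2. Services whose binary lives in the drop directory; the article says they run as SYSTEM.
    Get-CimInstance Win32_Service | Where-Object { $_.PathName -like $PathPattern } | ForEach-Object {
        $findings.Add("service: $($_.Name) -> $($_.PathName) [account $($_.StartName), $($_.State)]")
    }

    # 3. Firewall rules whose program filter points into the drop directory (inbound or outbound).
    Get-NetFirewallApplicationFilter | Where-Object { $_.Program -like $PathPattern } | ForEach-Object {
        $rule = Get-NetFirewallRule -AssociatedNetFirewallApplicationFilter $_
        $findings.Add("firewall: '$($rule.DisplayName)' $($rule.Direction)/$($rule.Action) -> $($_.Program)")
    }

    return $findings
}

# Check an installer's signature before running it. The article's installer carried a
# certificate that was later revoked; any status other than Valid, or an unexpected
# signer, is a reason to stop and re-check the download source (7-zip.org).
function Get-InstallerSignatureReport {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Message = $sig.StatusMessage
        Signer  = $sig.SignerCertificate.Subject
    }
}
Test-FakeSevenZipArtifacts | ForEach-Object { Write-Warning $_ }
```

An empty result from `Test-FakeSevenZipArtifacts` only means none of the artifacts named in the article were found; it is not a clean bill of health for a host that ran an installer from the wrong domain.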
The threat is not limited to individual users. The use of compromised residential proxies poses a broader risk to internet security, enabling malicious actors to operate with greater impunity. Security researchers are continuing to monitor the campaign and work to identify and disrupt the infrastructure used by the attackers. The incident underscores the need for vigilance and proactive security measures to protect against evolving cyber threats.
The malicious website, 7zip.com, was still active as of , according to BleepingComputer, demonstrating the ongoing nature of the threat.
