Fake 7-Zip Downloads are Turning Home PCs into Proxy Nodes
Summary:
In early 2026, a sophisticated malware campaign was identified targeting users of the popular open-source archiver 7-Zip by utilizing a highly convincing lookalike website, 7zip[.]com. Unlike the legitimate project hosted at 7-zip[.]org, this fraudulent domain distributed a trojanized version of the software. While the installer successfully provided the functional 7-Zip file manager, it simultaneously dropped a concealed Go-compiled payload known as "hero[.]exe" and a service manager "uphero[.]exe." This operation, dubbed upStage Proxy, focused on stealthy monetization rather than traditional data destruction or theft.
Security Officer Comments:
The primary impact of this campaign is the silent conversion of home and corporate PCs into residential proxy nodes. By establishing outbound connections to command-and-control (C2) servers on non-standard ports, the malware allows third parties to route their internet traffic through the victim's IP address. This access is typically sold to actors looking to conduct ad fraud, credential stuffing, web scraping, or to mask malicious activity behind legitimate consumer IPs. For the victim, this results in degraded network performance, potential IP blacklisting, and the severe risk of their identity being associated with illegal online activities conducted by the proxy's "customers."
7-Zip has a long history of being abused by threat actors due to its ubiquity and trusted reputation. Historically, attackers have used the utility's command-line version to automate the encryption of files during ransomware attacks or to compress large volumes of stolen data for stealthy exfiltration.
More recently, in 2024 and 2025, several critical vulnerabilities (such as CVE-2025-0411 and CVE-2025-11001) were discovered that allowed for Mark-of-the-Web (MotW) bypass and Remote Code Execution (RCE). These flaws enabled attackers to bypass Windows security warnings or write malicious files outside of intended directories during extraction, proving that even "clean" versions of the tool can be weaponized if not regularly patched.
Suggested Corrections:
To mitigate these risks, users must ensure they only download software from the official project domain, 7-zip[.]org. Organizations should implement application allowlisting and Ringfencing to restrict 7-Zip's ability to interact with sensitive directories or establish unauthorized network connections.
Because 7-Zip lacks an automatic update mechanism, manual patching or the use of centralized patch management tools is essential to defend against newly discovered vulnerabilities.
Additionally, network administrators should monitor for unauthorized firewall rule changes and suspicious outbound traffic on non-standard ports, which are hallmark signs of a proxy infection.
A list of Indicators of Compromise (IOCs) is included in Malwarebytes' report.
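As an added illustration of the monitoring advice above (this is not code from the advisory or from Malwarebytes), the Python script below runs two host-level checks over constructed sample data: it parses `netstat -ano` style lines and flags ESTABLISHED connections to ports outside a baseline set, joining each to a constructed PID-to-image map, and it scans constructed Windows Security log records for firewall rule additions and modifications (Event IDs 4946 and 4947, which are standard Windows IDs and are not mentioned in the advisory) whose rule names match no known-good prefix. The remote addresses, PIDs, file paths, rule names and the known-good lists are all made up for the example; only the hero.exe and uphero names come from the advisory, and the drop path shown for hero.exe is a placeholder, not a location the report states.

```python
"""Triage helper for two signs named in the advisory: outbound connections on
non-standard ports and unexpected firewall rule changes.
All records below are constructed samples, not real telemetry."""
import re
from dataclasses import dataclass

# Ports a workstation is normally expected to reach outbound (tune per environment).
STANDARD_OUTBOUND_PORTS = {53, 80, 123, 443, 465, 587, 993, 995}

# Constructed lines in the shape of `netstat -ano` output: Proto, Local, Foreign, State, PID.
SAMPLE_NETSTAT = """\
  TCP    192.168.1.20:51122    203.0.113.10:443     ESTABLISHED     4120
  TCP    192.168.1.20:51130    198.51.100.7:8089    ESTABLISHED     5532
  TCP    192.168.1.20:51131    198.51.100.7:8089    ESTABLISHED     5532
  TCP    192.168.1.20:51140    203.0.113.22:53      ESTABLISHED     1208
  TCP    0.0.0.0:135           0.0.0.0:0            LISTENING       912
"""

# Constructed PID -> image path map (what `tasklist` or Get-Process would provide).
# The hero.exe path is a placeholder; the advisory does not state where it is dropped.
SAMPLE_PROCESSES = {
    4120: r"C:\Program Files\Mozilla Firefox\firefox.exe",
    5532: r"C:\Users\alice\AppData\Local\Temp\hero.exe",
    1208: r"C:\Windows\System32\svchost.exe",
    912: r"C:\Windows\System32\svchost.exe",
}

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    remote: str
    port: int


def suspicious_outbound(netstat_text, processes, standard_ports=STANDARD_OUTBOUND_PORTS):
    """Return one Finding per distinct (pid, remote, port) ESTABLISHED connection
    to a port outside the baseline set. Listening sockets are ignored and
    repeated connections to the same endpoint are collapsed."""
    seen = set()
    findings = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        _lip, _lport, rip, rport, state, pid = m.groups()
        rport, pid = int(rport), int(pid)
        if state != "ESTABLISHED" or rport in standard_ports:
            continue
        key = (pid, rip, rport)
        if key in seen:
            continue
        seen.add(key)
        findings.append(Finding(pid, processes.get(pid, "<unknown>"), rip, rport))
    return findings


# Constructed Windows Security log records. 4946 = firewall rule added,
# 4947 = rule modified, 4950 = firewall setting changed (not a rule event).
SAMPLE_FW_EVENTS = [
    {"EventID": 4946, "RuleName": "Core Networking - DNS (UDP-Out)", "ProfileChanged": "Public"},
    {"EventID": 4946, "RuleName": "uphero", "ProfileChanged": "All"},
    {"EventID": 4947, "RuleName": "Firefox (C:\\Program Files\\Mozilla Firefox)", "ProfileChanged": "Private"},
    {"EventID": 4950, "RuleName": "", "ProfileChanged": "Public"},
]

# Constructed known-good prefixes; a real baseline comes from a clean reference build.
KNOWN_RULE_PREFIXES = ("Core Networking", "Firefox", "Windows Defender")


def unexpected_firewall_rules(events, known_prefixes=KNOWN_RULE_PREFIXES):
    """Return rule names from add/modify events (4946/4947) that match none of
    the known-good prefixes. An unfamiliar bare name added for all profiles is
    the pattern worth a closer look."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in (4946, 4947):
            continue
        name = ev.get("RuleName", "")
        if not name.startswith(known_prefixes):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for f in suspicious_outbound(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(f"PID {f.pid} ({f.image}) -> {f.remote}:{f.port}")
    for name in unexpected_firewall_rules(SAMPLE_FW_EVENTS):
        print(f"unexpected firewall rule: {name!r}")
```

On a real host the two functions would be fed the output of `netstat -ano` (or Get-NetTCPConnection) together with a PID-to-image map, and the results of Get-WinEvent filtered to IDs 4946/4947; the port baseline and rule-name prefixes must be derived from a clean reference system, since a non-standard port or an unfamiliar rule name is only a lead, not proof of a proxy node.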
Link(s):
https://www.malwarebytes.com/blog/t...wnloads-are-turning-home-pcs-into-proxy-nodes