Cybercriminals are running a sneaky operation that uses a fake version of the popular 7-Zip archiving tool to compromise everyday home computers. Instead of just installing file compression software, victims unknowingly install malware that turns their machines into part of a residential proxy network.
The attack begins with a convincing trap: a website made to look like the official 7-Zip page. The domain closely resembles the real one, so users trust it and download what seems like a normal installer. The software appears to function properly, which helps the infection remain hidden.
The campaign surfaced after a user shared their experience online. While building a new PC and following a tutorial, they downloaded 7-Zip from the fake site. The system showed some strange errors, but nothing serious enough to stop usage. Nearly two weeks later, Microsoft Defender finally detected a generic trojan, revealing the compromise.
How the Fake Installer Hides the Malware
Security analysis revealed that the installer includes a legitimate copy of 7-Zip along with hidden malicious files. These components are placed in system folders that most users never check, helping them stay unnoticed. The installer was digitally signed, which made it appear trustworthy during installation — although that certificate has since been revoked.
After installation, the malware establishes strong persistence. It creates Windows services that launch automatically with high privileges every time the system starts. It also modifies firewall settings to ensure its traffic can move freely without being blocked.
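The persistence pattern just described (auto-start services with high privileges plus firewall rules that let the binary talk out) is something a defender can audit directly. The script below is an added example written for this article, not code from the article or from any vendor; it assumes an elevated PowerShell prompt on the host being checked, and the "signed by Microsoft" heuristic and the report layout are choices made for the example.

```powershell
# Added example (not from the article): audit the persistence pattern described above on a Windows host.
# Run from an elevated PowerShell prompt. The Microsoft-signer heuristic and the report layout are assumptions.

# 1. Firewall rules tied to a specific program, keyed by the expanded program path.
$programRules = foreach ($f in Get-NetFirewallApplicationFilter) {
    if (-not $f.Program -or $f.Program -eq 'Any') { continue }
    $rule = $f | Get-NetFirewallRule
    [pscustomobject]@{
        Program   = [Environment]::ExpandEnvironmentVariables($f.Program)
        Rule      = $rule.DisplayName
        Direction = $rule.Direction
        Action    = $rule.Action
        Enabled   = $rule.Enabled
    }
}

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and carry arguments, e.g. "C:\x\svc.exe" -run; keep the executable only.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

# 2. Auto-start services running as SYSTEM: who signed the binary, and which firewall rules mention it.
$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    if ($svc.StartMode -ne 'Auto') { continue }
    if ($svc.StartName -notin @('LocalSystem', 'NT AUTHORITY\SYSTEM')) { continue }
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
        # A SYSTEM service whose binary cannot be found is worth a look on its own.
        [pscustomobject]@{ Service = $svc.Name; Binary = $exe; Signer = '<file missing>'
                           SigStatus = 'N/A'; SHA256 = $null; FirewallRules = ''; Suspicious = $true }
        continue
    }
    $sig    = Get-AuthenticodeSignature -LiteralPath $exe
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $rules  = @($programRules | Where-Object { $_.Program -ieq $exe })
    # Heuristic: the installer in this campaign was signed, so "has a signature" is not enough.
    # Flag anything whose chain is not valid, whose signer is not Microsoft, or that has its own firewall rule.
    $suspicious = ($sig.Status -ne 'Valid') -or
                  ($signer -notlike '*O=Microsoft Corporation*') -or
                  ($rules.Count -gt 0)
    [pscustomobject]@{
        Service       = $svc.Name
        Binary        = $exe
        Signer        = $signer
        SigStatus     = $sig.Status
        SHA256        = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        FirewallRules = ($rules | ForEach-Object { "$($_.Direction)/$($_.Action): $($_.Rule)" }) -join '; '
        Suspicious    = $suspicious
    }
}

# Triage list: SYSTEM auto-start services that are unsigned, non-Microsoft, or have a firewall rule of their own.
$findings | Where-Object Suspicious | Format-List
```

Legitimate third-party services (drivers, updaters, endpoint agents) will appear in this list too; the point is to produce a short set to triage, and the SHA256 column gives you something to look up or compare against a known-good machine. A service that was created recently, is signed by an unfamiliar publisher, and has its own outbound-allow firewall rule matches the behaviour this article describes.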
Turning Infected PCs into Proxy Nodes
The malware collects system details such as hardware information and network configuration, then communicates with remote servers for instructions. Its main role is to convert infected devices into residential proxy nodes.
◆ Connects to attacker-controlled servers for commands
◆ Routes third-party internet traffic through the victim’s IP address
◆ Uses encryption and obfuscation to hide communications
◆ Operates over unusual network ports to avoid detection
This setup is typical of residential proxy services, where real home IP addresses are valuable. Criminals can rent this access for fraud, scraping websites, ad abuse, and other illicit activities — all traced back to the victim’s internet connection.
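A host acting as a proxy node shows up on the wire as a process holding many outbound sessions, often to non-standard ports, as the list above describes. The snapshot script below is an added example written for this article, not the article's own code; the set of "normal" ports and the private-address filter are assumptions for the example and should be tuned to the environment.

```powershell
# Added example (not from the article): snapshot Internet-bound TCP connections with the process behind each,
# flagging non-standard destination ports and unsigned binaries. The port allow-list is an assumption; tune it.
$commonPorts = @(80, 443, 53, 853, 22, 465, 587, 993, 995, 3389)

function Test-PrivateAddress {
    param([string]$Address)
    # Skip loopback, link-local and RFC 1918 ranges; only Internet-bound traffic is of interest here.
    return ($Address -match '^(127\.|10\.|192\.168\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)')
}

$procCache = @{}
$report = foreach ($c in Get-NetTCPConnection -State Established) {
    if (Test-PrivateAddress $c.RemoteAddress) { continue }
    if (-not $procCache.ContainsKey($c.OwningProcess)) {
        # Resolve the owning process once per PID; Path is null for kernel-owned PIDs or without elevation.
        $p    = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $path = $p.Path
        $sig  = if ($path) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
        $procCache[$c.OwningProcess] = [pscustomobject]@{
            Name      = $p.ProcessName
            Path      = $path
            SigStatus = if ($sig) { $sig.Status } else { 'Unknown' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
    $info = $procCache[$c.OwningProcess]
    [pscustomobject]@{
        PID         = $c.OwningProcess
        Process     = $info.Name
        Binary      = $info.Path
        Remote      = "$($c.RemoteAddress):$($c.RemotePort)"
        UnusualPort = ($c.RemotePort -notin $commonPorts)
        SigStatus   = $info.SigStatus
        Signer      = $info.Signer
    }
}

# Suspicious rows first: unusual destination port, then anything not validly signed.
$report |
    Sort-Object -Property @{ Expression = 'UnusualPort'; Descending = $true },
                          @{ Expression = { $_.SigStatus -ne 'Valid' }; Descending = $true },
                          Process |
    Format-Table -AutoSize

# Connection count per process: a proxy node typically holds many concurrent outbound sessions.
$report | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it a few times over several minutes rather than once; a relay's session count churns, and a single snapshot can miss it. A process with an unfamiliar binary path, a non-Microsoft or invalid signature, and dozens of outbound sessions to high ports is the combination the article describes, and its PID ties directly back to the service audit above.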
Anyone who downloaded 7-Zip from the fake site should assume their system is compromised. Security tools may remove known variants, but some users may prefer a full operating system reinstall for complete safety.
To Reduce Risk
Always download software from official sources, double-check domain names, and watch for unexpected system changes like unknown services or firewall rule modifications.
Organizations should also block known malicious domains and monitor outbound traffic to stop infected machines from contacting attacker infrastructure.