Lookalike 7-Zip Websites Found Distributing Malware That Hijacks Home Internet Connections

Security researchers have uncovered a malware campaign that abuses lookalike websites impersonating the popular 7-Zip utility to infect Windows computers and covertly enlist them into residential proxy networks, allowing third parties to route internet traffic through victims’ home systems.

The activity was documented in detailed research by cybersecurity software company Malwarebytes, which analyzed a trojanized installer distributed through a domain designed to closely resemble the legitimate 7-Zip project. The fake domain used 7zip[.]com, while the official 7-Zip software is hosted exclusively at 7-zip.org.

Unlike many malware campaigns that rely on obvious malicious files, this operation delivers a working version of the 7-Zip File Manager, reducing the likelihood that users notice anything wrong. The malicious payload is installed silently alongside the legitimate software during setup.

Once installed, the malware drops several files into a protected Windows system directory and establishes persistent Windows services running with elevated privileges. These services are configured to start automatically and survive system reboots.

In one case, a PC builder reported downloading the fake installer after following a YouTube tutorial that incorrectly linked to the impersonating site. The user only became aware of the issue weeks later, when Microsoft Defender flagged suspicious activity on the system.

Researchers identified the primary components as:

  • a service loader and update mechanism
  • a proxy payload responsible for handling network traffic
  • a supporting library used by the malware

The malware also alters firewall rules to ensure uninterrupted network access and communicates with external command-and-control infrastructure over encrypted connections.

Further analysis showed that the malware's primary purpose is proxyware. Infected systems are enrolled as residential proxy nodes, meaning their real IP addresses can be used by third parties to relay internet traffic. Residential proxies are often monetized for activities such as web scraping, fraud, ad abuse and anonymity laundering, and because the traffic originates from legitimate home connections, it is harder for security systems to detect, which makes these proxies valuable to hackers.

Researchers linked the fake 7-Zip installer to a wider campaign using similar techniques across multiple software brands. Related malware samples shared consistent behaviors, infrastructure patterns, and code similarities, indicating a coordinated operation rather than an isolated incident.

The campaign employs rotating domains, encrypted communications, and multiple anti-analysis techniques designed to evade detection in virtual machines and security sandboxes.

While the malware does not appear to steal passwords directly, its ability to operate with system-level privileges and manipulate network traffic makes it a serious security concern. Malwarebytes reports that reputable security tools can detect and remove known variants, though users who installed software from 7zip[.]com are advised to treat affected systems as compromised.

It is recommended to only download software from official project websites. Bookmarking trusted domains can help avoid typosquatting, where a mistyped or lookalike version of a real domain leads to an unrelated website.

Also be cautious of tutorials or guides, which may link to third-party download sites.

Utilizing cybersecurity software and monitoring systems for unexpected services or firewall rule changes can help you prevent issues and stop them in their tracks.
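One way to turn that advice into a concrete check, as an added example that is not code from the article or from Malwarebytes: the PowerShell below lists auto-start services running as LocalSystem whose binary is not Microsoft-signed, and enabled firewall allow rules bound to a program that is not Microsoft-signed, the two traits the article attributes to the trojanized installer. The function names are mine, and the "not Microsoft-signed" heuristic is an assumption that will also surface legitimate third-party software, so treat the output as a triage list rather than a verdict.

```powershell
# Added example: triage persistence and firewall changes of the kind described above.
# Run from an elevated PowerShell prompt on the Windows host being examined.

# Helper: Authenticode signature of a file, or $null if the file is missing.
function Get-FileSignature([string]$Path) {
    if (Test-Path -LiteralPath $Path) { Get-AuthenticodeSignature -LiteralPath $Path } else { $null }
}

# 1. Auto-start services running as LocalSystem whose binary is not Microsoft-signed.
#    Assumption: a legitimate third-party agent or driver may also appear here.
function Get-SuspiciousAutoStartService {
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.StartName -eq 'LocalSystem' } |
        ForEach-Object {
            # PathName may be quoted and carry arguments; keep only the executable path.
            $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($_.PathName -split ' ')[0] }
            $sig = Get-FileSignature $exe
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $exe
                Publisher = $sig.SignerCertificate.Subject
                Status    = if ($sig) { $sig.Status } else { 'FileMissing' }
            }
        } |
        Where-Object { $_.Status -ne 'Valid' -or $_.Publisher -notmatch 'Microsoft' }
}

# 2. Enabled firewall allow rules bound to a specific program that is not Microsoft-signed.
#    The article notes the malware edits firewall rules to keep its proxy traffic flowing.
function Get-SuspiciousFirewallRule {
    Get-NetFirewallRule -Enabled True -Action Allow | ForEach-Object {
        $rule = $_
        $app  = ($rule | Get-NetFirewallApplicationFilter).Program
        if ($app -and $app -ne 'Any') {
            # Rule paths commonly use %SystemRoot%-style variables; expand before checking.
            $exp = [Environment]::ExpandEnvironmentVariables($app)
            $sig = Get-FileSignature $exp
            if (-not $sig -or $sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                [pscustomobject]@{ Rule = $rule.DisplayName; Direction = $rule.Direction; Program = $exp }
            }
        }
    }
}

Get-SuspiciousAutoStartService | Format-Table -AutoSize
Get-SuspiciousFirewallRule     | Format-Table -AutoSize
```

Anything listed that you did not knowingly install, especially a service binary under a Windows system directory with no valid signature, is worth investigating with an up-to-date security scanner.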

The campaign highlights how seemingly minimal mistakes, such as downloading software from an unofficial domain, can have security consequences. By relying on trusted brands rather than technical exploits, attackers can quietly establish long-term access to consumer systems, underscoring the importance of careful source verification even for widely used, everyday utilities.

