In early February 2026, cybersecurity researchers uncovered a deceptive and dangerous new threat in the wild: a fraudulent download site impersonating the well-known open-source archiving tool 7-Zip is distributing an installer that has been laced with a hidden malicious payload.
The campaign, which exploits trust in a well-known software brand, turns unsuspecting users’ Windows computers into residential proxy nodes that criminals can use to bypass security blocks, run credential-stuffing attacks, and carry out other illicit operations.
Threat actors registered a lookalike domain, 7zip[.]com, and copied the content and layout of the legitimate 7-Zip website to fool users into believing they were downloading a safe, legitimate tool. Once installed, this trojanized package installs the real 7-Zip application, so the user experience feels normal, but it also drops multiple hidden malicious components into the system.
Security firm Malwarebytes’ analysis found that three key files are installed alongside the legitimate software:
- Uphero.exe, a service manager and update loader
- hero.exe, the main proxy payload
- hero.dll, a supporting library
These components are placed in the Windows system directory and configured to run as persistent services with SYSTEM privileges. The malware also makes unauthorized changes to the Windows firewall rules so that it can communicate freely with its remote command-and-control servers and enroll the machine in a larger residential proxy network for the attacker’s use.
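The three artifacts above (files dropped into the system directory, services running as SYSTEM, and firewall rules opened for those programs) are exactly what a defender can hunt for on a Windows host. The following PowerShell script is an added example written for this post, not code from the article, from Malwarebytes, or from the 7-Zip project. It matches only on the three file names the write-up lists; the service names, rule names, and file hashes used by the campaign are not given here, so any hit should be treated as a lead to investigate rather than a confirmed infection.

```powershell
# Added hunting script (not from the original article). Checks a Windows host for the
# indicators described in the fake 7-Zip write-up: the three dropped file names, any
# service whose image path references them, and any firewall rule scoped to them.
# Service and rule names are unknown from the write-up, so matching is by file name only.
$SuspectNames = @('Uphero.exe', 'hero.exe', 'hero.dll')
$SystemDirs   = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

# 1. Files dropped into the Windows system directory, with creation time and hash for triage
$fileHits = foreach ($dir in $SystemDirs) {
    foreach ($name in $SuspectNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) {
            $file = Get-Item -LiteralPath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            [pscustomobject]@{
                Indicator = 'File'
                Name      = $file.FullName
                Detail    = "Created $($file.CreationTime) | SHA256 $hash"
            }
        }
    }
}

# 2. Services whose image path references the suspect binaries (the write-up says they
#    are installed as persistent services running as SYSTEM, i.e. StartName 'LocalSystem')
$svcHits = Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    $imagePath = $svc.PathName
    if ($imagePath -and ($SuspectNames | Where-Object { $imagePath -match [regex]::Escape($_) })) {
        [pscustomobject]@{
            Indicator = 'Service'
            Name      = $svc.Name
            Detail    = "$imagePath | StartMode=$($svc.StartMode) | Account=$($svc.StartName) | State=$($svc.State)"
        }
    }
}

# 3. Firewall rules whose application filter points at the suspect executables.
#    Start from the application filters (most rules are 'Any') and map back to their rules.
$fwHits = Get-NetFirewallApplicationFilter | ForEach-Object {
    $filter  = $_
    $program = $filter.Program
    if ($program -and $program -ne 'Any' -and
        ($SuspectNames | Where-Object { $program -match [regex]::Escape($_) })) {
        $filter | Get-NetFirewallRule | ForEach-Object {
            [pscustomobject]@{
                Indicator = 'FirewallRule'
                Name      = $_.DisplayName
                Detail    = "$program | Direction=$($_.Direction) | Action=$($_.Action) | Enabled=$($_.Enabled) | Profile=$($_.Profile)"
            }
        }
    }
}

$hits = @($fileHits) + @($svcHits) + @($fwHits)
if ($hits.Count -eq 0) {
    "No indicators from the fake 7-Zip write-up found on $env:COMPUTERNAME"
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated PowerShell session so that `Get-FileHash` can read files in `System32` and the firewall cmdlets can enumerate every rule. Because the match is by file name, a legitimate program that happens to contain `hero.exe` in its path would also be listed; the creation time, hash, and service account in the `Detail` column are there so an analyst can tell a genuine dropper from a coincidence before acting on it.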
Because many businesses rely on trusted tools like 7-Zip in their workflows, this incident shows how attackers increasingly use brand trust against organizations and individuals. In this case, users following a YouTube PC-build video linked to the fake domain were tricked into installing malware without realizing it.
Why This Matters to Your Business
Malicious proxyware like this doesn’t directly steal your files or encrypt your systems, but it can seriously undermine your security posture:
- Compromised Devices Become Tools for Attackers – Once a machine becomes part of a proxy network, attackers can route harmful traffic through your IP addresses, masking their activity and evading controls.
- Your Network Reputation Is At Risk – If your systems are used to support credential stuffing attacks or facilitate other crimes, your domain and IPs could be blacklisted or penalized by other networks.
- Traditional “Detect and Respond” Tools May Be Too Slow – Standard endpoint solutions often rely on identifying known malware signatures or behavioral anomalies before responding, which can be too late for threats carefully designed to evade detection.
What’s more, this trend of threat actors bundling malware into seemingly harmless installers underscores a broader shift in tactics: cybercriminals increasingly leverage social engineering and brand impersonation to spread their tools. Resolving these kinds of threats requires more than just reacting after they’re found; it needs proactive isolation and containment strategies that stop malicious behavior before it can establish persistence or communicate with external infrastructure.
Moving Beyond Detect and Respond
Many traditional endpoint protection platforms focus on “detect and respond.” That means they attempt to identify malicious code after it executes and then try to contain or remediate the threat. But as this incident shows, by the time detection occurs, significant damage can already be done: your machine might already be part of a criminal proxy network, and your organization could be exposed to larger follow-on attacks.
AppGuard takes a different approach. Instead of waiting for threats to be detected, it uses isolation and containment principles to prevent unauthorized or dangerous actions at the endpoint in the first place. Because AppGuard enforces strict controls on what code can interact with critical system functions, even novel or unknown malware can be stopped from ever gaining a foothold. Over its ten-year track record, AppGuard has consistently demonstrated that this paradigm is far more effective at preventing real-world threats than reactive detection alone.
Whether it’s trojanized installers, malicious proxies, supply chain attacks, or zero-day exploits, business endpoints are under constant attack. Waiting until a threat is detected is a risk your organization cannot afford.
Protect Your Business Today
If you are a business owner or IT leader and want a modern endpoint protection solution that stops threats before they execute and prevents unauthorized system modifications, it’s time to talk with us at CHIPS. Learn how AppGuard can help your organization move beyond legacy “detect and respond” tools and adopt a proactive isolation and containment strategy that stops incidents like the fake 7-Zip installer in their tracks.
Contact CHIPS today to secure your environment with AppGuard and ensure your systems stay protected against evolving cyber threats.
February 21, 2026