
7zip.com Is Serving Malware

Fake 7-Zip downloads are turning home PCs into quiet residential proxy nodes, showcasing a new, stealthy monetization model for malware that bypasses traditional security assumptions. This story ignited discussion among Hacker News users about the precariousness of trusting online software sources and the challenges users face in verifying legitimate downloads amidst domain squatting. It highlights the evolving threat landscape where resource hijacking flies under the radar, forcing a re-evaluation of how we source and validate our everyday utilities.

Score: 89 | Comments: 47 | Highest rank: #16 | 4h on front page | First seen: Feb 14, 5:00 PM | Last seen: Feb 14, 8:00 PM | Rank over time: (chart)

The Lowdown

Malwarebytes details a clever campaign exploiting the popularity of 7-Zip: users looking for the legitimate 7-zip.org are steered to the lookalike domain 7zip.com, which serves a trojanized installer. This sophisticated malware, known as "upStage Proxy," doesn't steal data or hold systems for ransom; instead it silently converts infected machines into residential proxy nodes, monetizing unsuspecting users' bandwidth and IP addresses.

  • The malicious site 7zip.com distributed an installer that bundled a functional 7-Zip with a hidden payload, Authenticode-signed with a revoked certificate.
  • The malware components (Uphero.exe, hero.exe, hero.dll) install silently into C:\Windows\SysWOW64\hero\, establish persistence as Windows services with SYSTEM privileges, and manipulate firewall rules.
  • It profiles the host system, uses encrypted communications to command-and-control servers, and enrolls the machine into a network of residential proxies, allowing third parties to route traffic through the victim’s IP.
  • A key distribution vector identified was YouTube tutorials incorrectly linking to the fake domain, exploiting user trust in content ecosystems.
  • The "proxyware" model represents a distinct threat: rather than disruptive, it aims for long-term, stealthy resource exploitation, making it harder to detect with traditional security measures due to its non-obvious behavioral signatures.
  • Malwarebytes advises considering any system compromised if downloaded from 7zip.com and recommends verifying software sources, checking code-signing identities, monitoring system changes, and blocking known C2 domains.
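
The following PowerShell script is an added example, not code from the Malwarebytes report or the HN thread. It implements two of the recommended checks on a Windows host: it verifies a downloaded installer's Authenticode chain with online revocation checking (the fake installer carried a signature from a revoked certificate), and it hunts for the indicators the report names (the files under C:\Windows\SysWOW64\hero\, plus services and firewall rules that point there). The installer path is a placeholder.

```powershell
# Added example (not from the report or the thread). Run from an elevated prompt.

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # Covers NotSigned, HashMismatch, NotTrusted, etc.
        return [pscustomobject]@{ Path = $Path; Verdict = 'FAIL'; Reason = "$($sig.Status): $($sig.StatusMessage)" }
    }
    # Rebuild the signer's chain with online CRL/OCSP checking so a revoked
    # certificate is reported explicitly rather than passing on a cached verdict.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $ok = $chain.Build($sig.SignerCertificate)
    $reason = if ($ok) { 'chain valid, not revoked' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',' }
    return [pscustomobject]@{
        Path    = $Path
        Signer  = $sig.SignerCertificate.Subject
        Verdict = if ($ok) { 'PASS' } else { 'FAIL' }
        Reason  = $reason
    }
}

function Find-UpStageProxyIndicators {
    $heroDir = 'C:\Windows\SysWOW64\hero\'            # install directory from the report
    $names   = 'Uphero.exe', 'hero.exe', 'hero.dll'   # component names from the report
    $hits = @()
    if (Test-Path $heroDir) {
        $hits += @(Get-ChildItem -Path $heroDir -Force -ErrorAction SilentlyContinue |
            Where-Object { $names -contains $_.Name } |
            ForEach-Object { "file: $($_.FullName)" })
    }
    # Services whose binary lives under the hero directory; StartName shows the
    # account (the payload persists as SYSTEM).
    $hits += @(Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -like "*$heroDir*" } |
        ForEach-Object { "service: $($_.Name) ($($_.StartName)) -> $($_.PathName)" })
    # Firewall rules scoped to a program under the hero directory.
    $hits += @(Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -like "$heroDir*" } |
        Get-NetFirewallRule |
        ForEach-Object { "firewall: $($_.DisplayName) [$($_.Direction)/$($_.Action)]" })
    return $hits
}

# Usage (installer path is a placeholder):
Test-InstallerSignature -Path 'C:\Users\Public\Downloads\7z-setup.exe' | Format-List
Find-UpStageProxyIndicators
```

Because the official 7-Zip releases are not signed (a point the thread returns to below), a NotSigned result on a genuine download is expected; the value of the check is that a signed file whose certificate has been revoked is rejected rather than taken as reassurance.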

This incident underscores a concerning trend where threat actors leverage brand impersonation and subtle, persistent malware to build monetization infrastructure, demonstrating that trust and vigilance are increasingly critical defenses against evolving cyber threats.

The Gossip

Domain Dilemmas & Verification Vexations

The primary concern revolved around the confusion between the official `7-zip.org` and the malicious `7zip.com`. Commenters discussed the difficulty for average users to discern legitimate download sources, especially with SEO manipulation and misleading online tutorials. While some pointed out that modern browsers and Google search results often flag the fake site, others highlighted the general challenge of verifying software authenticity, suggesting solutions like package managers (`winget`) or cross-referencing Wikipedia.

Proxyware's Pervasive Peril

Many found the core business model of the malware – turning PCs into residential proxy nodes – to be the most significant takeaway. Unlike traditional malware (ransomware, data theft), proxyware is designed for silent, long-term resource exploitation, making it less disruptive but more insidious. This subtle operation, impacting bandwidth and system performance without overt signs, was seen as a "different threat model" that traditional endpoint protection might struggle to identify because its network activity looks normal.

7-Zip's Peculiar Policies

The discussion veered into criticisms of the official 7-Zip author's long-standing practices, specifically the refusal to digitally sign releases or provide hashes, and the historical avoidance of modern security hardening features like ASLR. This stance, seen by some as an "odd flex," was viewed as contributing to the potential for impersonation. Consequently, alternatives like NanaZip (a fork with "modern Windows features") were mentioned as more secure or up-to-date options.

Treasonous Tutorials & Dubious Digital Advice

A recurring sentiment was distrust in online tutorials, particularly those found on YouTube, as unwitting vectors for malware distribution. Commenters lamented the decline in quality and the difficulty of discerning reliable information in a sea of potentially harmful or misleading content, noting that the ability to "downvote the bad ones" was sorely missed.