A deceptive website mimicking the popular file archiver 7-Zip has been distributing malware that silently takes over Windows PCs. The site, 7zip[.]com, has been flagged by security experts and antivirus providers, including Malwarebytes, as a significant threat. The official 7-Zip website is 7-zip.org; the fraudulent .com domain is unrelated and should not be confused with it. Security researchers in Japan also identified the threat last month, highlighting the urgency of the situation.

The .com domain was previously up for sale and began hosting 7-Zip downloads around December 2023, according to the Internet Archive. 7-Zip's developer, Igor Pavlov, has explicitly disavowed any connection to the .com domain and warned users not to trust or use it.

The malware, disguised as a functional file-archiving tool, includes a concealed payload that modifies 7zfm.exe and deploys three additional files (Uphero.exe, hero.exe, and hero.dll) to spread the infection. During installation it exhibits backdoor-style capabilities, enrolling the infected PC as a residential proxy node so that third parties can route traffic through the victim's IP address. Such a proxy network can be exploited by cybercriminals, who may sell access to fuel their illicit activities. The malware's techniques are similar to those of other Trojans, such as upHola.exe, upTiktok, upWhatsapp, and upWire, and it references VPN and proxy brands in its code.

Despite the threat, many mainstream antivirus engines can detect and remove the malware. Malwarebytes advises users to be cautious when downloading software, especially after encountering recommendations from seemingly benign sources such as YouTube videos. This incident underscores the importance of verifying the authenticity of software downloads and staying vigilant against potential security risks.
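Two defender-side checks that follow from the article, as an added example (not code from the article, Malwarebytes, or the 7-Zip project): a URL check that accepts only 7-zip.org and its subdomains (so the lookalike 7zip.com, and tricks such as userinfo or suffix lookalikes, are rejected), and a filesystem sweep for the dropped file names the article reports next to 7zfm.exe. The sample directory tree is constructed inline; the exact file names are taken from the article, and treating their presence as a red flag is a heuristic assumed here.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Only the developer's real domain (and its subdomains) is trusted; the
# lookalike 7zip[.]com described in the article is not.
OFFICIAL_HOST = "7-zip.org"

# File names the article reports the fake installer drops alongside a
# modified 7zfm.exe (compared case-insensitively, as Windows does).
DROPPED_FILES = {"uphero.exe", "hero.exe", "hero.dll"}


def is_official_7zip_url(url: str) -> bool:
    """True only for https URLs whose host is 7-zip.org or a subdomain of it.

    urlsplit() strips userinfo and ports, so 'https://7-zip.org@7zip.com/'
    yields host '7zip.com', and '7-zip.org.example.com' fails the suffix test.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        return False
    return host == OFFICIAL_HOST or host.endswith("." + OFFICIAL_HOST)


def find_suspicious_7zip_dirs(root: str) -> list[str]:
    """Walk `root`; return directories holding 7zfm.exe plus any dropped file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        if "7zfm.exe" in names and names & DROPPED_FILES:
            hits.append(dirpath)
    return sorted(hits)


def demo() -> list[str]:
    """Constructed sample tree: one clean install and one matching the report."""
    tmp = Path(tempfile.mkdtemp())
    for sub, files in {"clean": ["7zFM.exe", "7z.dll"],
                       "fake": ["7zFM.exe", "Uphero.exe", "hero.dll"]}.items():
        (tmp / sub).mkdir()
        for name in files:
            (tmp / sub / name).write_bytes(b"")  # placeholder contents
    return find_suspicious_7zip_dirs(str(tmp))


if __name__ == "__main__":
    print(is_official_7zip_url("https://www.7-zip.org/download.html"))  # True
    print(is_official_7zip_url("https://7zip.com/"))                    # False
    print(demo())  # only the 'fake' directory is reported
```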