A malicious website impersonating the legitimate 7-Zip project is distributing a trojanised installer that covertly turns infected machines into nodes within a residential proxy network. The fake domain, 7zip[.]com, mimics the official 7-zip.org site and has been used to lure unsuspecting users, including those following online tutorials, into downloading the compromised installer. Alongside providing the expected archiving functionality, the installer silently deploys three malicious components that set up proxy services, modify firewall rules, and establish persistent system services to enable third parties to route internet traffic through victims’ computers.
Researchers from Malwarebytes analysed the installer and found that it is digitally signed with a revoked certificate and that it profiles the host before sending configuration data to attacker-controlled servers. The malware is proxyware: it enrols infected hosts in a proxy pool so that third parties can route traffic through them, hiding the true origin of activities such as credential stuffing, phishing, and malware distribution. The campaign uses evasion techniques including rotating command-and-control domains, obfuscated communications, DNS-over-HTTPS, and checks for virtualised environments and attached debuggers. Further investigation showed that the same proxy malware is not limited to the 7-Zip lure: it is also delivered through trojanised installers of HolaVPN, TikTok, WhatsApp, and Wire VPN.
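The two observable traits reported above, an installer signed with a revoked certificate and the addition of services and firewall rules on the host, are things a responder can check directly. The PowerShell below is an added triage example written for this article; it is not code from Malwarebytes or from the 7-Zip project, and it assumes the installer path, the 24-hour lookback window, and the event IDs used by Windows for service installation (System log 7045) and firewall rule additions (Firewall log 2004). Get-AuthenticodeSignature does not reliably perform online revocation checks, so the signer certificate is exported and handed to certutil -verify -urlfetch for a full chain and CRL/OCSP check.

```powershell
# Added triage example (not from the original report or the 7-Zip project).
# Assumed path of the downloaded installer; change to the file you received.
$InstallerPath = "$env:USERPROFILE\Downloads\7z-setup.exe"
$LookbackHours = 24   # assumed window for "recently added" services/rules

function Test-InstallerSignature {
    param([string]$Path)
    # Status is 'Valid' only for a trusted, unbroken signature. A trojanised build
    # signed with a revoked or untrusted certificate will not come back 'Valid'.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status
        Signer  = $sig.SignerCertificate.Subject
        Expires = $sig.SignerCertificate.NotAfter
    }
    if ($sig.SignerCertificate) {
        # Export the signer certificate and let certutil fetch the CRL/OCSP
        # responses; a revoked certificate is reported explicitly in its output.
        $cer = Join-Path $env:TEMP 'installer-signer.cer'
        [System.IO.File]::WriteAllBytes($cer, $sig.SignerCertificate.Export('Cert'))
        $revocation = certutil -verify -urlfetch $cer 2>&1
        if ($revocation -match 'revoked') {
            $result | Add-Member -NotePropertyName Revoked -NotePropertyValue $true
        }
    }
    return $result
}

function Get-RecentServiceInstalls {
    param([int]$Hours)
    # Event 7045 is logged to the System log whenever a service is installed.
    # Properties[0] is the service name and Properties[1] the image path.
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ServiceName = $_.Properties[0].Value
                ImagePath   = $_.Properties[1].Value
            }
        }
}

function Get-RecentFirewallRuleAdditions {
    param([int]$Hours)
    # Event 2004 in the Windows Firewall log records a rule being added.
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id        = 2004
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Get-InboundAllowRulesOutsideSystemPaths {
    # Proxyware needs inbound connectivity; list enabled inbound allow rules whose
    # program does not live under Program Files or the Windows directory.
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        ForEach-Object {
            $program = ($_ | Get-NetFirewallApplicationFilter).Program
            if ($program -and $program -ne 'Any' -and
                $program -notmatch '^(%ProgramFiles%|C:\\Program Files|%SystemRoot%|C:\\Windows)') {
                [pscustomobject]@{ Rule = $_.DisplayName; Program = $program }
            }
        }
}

'== Installer signature ==';          Test-InstallerSignature -Path $InstallerPath | Format-List
'== Services installed recently ==';  Get-RecentServiceInstalls -Hours $LookbackHours | Format-Table -AutoSize
'== Firewall rules added recently =='; Get-RecentFirewallRuleAdditions -Hours $LookbackHours | Format-Table -Wrap
'== Inbound allow rules for non-system programs =='; Get-InboundAllowRulesOutsideSystemPaths | Format-Table -AutoSize
```

Run it from an elevated PowerShell session, since the firewall event log and Get-NetFirewallRule require administrator rights. Any result other than a 'Valid' signature chaining to the genuine Igor Pavlov certificate, or a service and inbound firewall rule that appeared at install time for a binary outside the expected program directories, is reason to isolate the host and compare the file hash with the release published on 7-zip.org.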