Fake 7-Zip downloads are turning home PCs into proxy nodes
Summary
Malwarebytes reports a campaign in which fake 7-Zip downloads from a lookalike domain deliver trojanized installers that turn infected machines into residential proxy nodes. The attack uses Authenticode signing with a revoked certificate, installs multiple components (Uphero.exe, hero.exe, hero.dll) under System, persists via services, and alters firewall rules to maintain access and updates. Researchers attribute the operation to a broader proxyware network and provide IOCs, domain indicators, and mitigation steps.