Fake 7-Zip Download Turns Your PC Into a Secret Proxy for Cybercriminals
Subtitle: A deceptive website mimicking 7-Zip is infecting unsuspecting users with proxyware, hijacking home internet connections for shady online operations.
It started with a simple YouTube tutorial, just another PC-building guide among thousands. But for one viewer, a click on a convincing "7-Zip" download link led to something far more sinister than a file archiver. Behind the familiar interface lurked a silent hijacker, recruiting home computers into an invisible army for cybercriminals worldwide.
Fast Facts
- Threat actors set up a fake 7-Zip website at 7zip[.]com, distributing malware-laced installers.
- Infected PCs are turned into residential proxy nodes, allowing criminals to route malicious traffic through victims’ IP addresses.
- The malware mimics legitimate software, even providing full 7-Zip functionality to avoid suspicion.
- The campaign extends beyond 7-Zip, targeting users of HolaVPN, TikTok, WhatsApp, and Wire VPN with similar tactics.
- Firewall rules and system services are modified to ensure persistent, stealthy operation.
For years, 7-Zip has been a trusted staple for file compression. But the recent emergence of 7zip[.]com, a near-perfect replica of the official site, has turned that trust into a weapon. The fraudulent domain, still live as of this writing, lures users seeking free software with a trojanized installer signed with a now-revoked certificate. Researchers at Malwarebytes discovered that this installer not only delivers the authentic 7-Zip program, but also drops a trio of malicious files deep within the Windows system directory.
The real payload: proxyware that quietly enrolls the infected computer into a residential proxy network. Once active, the malware modifies Windows firewall rules, creates persistent system services, and profiles the machine using advanced Windows tools. All this information is sent off to a shadowy server, while the victim’s IP address becomes a conduit for credential stuffing, phishing, and further malware attacks, activities that are nearly impossible to trace back to the criminals themselves.
The operation is highly sophisticated. Control servers rotate domains and communicate over encrypted channels, leveraging Cloudflare and DNS-over-HTTPS to evade detection. The malware even checks for signs of virtual machines or analysis tools, making life difficult for security researchers. But independent analysts and forensics experts pieced together the puzzle, revealing a campaign that stretches far beyond 7-Zip, targeting other popular apps to ensnare more victims.
For users, the lesson is stark: cybercriminals are capitalizing on trust and convenience, exploiting even the most routine downloads. Bookmarking official software sites and avoiding links from YouTube tutorials or sponsored search results is no longer just good advice; it's essential self-defense in a world where every click could open the door to invisible exploitation.
Conclusion
Behind the guise of everyday software, a silent war is raging for control of our digital lives. As attackers grow bolder and more cunning, vigilance is our first, and sometimes only, line of defense. The next time you download a familiar tool, remember: even the safest-seeming link might be the start of someone else’s criminal campaign, running quietly on your own machine.
WIKICROOK
- Residential Proxy: A residential proxy uses a real home IP address to make online activity appear as if it comes from a genuine user, masking the true source.
- Trojanized Installer: A Trojanized installer is a seemingly legitimate software package altered to secretly install malware alongside the intended program.
- Firewall Rules: Firewall rules are digital instructions that control what data can enter or leave a network, helping block intruders and protect against cyber threats.
- DNS: DNS translates website names into IP addresses, letting browsers find sites easily. Encrypted DNS (DoH) adds privacy by hiding your lookups.
- Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.