A fraudulent website impersonating the official 7-Zip project is currently distributing a trojanized installer that turns victim computers into residential proxy nodes. The campaign uses a cloned web design and a deceptive domain name to trick users into installing software that routes third-party traffic through their home internet connections.
A fake website, 7zip.com, has been identified as the source of a trojanized build of the 7-Zip archiving tool (the legitimate project site is 7-zip.org). While the archiver itself works normally for the user, the installer silently drops several malicious files into the Windows system directory and registers an auto-start service that runs with SYSTEM privileges. So that the proxy can operate without interference, the malware adds its own Windows Firewall rules and profiles the host's hardware and network characteristics, reporting the results back to the attackers.
Security researchers found that the malware enrolls infected hosts in a residential proxy network, which lets anonymous third parties mask their activity behind the victim's IP address. The malware uses evasion techniques such as encrypted command channels and DNS-over-HTTPS, which keep its traffic out of plaintext DNS and proxy logs that standard network monitoring relies on. It also contains checks for virtual machines and attached debuggers, which hinders analysis in sandboxes and makes the sample harder for analysts to study.
Further investigation revealed that this operation is not limited to 7-Zip but is part of a much larger campaign targeting various popular applications. Similar malicious installers have been found for platforms like TikTok, WhatsApp, and several VPN services, all utilizing a rotating infrastructure of command-and-control domains. The attackers often lure victims through deceptive YouTube tutorials and promoted search results, capitalizing on the trust users place in familiar software brands to spread the infection across a wide user base.
To defend against such threats, users are advised to verify that they are downloading software only from official, legitimate domains and to avoid links provided in social media descriptions or unofficial guides. Security experts recommend bookmarking known-good download portals to prevent landing on lookalike sites. This campaign serves as a reminder that even basic utility software can be weaponized to turn personal devices into tools for broader cybercriminal activities without the owner's knowledge.
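Checking a download host "by eye" is exactly what a lookalike domain defeats, so the check is better done in code, for instance in a proxy or mail filter. The function below, an added example and not part of the article, normalises each hostname label to a brand key (letters and digits only, so 7-zip, 7zip and 7.zip collide) and flags hosts that carry the brand key, or a one-edit variant of it, on any domain other than the official one. The only fact it relies on is that 7-Zip is published from 7-zip.org; treating the last two labels as the registrable domain and ignoring labels shorter than the brand key are simplifying assumptions.

```python
"""Classify a download URL as official, lookalike or unrelated for a known brand.

Added example. Fact: 7-Zip is published from 7-zip.org. Labels shorter than
the brand key are not edit-distance matched (assumption, avoids 'zip' hitting
'7zip'); this also means deletions such as '7zi' are not caught.
"""
import re
from urllib.parse import urlsplit

OFFICIAL = {
    "7zip": {"7-zip.org", "www.7-zip.org"},  # brand key -> legitimate hosts
}


def brand_key(label):
    """Letters and digits only, so '7-zip', '7zip' and '7.zip' collide."""
    return re.sub(r"[^a-z0-9]", "", label.lower())


def levenshtein(a, b):
    """Edit distance, to catch one-character swaps like '7zlp' for '7zip'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_download_url(url):
    """Return 'official', 'lookalike', 'unrelated' or 'invalid'."""
    if "://" not in url:
        url = "//" + url  # bare 'host/path' as users paste it
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    labels = host.split(".")
    for brand, hosts in OFFICIAL.items():
        if host in hosts:
            return "official"
        # Brand key anywhere in the host (TLD excluded) on a non-official
        # domain: '7zip.com', '7-zip.org.download-files.net', '7-zlp.org'.
        for label in labels[:-1]:
            k = brand_key(label)
            if k == brand:
                return "lookalike"
            if len(k) >= len(brand) and levenshtein(k, brand) <= 1:
                return "lookalike"
    return "unrelated"


def classify_all(urls):
    return {u: classify_download_url(u) for u in urls}


if __name__ == "__main__":
    for u, verdict in classify_all([
        "https://www.7-zip.org/download.html",
        "https://7zip.com/",
        "https://7-zip.org.download-files.net/7z.exe",
        "https://7-zlp.org/",
        "https://example.com/7zip.exe",
    ]).items():
        print(f"{verdict:10} {u}")
```

Note that the brand appearing in the path (example.com/7zip.exe) is not treated as a lookalike; only the hostname is authority for the origin, which is the point of the bookmarking advice above.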
Source: Malicious 7-Zip Website Distributes Installer Bundled With Proxy Tool