Malwarebytes has published a deep dive into a campaign abusing a confusingly similar domain (7zip.com) to distribute a trojanized 7‑Zip installer — even though the legitimate project is hosted at 7-zip.org.

### What happened

- The malicious installer delivers a working copy of 7‑Zip File Manager to reduce suspicion.

- In parallel, it drops additional binaries (Uphero.exe, hero.exe, hero.dll) to **C:\Windows\SysWOW64\hero\**.

- Persistence is achieved by registering Windows services that run at boot.

### Why it matters

This is “proxyware” style malware: it enrolls victim devices as **residential proxy nodes**. That can be monetized for fraud, scraping, ad abuse, or anonymizing other malicious activity—using the victim’s IP address.

### Key technical details (high level)

- The installer is code-signed (using a certificate later revoked), which can help it appear trustworthy.

- The malware modifies firewall rules (via netsh) to keep its network traffic flowing.

- It profiles the host and communicates with command-and-control infrastructure, including via encrypted HTTPS and DNS-over-HTTPS.

### What users and admins should do

- Treat any installer obtained from **7zip.com** as potentially malicious, and run a full security scan on any host where it was run.

- Audit for suspicious services and unexpected firewall rules referencing **SysWOW64\hero\** paths.

- Educate teams and content creators to reference the correct download domain (**7-zip.org**).
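The audit steps above can be scripted. The following PowerShell hunt is an added example written for this summary; it is not from the Malwarebytes report and not part of 7-Zip. It assumes a Windows host with PowerShell 5.1 or later and the built-in NetSecurity module, and it only looks for the paths and file names the write-up names (`SysWOW64\hero\`, `Uphero.exe`, `hero.exe`, `hero.dll`); the function names are my own. A variant that drops to a different directory would not be caught by it, so treat a clean result as "no known indicators" rather than "clean host".

```powershell
# Added example: hunt for the indicators described in the write-up on one host.
# Directory and file names come from the summary above; function names are
# assumptions of this example and not part of the original report.

$HeroDir   = Join-Path $env:SystemRoot 'SysWOW64\hero'
$HeroFiles = @('Uphero.exe', 'hero.exe', 'hero.dll')

function Find-HeroFiles {
    # Returns the dropped binaries that are present on disk, with their
    # Authenticode status (the campaign's certificate was later revoked).
    if (-not (Test-Path -LiteralPath $HeroDir)) { return @() }
    Get-ChildItem -LiteralPath $HeroDir -File -ErrorAction SilentlyContinue |
        Where-Object { $HeroFiles -contains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                Created   = $_.CreationTime
            }
        }
}

function Find-HeroServices {
    # Services whose executable path points into the dropper directory.
    # Win32_Service.PathName is the raw command line, so a wildcard match is enough.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -like '*SysWOW64\hero\*' } |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

function Find-HeroFirewallRules {
    # Firewall rules whose program filter references the dropper directory.
    # Rules added with netsh appear here as well; the application filter
    # carries the Program path for each rule.
    Get-NetFirewallRule -ErrorAction SilentlyContinue | ForEach-Object {
        $rule = $_
        $app  = $rule | Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue
        if ($app -and $app.Program -like '*SysWOW64\hero\*') {
            [pscustomobject]@{
                Name      = $rule.Name
                Direction = $rule.Direction
                Action    = $rule.Action
                Enabled   = $rule.Enabled
                Program   = $app.Program
            }
        }
    }
}

$files    = @(Find-HeroFiles)
$services = @(Find-HeroServices)
$rules    = @(Find-HeroFirewallRules)

"Dropped files found:  $($files.Count)"
$files    | Format-Table -AutoSize
"Suspicious services:  $($services.Count)"
$services | Format-Table -AutoSize
"Firewall rules found: $($rules.Count)"
$rules    | Format-Table -AutoSize

if ($files.Count -or $services.Count -or $rules.Count) {
    Write-Warning 'Indicators from the 7zip.com campaign are present; isolate the host and run a full security scan.'
}
```

Run it from an elevated PowerShell session so that service and firewall enumeration is complete. In a fleet, the three functions can be wrapped in an endpoint-management job and the three counts collected centrally; any host with a non-zero count should be isolated before the service is removed, since the write-up notes the malware re-enables its network path through firewall rules.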

**Source:** Malwarebytes threat intel write-up (linked below).