Security researchers have documented a campaign abusing a convincing lookalike domain for the popular 7‑Zip utility.

## What happened

- Attackers used 7zip[.]com to distribute a trojanized 7‑Zip installer (the legitimate project is hosted at 7-zip.org).

- The installer delivers a working 7‑Zip File Manager to avoid suspicion, while silently dropping additional components into `C:\Windows\SysWOW64\hero\`.

## What the malware does

- Establishes persistence by registering auto-start Windows services.

- Manipulates firewall rules via `netsh` to allow its binaries.

- Profiles the host via WMI/Windows APIs.

- Enrolls the machine as a residential proxy node, enabling third parties to route traffic through the victim’s IP.

## Why it matters

Proxyware infections can be “quiet” but harmful: they can degrade performance, create privacy risk, and get the victim’s IP reputation burned by abuse routed through it (fraud, scraping, ad abuse).

## Defensive guidance

- Treat any system that executed an installer downloaded from 7zip[.]com as compromised and investigate it.

- Check for suspicious auto-start services, and for dropped binaries under `C:\Windows\SysWOW64\hero\`.

- Reinstall 7‑Zip from the legitimate source (7-zip.org) and consider an OS rebuild for high-risk environments.
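The checks above, as an added PowerShell triage script that is not part of the original report: it looks for the dropped directory, services and allow rules that point into it, and cached resolutions of the lookalike domain. It assumes a Windows host with PowerShell 5.1 or later and the built-in NetSecurity and DnsClient modules; the directory and domain are taken from the report.

```powershell
$heroDir  = 'C:\Windows\SysWOW64\hero'   # drop directory named in the report
$badHost  = '7zip.com'                   # lookalike domain named in the report
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Type, $Name, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail })
}

# 1. Dropped components: any file under the hero directory is suspect; hash it for IoC sharing.
if (Test-Path -LiteralPath $heroDir) {
    Get-ChildItem -LiteralPath $heroDir -Recurse -File -Force | ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        Add-Finding 'File' $_.FullName "size=$($_.Length) sha256=$hash"
    }
}

# 2. Persistence: services whose binary path points into the hero directory.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like "*$heroDir*" } |
    ForEach-Object { Add-Finding 'Service' $_.Name "start=$($_.StartMode) state=$($_.State) path=$($_.PathName)" }

# 3. Firewall: allow rules whose program filter references the dropped binaries (rules created via netsh appear here too).
Get-NetFirewallRule -Action Allow -ErrorAction SilentlyContinue | ForEach-Object {
    $app = $_ | Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue
    if ($app.Program -like "*$heroDir*") {
        Add-Finding 'FirewallRule' $_.DisplayName "dir=$($_.Direction) program=$($app.Program)"
    }
}

# 4. Exposure: a cached resolution of the lookalike domain means this host contacted it recently.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$badHost*" } |
    ForEach-Object { Add-Finding 'DnsCache' $_.Entry "data=$($_.Data)" }

if ($findings.Count -eq 0) {
    Write-Output "No indicators of the 7zip[.]com campaign found on $env:COMPUTERNAME"
} else {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero exit so the check can gate a wider incident-response workflow
}
```

Run it from an elevated session so the directory listing and firewall query are complete; a non-empty table is a reason to isolate the host and follow the guidance above.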