YouTube tutorials spread fake 7-zip downloads as brand impersonation and domain mix-ups put PCs at risk

A fake version of the popular 7-zip download is secretly hijacking home computers and using them to route criminal internet traffic, in a campaign that researchers say has been running undetected for some time.
The threat recently gained attention after a user report on Reddit revealed that attackers were impersonating the legitimate software site and distributing a trojanised installer.
One case surfaced after a PC builder followed a YouTube tutorial and downloaded 7-Zip from 7zip[.].com, not realizing the official project is hosted at 7-zip.org.
The user took to Reddit two weeks later, after Microsoft Defender alerted them to a generic detection: Trojan:Win32/Malgent!MSR.
This fake 7-zip domain, it turned out, exposed their system to long-term hidden misuse.
The installer appeared legitimate: it was Authenticode-signed with a code-signing certificate issued (and later revoked) to ‘Jozeal Network Technology Co., Limited’.
However, as reported by Malwarebytes, it quietly installed additional components designed to persist on the machine and communicate with attacker-controlled servers.
These included Uphero.exe (a service manager and update loader), hero.exe (the primary proxy payload, compiled from Go) and hero.dll (a supporting library).
“Proxyware” for criminal networks
According to the researchers who worked on the analysis, Luke Acha, s1dhy and Andrew Danis, the malware’s main role is “proxyware”: turning infected devices into residential proxy nodes, allowing criminals to route traffic through the victim’s IP address.
This could allow bad actors to mask their identity and use victims’ IP addresses for fraud, scraping, abuse or other illicit activity.
The campaign also highlights how brand impersonation and small domain mix-ups can have serious consequences, especially when reinforced by tutorials or guides that reference the wrong website.
The operation appears broader than a single fake installer. Related files using names such as upHola.exe, upTikTok, UpWhatsapp, and upWire share the same techniques and infrastructure, suggesting an organised proxy network built from compromised home machines.
Users and security operators are advised to verify software sources and bookmark official project domains, treat unexpected code-signing identities with suspicion, monitor for unauthorized Windows services and firewall rule changes, and block known C2 domains and proxy endpoints at the network perimeter.
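As an added defender-side example (not code from the article, from Malwarebytes, or from the researchers it cites), the PowerShell script below puts that advice into one triage pass: it classifies the download host against the official domain and flags lookalike labels such as 7zip versus 7-zip, checks the installer's Authenticode signer against the publisher you expect rather than trusting a 'Valid' status alone, and lists services and firewall rules that point at binaries outside the Windows and Program Files trees. The installer path, the sample URL and the expected-publisher string are placeholders, and the domain allowlist is ours.

```powershell
# Added example for this article, not code from Cybernews, Malwarebytes or the researchers it cites.
# Triage a downloaded installer along the lines of the article's advice: where it came from,
# who signed it, then what services and firewall rules look out of place. Windows PowerShell 5.1+.
# ASSUMPTIONS: the installer path, download URL and expected publisher below are placeholders.

param(
    [string]$InstallerPath     = "$env:USERPROFILE\Downloads\7z-setup.exe",  # assumed location
    [string]$DownloadUrl       = 'https://7zip.com/download.html',             # constructed sample URL
    [string]$ExpectedPublisher = '<EXPECTED-PUBLISHER-PLACEHOLDER>'            # set from a verified source
)

# The article names 7-zip.org as the official project site; anything else is off-allowlist.
$OfficialDomains = @('7-zip.org')

function Get-EditDistance {
    # Levenshtein distance, used to spot lookalike labels such as '7zip' vs '7-zip'.
    param([string]$a, [string]$b)
    $prev = 0..$b.Length
    for ($i = 1; $i -le $a.Length; $i++) {
        $curr = @($i) + (@(0) * $b.Length)
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $curr[$j] = [Math]::Min([Math]::Min($curr[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $curr
    }
    return $prev[$b.Length]
}

function Test-DownloadDomain {
    # Returns 'official', 'lookalike' or 'unknown' for the URL's host.
    param([string]$Url, [string[]]$Allowed)
    $hostName = ([System.Uri]$Url).Host.ToLowerInvariant() -replace '^www\.', ''
    if ($Allowed -contains $hostName) { return 'official' }
    # Compare the brand (second-level) label only: '7zip.com' and '7-zip.org' differ in TLD too,
    # but the brand label is one edit away, which is exactly the mix-up the article describes.
    $label = ($hostName -split '\.')[-2]
    foreach ($d in $Allowed) {
        if ((Get-EditDistance $label (($d -split '\.')[-2])) -le 2) { return 'lookalike' }
    }
    return 'unknown'
}

function Test-InstallerSignature {
    # A 'Valid' Authenticode status only proves some CA-issued certificate signed the file. The
    # article's trojanised installer was validly signed by an unexpected company, so the signer
    # must be compared with the publisher you expect, not just the status.
    param([string]$Path, [string]$Publisher)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    [pscustomobject]@{
        File             = $Path
        Status           = $sig.Status               # anything other than Valid is suspicious
        Signer           = $signer
        PublisherMatches = ($signer -like "*$Publisher*")
        SHA256           = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash
    }
}

function Get-SuspiciousPersistence {
    # Services whose binary lives outside the Windows and Program Files trees, and firewall rules
    # scoped to such programs, are where a proxy payload that has to pass traffic tends to show up.
    $systemRoots = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $outside = {
        param($p)
        $p = [Environment]::ExpandEnvironmentVariables($p)   # firewall filters often use %SystemRoot%
        -not ($systemRoots | Where-Object { $p -like "*$_*" })
    }

    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and (& $outside $_.PathName) } |
        Select-Object Name, State, StartMode, PathName

    $fwRules = Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -and $_.Program -ne 'Any' -and (& $outside $_.Program) } |
        ForEach-Object {
            $program = $_.Program
            $_ | Get-NetFirewallRule |
                Select-Object DisplayName, Direction, Action, @{ n = 'Program'; e = { $program } }
        }

    [pscustomobject]@{ Services = $services; FirewallRules = $fwRules }
}

# --- run the checks ---
"Download domain : $(Test-DownloadDomain -Url $DownloadUrl -Allowed $OfficialDomains)"
$sigInfo = Test-InstallerSignature -Path $InstallerPath -Publisher $ExpectedPublisher
if ($sigInfo) { $sigInfo | Format-List } else { "Installer not found at $InstallerPath (adjust the assumed path)" }
$audit = Get-SuspiciousPersistence
"Services outside Windows/Program Files:";            $audit.Services      | Format-Table -AutoSize
"Firewall rules for programs outside those trees:";   $audit.FirewallRules | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the machine in question. The service and firewall listing is a heuristic: legitimate third-party software installed under ProgramData or a user profile will appear too, so the output is a review list, not a removal list, and the edit-distance threshold of 2 is a tunable assumption.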
This 7-Zip campaign is a different type of threat (impersonation via a fake installer) from the recent widespread exploitation of actual vulnerabilities in the WinRAR software.