Threat Advisories

Fake 7-Zip Installers Used to Build Residential Proxy Botnet

Written by Integrity360 | Jul 9, 2026 2:28:51 PM

Security researchers have identified an ongoing campaign operated by a threat actor known as Lurking Lizard, which distributes trojanized versions of the popular 7-Zip archiving software. Victims who download installers from the malicious domain 7zip[.]com instead of the legitimate 7-zip[.]org unknowingly install malware that converts their systems into residential proxy nodes.
The malware allows third parties to route internet traffic through compromised devices, effectively turning victim systems into part of a commercial proxy network. Researchers have linked the activity to a wider ecosystem involving fake VPNs, counterfeit proxy services, fraudulent review websites, and more than 230 lookalike domains used for malware distribution and monetisation.

Threat Overview 

The campaign abuses user trust rather than exploiting software vulnerabilities. Victims are typically redirected to fake installers through search results, online tutorials, social media content, or typo-squatted domains that closely resemble legitimate software websites.


Once executed, the installer deploys a legitimate version of 7-Zip alongside hidden components that establish persistence, modify firewall configurations, and enrol the system in a residential proxy network. This allows external users to relay traffic through the victim's internet connection, potentially exposing the victim's IP address to malicious or suspicious activity.


Investigations have revealed that the operation extends beyond 7-Zip impersonation and includes fake installers for WhatsApp, VPN software, TikTok download utilities, YouTube downloaders, and other applications.


The malicious installer drops several components into:


C:\Windows\SysWOW64\hero\

The known files include:

  • Uphero.exe

  • hero.exe

  • hero.dll


The malware establishes persistence by creating Windows services that automatically start during system boot and operate with elevated privileges. It manipulates firewall rules using netsh commands to ensure uninterrupted communications with command-and-control infrastructure and update servers.
The primary payload, hero.exe, communicates with a network of "hero" and "smshero" domains to obtain configuration updates and proxy instructions. Communications are encrypted and utilise evasion techniques such as DNS-over-HTTPS, making network-based detection more difficult.


Researchers observed extensive anti-analysis functionality, including virtual machine detection, anti-debugging mechanisms, runtime API resolution, environment inspection, and encrypted configuration storage.


Business Impact


Organisations should consider any system that executed software obtained from 7zip[.]com or its related infrastructure to be compromised.


Compromised devices may:
•    Participate in proxy networks without user consent.
•    Facilitate malicious or unauthorized third-party activity.
•    Create legal or reputational risks due to abuse originating from corporate IP addresses.
•    Consume bandwidth and system resources.
•    Circumvent security monitoring through encrypted communications.
•    Serve as entry points for future malware deployment.


In enterprise environments, the operation could result in loss of network visibility, increased incident response costs, and potential attribution of malicious traffic to the organisation.


Indicators of Compromise (IOCs)


File Paths

  • C:\Windows\SysWOW64\hero\Uphero.exe

  • C:\Windows\SysWOW64\hero\hero.exe

  • C:\Windows\SysWOW64\hero\hero.dll

SHA-256 Hashes

  • e7291095de78484039fdc82106d191bf41b7469811c4e31b4228227911d25027 Uphero.exe

  • b7a7013b951c3cea178ece3363e3dd06626b9b98ee27ebfd7c161d0bbcfbd894 hero.exe

  • 3544ffefb2a38bf4faf6181aa4374f4c186d3c2a7b9b059244b65dce8d5688d9 hero.dll

Known Domains

  • soc.hero-sms[.]co

  • neo.herosms[.]co

  • flux.smshero[.]co

  • nova.smshero[.]ai

  • apex.herosms[.]ai

  • spark.herosms[.]io

  • zest.hero-sms[.]ai

  • prime.herosms[.]vip

  • vivid.smshero[.]vip

  • mint.smshero[.]com

  • pulse.herosms[.]cc

  • glide.smshero[.]cc

  • svc.ha-teams.office[.]com

  • iplogger[.]org

  • 7zip[.]com

  • update.7zip[.]com

Observed Infrastructure

  • 104.21.57.71

  • 172.67.160.241

Host Indicators


Unexpected Windows services referencing:
C:\Windows\SysWOW64\hero\


Firewall rules named:

  • hero

  • Uphero

Mutex:

  • Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7

Detection Guidance


Security teams should review endpoint telemetry for the creation of services related to hero.exe or Uphero.exe, monitor for unauthorized firewall rule modifications, and investigate systems that recently downloaded software from unofficial 7-Zip sources.


Network defenders should search for communications involving known hero/smshero domains and inspect outbound traffic using non-standard proxy ports. Special attention should be given to hosts generating unusual volumes of encrypted outbound traffic or exhibiting DNS-over-HTTPS activity inconsistent with corporate policy.


Mitigation and Response


Immediately isolate any affected systems from the network. Conduct endpoint scans using enterprise security tools and verify that all malicious services, scheduled tasks, registry entries, and firewall modifications have been removed. Organisations should reset credentials used on impacted systems and review logs for evidence of lateral movement or additional payload deployment.


Users should only download software directly from legitimate vendor websites and should verify digital signatures before installation. Security awareness training should emphasize the risks associated with typo-squatted domains and software recommendations found in third-party tutorials or videos.


Recommendation


Organisations should block all known indicators associated with the Lurking Lizard campaign, conduct proactive threat hunting for proxyware activity, and educate users that the legitimate 7-Zip website is:


Any systems that installed software from 7zip[.]com should be investigated immediately to determine the extent of compromise and remove proxyware components before they can be leveraged for malicious activity.