A widespread malware campaign is using convincing copies of popular software websites to trick people into installing compromised applications that secretly convert their devices into residential proxy nodes. The campaign is particularly deceptive because victims still receive a working version of the software they expected. While the legitimate application installs normally, additional malware runs quietly in the background and connects the device to an attacker-controlled proxy network.
A Familiar Download Hides a Much Bigger Threat
Most people searching for utilities such as 7-Zip expect a quick and uncomplicated download. They enter the software name into a search engine, choose a website that appears legitimate and run the installer.
Attackers are taking advantage of that familiar behaviour.
The campaign uses more than 230 lookalike domains designed to resemble genuine software vendors and service providers. One of the most notable examples impersonates the official 7-Zip website by using a nearly identical domain that could easily be mistaken for the legitimate address.
Anyone arriving through a search result, online tutorial, advertisement or shared download link may believe they have reached the correct website.
Once the installer is opened, it delivers a functioning copy of 7-Zip. This lowers suspicion because the application appears to work as expected. Behind the scenes, however, the installer also deploys malware and begins registering the device as part of a residential proxy network.
How the Infection Unfolds
The attack follows a straightforward but highly effective sequence.
A user searches for familiar software and lands on a counterfeit download page. The site provides a modified installer that contains both the genuine application and a hidden malicious component.
After execution, the legitimate program is installed while the malware creates additional services or processes on the device. The compromised system is then connected to infrastructure controlled by the attackers.
From that point forward, third-party internet traffic can be routed through the victim's connection without their knowledge.
To outside websites and security systems, that activity may appear to originate from the victim's residential IP address rather than from the actual criminal operator.
Why Criminals Want Residential Internet Connections
Residential proxy networks are valuable because home and business internet addresses are often treated as more trustworthy than traffic coming from known hosting providers, virtual private servers or data centres.
Attackers can use these compromised connections to disguise activities such as:
The victim may never see these activities directly. However, their internet address becomes associated with traffic generated by strangers.
This can lead to unusual network congestion, slower internet performance, blocked access to websites or security alerts tied to activities the device owner never performed.
In more serious situations, the residential IP address could appear in investigations, abuse reports or threat-intelligence databases because malicious traffic was routed through it.
The Malware Is Designed to Avoid Immediate Suspicion
Many malware infections reveal themselves through obvious symptoms such as broken applications, pop-up advertisements or system instability.
This campaign is more subtle.
Because the expected software is installed successfully, the victim has little reason to investigate further. The application launches normally, and there may be no obvious indication that an additional service is running.
The proxy component can remain active in the background, quietly using the victim's bandwidth and internet identity.
This strategy is effective because it turns the legitimate software into part of the deception. The working application reassures the user that the download was genuine, even though the installer itself was compromised.
The Campaign Extends Beyond 7-Zip
Although fake 7-Zip installers are one of the main infection routes, the same infrastructure has been connected to counterfeit versions of other commonly searched applications and services.
These include fake installers or download pages imitating WhatsApp, WireVPN, TikTok download tools, YouTube downloaders and proxy providers.
The attackers have also created websites that appear to provide independent software or proxy-service reviews. These pages can direct visitors towards other malicious downloads while giving the operation a false appearance of legitimacy.
This wider network allows the attackers to target people with different interests rather than relying on a single software brand.
A user searching for a compression utility, messaging application, VPN service or media downloader could all be exposed to the same underlying infrastructure.
Windows, macOS and Android Users May All Be Targeted
The campaign is not limited to one operating system.
Modified installers and related infrastructure have been observed targeting Windows, macOS and Android users. This broader reach reflects how modern malware operations are increasingly designed to follow users across different devices and platforms.
Windows systems may remain the most attractive target because of their widespread use in homes and organisations, but Mac and Android users should not assume they are protected simply because they use a different platform.
The main risk begins before the operating system becomes relevant: the user is downloading software from an untrusted source.
Lookalike Domains Remain an Effective Trap
A fake website does not need to be identical to the real one. It only needs to look convincing long enough for a user to download the installer.
Attackers commonly rely on:
The malicious infrastructure documented in the advisory includes domains impersonating software vendors, VPN services and proxy providers, along with shared backend systems used to distribute payloads and manage traffic.
Some addresses are obviously suspicious when examined carefully, while others may look believable during a quick search.
That is why users should not rely only on the appearance of a website.
What Organisations Should Monitor
Businesses should pay particular attention to software downloads on employee devices, especially where users have local administrator access.
Security teams should investigate unexpected services, unfamiliar executables and unusual outbound connections that appear after new software has been installed.
The campaign has been associated with executable names such as hero.exe, uphero.exe, wire.exe and upwire.exe. These files were linked to primary payloads and service-management components used in the 7-Zip and WireVPN-related activity.
A single filename is not enough to confirm an infection, but its presence should justify further examination when combined with suspicious network behaviour or downloads from unofficial sites.
Organisations should also monitor for systems making repeated outbound connections to unfamiliar proxy, VPN or traffic-forwarding domains.
Downloading From the Official Source Is the Strongest First Defence
The simplest and most effective precaution is to obtain software directly from the official vendor.
Users should avoid third-party download portals unless the organisation has specifically approved them. Search advertisements, software review sites and tutorial links should also be treated carefully because they can lead to convincing imitation pages.
Before downloading, users should manually check the domain name and confirm that it matches the vendor's official website.
Bookmarks, managed software catalogues and enterprise deployment tools can reduce the need for employees to search the web for installers.
For commonly used applications such as 7-Zip, organisations may also distribute approved packages through central software-management platforms rather than allowing each user to download the program independently.
Security Controls That Can Reduce the Risk
Endpoint detection and response tools may help identify trojanised installers, unexpected services and suspicious proxy-related activity.
DNS filtering and secure web gateways can block known malicious domains before users reach them. Firewalls and proxy systems can also restrict access to newly registered or suspicious websites.
Application control provides another layer of protection by limiting which executables are allowed to run.
However, technology alone is unlikely to stop every incident. These websites are designed to exploit user trust, and new domains can appear faster than blocklists are updated.
Regular awareness training should therefore show employees how to recognise lookalike domains, verify software sources and report questionable downloads.
Unsupported or Personal Devices Can Create Additional Exposure
Corporate computers are not the only concern.
Employees may download software on personal laptops or phones that later connect to workplace networks, cloud accounts or business applications.
A compromised home device could expose credentials, browser sessions or remote-access tools even if the malware's primary purpose is proxy monetisation.
Organisations with bring-your-own-device arrangements should therefore establish clear requirements for approved software sources, endpoint protection and minimum security controls.
Residential proxy malware also creates a difficult boundary between personal and organisational risk. A device infected at home may later become a pathway into business systems.
Final Thoughts
The fake 7-Zip campaign demonstrates how malware distribution has evolved beyond obviously suspicious programs and broken applications.
Attackers are now delivering software that works exactly as the victim expects while quietly adding a second, hidden purpose. The user receives a genuine utility, but the device becomes part of a network that criminals can use to conceal their own activities.
The most important lesson is that a functioning application does not prove that the installer was safe.
Software should always be downloaded from verified vendor websites or trusted organisational repositories. Users should carefully inspect domain names, while businesses should monitor for unauthorised services, unexpected executables and unusual outbound traffic.
A few extra seconds spent verifying a download can prevent a device from becoming an invisible gateway for someone else's cybercrime.


Comments