Beware Fake 7‑Zip Installers: How a Trojan Turns Your PC into a Residential Proxy Bot
A malicious fake 7‑Zip installer masquerades as the legitimate open‑source archiver, silently deploying a Trojan that creates a residential‑proxy botnet, modifies system services and firewall rules, and can expose users to legal and privacy risks, while Windows Defender now flags it as Trojan:Win32/Malgent!MSR.
Fake 7‑Zip Installer Overview
In early 2026, attackers began distributing counterfeit versions of the popular 7‑Zip archiver. The fake installer looks almost identical to the genuine one and even installs a fully functional 7‑Zip, but the package also contains a hidden Trojan. The difference from the legitimate installer is a single missing character "d" in the activation script, a detail that easily slips past most users.
Malicious Payload and Its Impact
According to Malwarebytes, the Trojan leverages users' trust in familiar software. Once executed, it drops a residential‑proxy malware suite that writes files such as hero.exe, Uphero.exe and hero.dll to C:\Windows\SysWOW64\hero\. These components register a system service with highest (SYSTEM) privileges, enable auto‑start on boot, and modify firewall rules via netsh to allow outbound traffic.
The malware includes virtual‑machine detection (targeting VMware, VirtualBox, etc.), anti‑debugging mechanisms, runtime API parsing, and process enumeration to evade analysis. Its primary purpose is to turn infected PCs into “money‑making” nodes: the compromised broadband and IP address are sold to black‑market operators who need residential IPs, allowing them to build large, rentable IP pools without owning servers.
Victims face several risks: legal liability if the IP is used for attacks or illicit activities, privacy breaches as the Trojan can expose cameras, NAS devices, and other networked hardware, and overall system security degradation. Microsoft has since added this Trojan to Windows Defender’s definition database, labeling it as Trojan:Win32/Malgent!MSR. Users should keep Windows Defender updated, scan for the hero directory, and remove any suspicious files.
Detection and Mitigation
To verify infection, check whether the folder C:\Windows\SysWOW64\hero\ exists. If present, run a full Windows Defender scan or use another reputable anti‑malware tool to remove the malicious components. Maintaining up‑to‑date security definitions is the most effective defense against this and similar supply‑chain attacks.
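The following triage script is an added example, not code from the article or from Malwarebytes. It checks the three artifact classes described above (the dropped files under C:\Windows\SysWOW64\hero\, a service pointing at them, and firewall rules bound to those binaries); because the article does not give the service or rule names, matching on the binary path is an assumption.

```powershell
# Added triage script for the fake 7-Zip proxy Trojan (not from the article).
# Run from an elevated PowerShell prompt. Service and firewall rule names are
# not known from the article, so both are matched on the hero binary path.

$heroDir   = Join-Path $env:SystemRoot 'SysWOW64\hero'
$heroFiles = @('hero.exe', 'Uphero.exe', 'hero.dll')   # file names as reported
$findings  = @()

# 1. Dropped files: record presence and SHA256 for the incident report
if (Test-Path -LiteralPath $heroDir) {
    $findings += "Directory present: $heroDir"
    foreach ($f in $heroFiles) {
        $p = Join-Path $heroDir $f
        if (Test-Path -LiteralPath $p) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $findings += "  File present: $p (SHA256 $h)"
        }
    }
}

# 2. Services whose binary lives in the hero directory (any name, any account)
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like '*\SysWOW64\hero\*' }
foreach ($s in $services) {
    $findings += "Service '$($s.Name)' -> $($s.PathName) [Start=$($s.StartMode), Account=$($s.StartName), State=$($s.State)]"
}

# 3. Firewall rules bound to a program under the hero directory (the netsh changes)
$appFilters = Get-NetFirewallApplicationFilter |
    Where-Object { $_.Program -like '*\SysWOW64\hero\*' }
foreach ($af in $appFilters) {
    $rule = $af | Get-NetFirewallRule
    $findings += "Firewall rule '$($rule.DisplayName)' for $($af.Program) [Dir=$($rule.Direction), Action=$($rule.Action), Enabled=$($rule.Enabled)]"
}

if ($findings.Count -eq 0) {
    Write-Output 'No artifacts matching the fake 7-Zip proxy Trojan were found.'
} else {
    Write-Output 'Possible infection. Review the findings, then run a full Defender scan:'
    $findings | ForEach-Object { Write-Output $_ }
    # Start-MpScan -ScanType FullScan   # uncomment to launch the scan directly
}
```

Treat any hit as a reason to isolate the host and run the full Defender scan; the script only reports, it does not remove anything.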
IT Services Circle