Video • Feb 24, 2026
How Stealthy Was the 7zip Malware and How to Spot It?

The video dives into the Trojan‑laden 7‑Zip installer that was being served from the look‑alike domain 7zip.com, showing how the malicious package mimics the legitimate 7‑Zip setup while silently dropping a back‑door.
In the Any.run sandbox the analyst observed that the installer runs normally, then drops “uphero.exe”, which immediately creates an outbound Windows firewall rule via netsh to allow traffic to the command‑and‑control server. Network traces reveal only DNS queries to heroSMS.co, and the malware relies on native Windows utilities (cmd.exe, netsh) to avoid detection, resulting in almost no anomalous process activity.
The presenter highlights a screenshot of the firewall rule (“uphero” outbound allow) and notes that the C2 domain is predominantly seen in reports from MSSPs in the US, Japan and Germany. He also warns that AI tools like ChatGPT can inadvertently recommend the compromised installer, and that encrypted HTTPS/DNS‑over‑HTTPS further obscures malicious traffic.
For enterprises and end‑users the takeaway is clear: always verify download sources, routinely audit outbound firewall rules for unknown entries, and employ sandbox services such as Any.run to vet executables before deployment. Proactive monitoring can prevent stealthy proxyware from persisting in corporate environments.
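The audit step above (look for outbound allow rules bound to programs outside the usual system and vendor locations, and for netsh invocations that added them) can be scripted. The following is an added example written for this page, not code from the video or from The PC Security Channel; the list of trusted path roots is an assumption you should adapt to your environment, and the event‑log search only returns results where process creation auditing with command‑line logging (Security event 4688) is already enabled.

```powershell
# Added example (not from the video). Flags outbound Allow firewall rules whose
# program path lies outside the directories listed in $TrustedRoots (assumption:
# adjust for your own software inventory), then searches the Security log for
# netsh calls that added outbound allow rules.

$TrustedRoots = @(
    $env:SystemRoot,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    "$env:ProgramData\Microsoft"
) | Where-Object { $_ }   # drop empty entries on 32-bit hosts

function Get-SuspiciousOutboundRule {
    # Enabled outbound Allow rules; rules not tied to a specific program are skipped
    # because they are the Windows defaults, not the per-binary entries the video shows.
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True | ForEach-Object {
        $rule    = $_
        $program = ($rule | Get-NetFirewallApplicationFilter).Program
        if (-not $program -or $program -eq 'Any') { return }

        # Rule paths are often stored with %SystemRoot%-style variables
        $expanded = [Environment]::ExpandEnvironmentVariables($program)
        $trusted  = $false
        foreach ($root in $TrustedRoots) {
            if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $trusted = $true
                break
            }
        }
        if ($trusted) { return }

        [pscustomobject]@{
            Name        = $rule.Name
            DisplayName = $rule.DisplayName
            Program     = $expanded
            Profile     = $rule.Profile
            Group       = $rule.Group
        }
    }
}

function Get-NetshOutboundRuleEvents {
    param([int]$Days = 30)
    # Process-creation events whose command line added an outbound allow rule via netsh.
    # Requires "Audit Process Creation" plus "Include command line in process creation
    # events" to be enabled; otherwise the Message field carries no command line.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Where-Object {
        $_.Message -match 'netsh' -and
        $_.Message -match 'advfirewall\s+firewall\s+add\s+rule' -and
        $_.Message -match 'dir=out' -and
        $_.Message -match 'action=allow'
    } | Select-Object TimeCreated, Id, @{ Name = 'Message'; Expression = { $_.Message -split "`n" | Select-String 'Command Line' } }
}

Get-SuspiciousOutboundRule | Format-Table -AutoSize
Get-NetshOutboundRuleEvents | Format-List
```

Run it in an elevated PowerShell session; the first function is purely read‑only, and a rule such as the “uphero” outbound allow entry shown in the video would surface because its program sits in a user‑writable directory rather than under Program Files or the Windows directory. Review anything it lists against your software inventory before removing it, since legitimately installed third‑party tools in non‑standard locations will show up too.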
By The PC Security Channel