
Residential proxy botnets enable criminals to mask malicious traffic, amplify fraud, and evade law‑enforcement tracking, posing a growing threat to both consumers and enterprises. The incident highlights how simple domain‑typo errors can fuel large‑scale proxyware campaigns.
The emergence of proxyware hidden inside a ubiquitous compression tool underscores a shift in cybercriminal economics. Residential proxy nodes, harvested from unsuspecting home PCs, provide low‑cost, high‑anonymity pathways for illicit activities such as credential stuffing, ad fraud, and data exfiltration. By leveraging a compromised 7‑Zip installer, attackers can rapidly scale a botnet without the need for sophisticated exploit chains, relying instead on the trust users place in familiar software.
Supply‑chain hygiene has never been more critical as attackers exploit the weakest link: human error. The 7zip.com domain, a near‑identical copy of the legitimate 7‑zip.org site, was propagated through YouTube tutorial comments and Reddit threads, illustrating how content creators can unintentionally become distribution channels for malware. Users often overlook subtle URL differences and assume code‑signing certificates are trustworthy, making them vulnerable to such impersonation attacks. Educating end‑users to verify download sources, bookmark official sites, and scrutinize digital signatures can dramatically reduce exposure.
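The two user-side checks the paragraph recommends, verifying the download host and checking the installer against a vendor-published hash, can be scripted. The following is an added example written for this article, not code from the article or from the 7-Zip project. The allowlist of official hosts (7-zip.org and www.7-zip.org) and the sample hash values are assumptions made for illustration; a real check would take the expected SHA-256 from the vendor's own download page, reached through the verified host.

```python
"""Download-source verification: allowlist plus lookalike-domain check for
installer URLs, and SHA-256 verification of the downloaded file.

Added example; not the article's or the 7-Zip project's code. OFFICIAL_HOSTS
and the hashes used in the demo are assumptions/constructed values.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Assumption: these are the only hosts we accept for 7-Zip downloads.
OFFICIAL_HOSTS = {"7-zip.org", "www.7-zip.org"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify_download_url(url: str, official_hosts=OFFICIAL_HOSTS) -> str:
    """Return 'official', 'lookalike' or 'unknown' for a download URL.

    'official' requires an exact allowlist match. 'lookalike' means some label
    of the hostname is within one edit of an official brand label ('7-zip'),
    which covers 7zip.com, 7-zip.com and '7-zip.org.<something-else>' hosts.
    Anything else is 'unknown' and should not be trusted either."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    allow = {h.lower() for h in official_hosts}
    if host in allow:
        return "official"
    official_labels = {h.split(".")[-2] for h in allow}   # e.g. {"7-zip"}
    labels = [p for p in host.split(".") if p]
    if any(edit_distance(lab, o) <= 1 for lab in labels for o in official_labels):
        return "lookalike"
    return "unknown"


def verify_installer_bytes(data: bytes, expected_sha256: str) -> bool:
    """True only if SHA-256(data) equals the vendor-published hex digest.
    Case-insensitive on the hex string; constant-time comparison."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_sha256.strip().lower())


def verify_installer_file(path: str, expected_sha256: str) -> bool:
    """File-based wrapper: hash the whole installer and compare."""
    with open(path, "rb") as f:
        return verify_installer_bytes(f.read(), expected_sha256)


if __name__ == "__main__":
    for u in ("https://www.7-zip.org/a/7z.exe",
              "https://7zip.com/download.html",
              "https://example.com/7z.exe"):
        print(u, "->", classify_download_url(u))
    # Constructed demo: SHA-256 of b"abc" is a well-known test vector.
    print(verify_installer_bytes(
        b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"))
```

A valid code-signing certificate on the installer does not replace either check: the article notes that users wrongly assume a signature implies a trustworthy source, so the hostname classification and the hash comparison against a value obtained from the verified host are what actually establish provenance.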
For organizations, the presence of unauthorized Windows services, unexpected firewall rule modifications, and outbound connections to known proxy C2 domains are strong indicators of compromise. Deploying endpoint detection and response (EDR) tools that flag anomalous process behavior, combined with network‑level blocking of proxy endpoints, can contain the threat. Moreover, integrating threat‑intel feeds that track emerging proxyware campaigns enables security teams to proactively disrupt the botnet’s command infrastructure, safeguarding both corporate assets and the broader internet ecosystem.
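The three indicators named above (an unauthorized Windows service, an outbound firewall rule change, and contact with a known proxy C2 domain) can be correlated per host from ordinary logs. Below is an added example for this article, not code from the article or any vendor product. The log lines, the service baseline and the C2 watchlist are constructed placeholders; in practice the watchlist would come from the threat-intel feed the paragraph mentions and the baseline from the organization's own inventory.

```python
"""Per-host triage of proxyware indicators over log lines: new Windows
services (Event ID 7045), outbound firewall allow rules, and DNS queries for
domains on a proxy-C2 watchlist. A host with two or more indicator categories
is reported as a suspected compromise.

Added example, not from the article. SAMPLE_LOG, KNOWN_SERVICES and
PROXY_C2_DOMAINS are constructed placeholders.
"""
import re
from collections import defaultdict

# Placeholder watchlist (would be fed from threat intel in a real deployment).
PROXY_C2_DOMAINS = {"proxy-c2.example.invalid", "nodes.example.invalid"}

# Assumed baseline of services expected on the fleet.
KNOWN_SERVICES = {"wuauserv", "Dnscache", "EventLog"}

# Constructed sample events, one per line: "<host> <source> <message>".
SAMPLE_LOG = """\
ws01 system EventID=7045 ServiceName=WinUpdSvc ImagePath=C:\\Users\\Public\\svc.exe
ws01 firewall netsh advfirewall firewall add rule name="svc" dir=out action=allow program=C:\\Users\\Public\\svc.exe
ws01 dns query=proxy-c2.example.invalid type=A
ws02 system EventID=7045 ServiceName=Dnscache ImagePath=C:\\Windows\\System32\\svchost.exe
ws03 dns query=updates.example.invalid type=A
"""

SERVICE_RE = re.compile(r"EventID=7045\s+ServiceName=(\S+)\s+ImagePath=(\S+)")
FIREWALL_RE = re.compile(r"advfirewall firewall add rule .*dir=out action=allow")
DNS_RE = re.compile(r"query=(\S+)")


def triage(log_text: str) -> dict:
    """Map each host to the sorted list of indicator categories seen for it."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, _source, message = line.split(" ", 2)

        # Indicator 1: a newly installed service that is not in the baseline
        # or whose binary lives under a user-writable profile directory.
        m = SERVICE_RE.search(message)
        if m:
            name, image = m.group(1), m.group(2)
            if name not in KNOWN_SERVICES or image.lower().startswith("c:\\users\\"):
                findings[host].add("unauthorized_service")

        # Indicator 2: an outbound allow rule added to the host firewall.
        if FIREWALL_RE.search(message):
            findings[host].add("firewall_rule_change")

        # Indicator 3: DNS lookup of a domain on the proxy-C2 watchlist.
        m = DNS_RE.search(message)
        if m and m.group(1).lower() in PROXY_C2_DOMAINS:
            findings[host].add("proxy_c2_contact")

    return {h: sorted(cats) for h, cats in findings.items()}


def suspected_hosts(log_text: str, min_categories: int = 2) -> list:
    """Hosts with at least `min_categories` distinct indicator categories."""
    return sorted(h for h, cats in triage(log_text).items()
                  if len(cats) >= min_categories)


if __name__ == "__main__":
    for host, cats in triage(SAMPLE_LOG).items():
        print(host, cats)
    print("suspected:", suspected_hosts(SAMPLE_LOG))
```

Requiring two independent categories before raising an alert keeps a single noisy event (for instance a legitimate software install that registers a service) from paging the team, while the combination of a user-profile service, an outbound rule for the same binary and watchlist DNS traffic is the pattern the paragraph describes.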