That Download Link Might Be a Trap
A fake 7-Zip website is turning computers into proxy nodes. Here's how to spot fake download sites before you install malware.
Someone followed a YouTube tutorial on building a PC. The video linked to 7zip.com for the compression tool. Reasonable enough — that's what you'd expect the URL to be.
Except the real 7-Zip lives at 7-zip.org. The .com version? That's a fake site distributing malware. The installer works perfectly — it actually installs 7-Zip — but it also quietly turns your computer into a node in a residential proxy network.
The malicious site is still live right now. It looks almost identical to the real one. And this isn't an isolated case — researchers found the same attackers running fake installers for HolaVPN, TikTok, WhatsApp, and Wire VPN.
This happens constantly. Let's talk about how to avoid it.
What's a Residential Proxy (And Why Should You Care)?
When criminals want to do sketchy things online — credential stuffing, scraping, fraud, distributed attacks — they need to hide their real IP addresses. Datacenter IPs get blocked quickly. But traffic from a residential connection? That looks like a normal person browsing the web.
That's where you come in.
The malware installed by these fake sites enrolls your computer in a proxy network. Your internet connection gets used to route other people's traffic. Your IP shows up in logs when they're attacking something. Your bandwidth gets consumed. And you have no idea it's happening.
From the outside, you look like the attacker.
How the Fake 7-Zip Attack Works
The attackers registered 7zip.com and copied the layout of the real 7-Zip website. Unless you look carefully at the URL, you'd never notice the difference.
When you download and run the installer:
- It actually installs 7-Zip — The program works. You get real, functional compression software. No red flags.
- It drops three extra files — Hidden in your system folders, the malware quietly installs itself as a Windows service running with SYSTEM privileges.
- It modifies your firewall — Using Windows' built-in tools, it adds inbound and outbound allow rules for its proxy payload.
- Your computer becomes a proxy node — The malware phones home, gets its configuration, and starts routing traffic through your connection.
The malware is signed with a (now-revoked) digital certificate, which helps it slip past some security tools. It uses DNS-over-HTTPS through Google's servers to hide its traffic from network monitoring. It even checks if it's running in a virtual machine and shuts down if it detects analysis tools.
These aren't amateurs.
This Pattern Is Everywhere
Fake software download sites are one of the oldest tricks in the book, and they're still working. The approach is always the same:
- Register a plausible domain. The real VLC player is at videolan.org. Attackers register vlc.com, vlc-player.com, download-vlc.com. The real 7-Zip is at 7-zip.org. Attackers grab 7zip.com.
- Copy the real website. It takes about five minutes to clone a website's appearance. Most people don't check beyond "does this look right?"
- Trojanize the installer. The malware includes the real software, so it works. The victim gets what they wanted. They just also get something extra.
- Distribute through trusted channels. YouTube tutorials. Sponsored search results. Forum recommendations. Anywhere people go looking for download links.
I've seen this with:
- VLC (endless fake sites)
- 7-Zip (current campaign)
- OBS Studio (streaming software)
- Notepad++ (fake sites pushing infostealers)
- GIMP (image editor)
- Audacity (audio editor)
- Handbrake (video converter)
Basically, any popular free software. If people search for it, someone's running a fake site for it.
How to Download Software Safely
Here's my approach. It's a bit paranoid, but paranoid keeps you clean.
1. Know the Official Domain
Before you search for anything, figure out where it actually lives:
| Software | Official Site |
|---|---|
| 7-Zip | 7-zip.org |
| VLC | videolan.org |
| OBS Studio | obsproject.com |
| Notepad++ | notepad-plus-plus.org |
| GIMP | gimp.org |
| Audacity | audacityteam.org |
| Firefox | mozilla.org |
| LibreOffice | libreoffice.org |
| KeePassXC | keepassxc.org |
Notice the pattern? Legitimate projects usually use .org domains. They're not sitting on premium .com domains (those cost money that open-source projects don't have).
2. Don't Trust Search Results
This is crucial. The top results on Google aren't always legitimate.
Attackers buy ads for software names. "Download 7-Zip" might show a sponsored result pointing to a malicious site before the real one appears. Google has gotten better at catching these, but they still slip through.
Go directly to the official domain. Type it yourself. Don't click a search result unless you've verified it matches the official site.
3. Never Follow Links from YouTube or Forums
That helpful tutorial? The forum post with "working download link"? Could be malicious. Could be an old link that got hijacked. Could be affiliate-stuffed garbage.
Find the official source yourself. Every time.
4. Use Package Managers When Possible
If you're on Windows, winget comes built in:
winget install 7zip.7zip
winget install VideoLAN.VLC
winget install Notepad++.Notepad++
On macOS, use Homebrew:
brew install --cask 7-zip
brew install --cask vlc
Package managers download from verified sources. You don't have to worry about fake websites because you're not visiting websites at all.
5. Check the Download Before Installing
After downloading but before running:
- Right-click → Properties → Digital Signatures — Legitimate software is usually signed. 7-Zip should be signed by Igor Pavlov. VLC should be signed by VideoLAN.
- Scan with VirusTotal — Upload the installer to virustotal.com and see if any engines flag it. (The fake 7-Zip was flagged by several.)
- Check the file hash — Official sites often publish SHA256 hashes. Compare yours to theirs.
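The signature and hash checks above, as an added PowerShell example (not code from the original article). The function name is mine; the expected signer and SHA256 are values you copy from the vendor's official page, and the hash in the usage line is a placeholder, not a real 7-Zip hash.

```powershell
# Added example: verify a downloaded installer's Authenticode signature and SHA256 hash
# before running it. Expected signer/hash come from the official site, never from the
# download page you are suspicious of.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSigner,   # 'Igor Pavlov' for 7-Zip, 'VideoLAN' for VLC
        [string] $ExpectedSha256                           # SHA256 published on the official page, if any
    )

    $result = [ordered]@{ Path = $Path; SignatureOk = $false; HashOk = $null }

    # 1. Signature: the chain must validate AND the certificate subject must name the
    #    publisher you expect. "Valid" alone is not enough; the fake 7-Zip was signed too.
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $result.SignerStatus  = $sig.Status.ToString()
    $result.SignerSubject = $subject
    $result.SignatureOk   = ($sig.Status -eq 'Valid') -and ($subject -like "*CN=$ExpectedSigner*")

    # 2. Hash: compare (case-insensitively) with the SHA256 the official site publishes.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
        $result.ActualSha256 = $actual
        $result.HashOk       = ($actual -ieq $ExpectedSha256.Trim())
    }

    # Safe only if the signature matched and the hash, when supplied, matched as well.
    $result.SafeToRun = $result.SignatureOk -and ($result.HashOk -ne $false)
    return [pscustomobject]$result
}

# Usage (placeholder file name and hash): run this on the installer you just downloaded.
Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\7z-installer.exe" `
    -ExpectedSigner 'Igor Pavlov' `
    -ExpectedSha256 'PASTE-SHA256-FROM-7-ZIP.ORG' | Format-List
```

With the placeholder hash left in, SafeToRun reports False, which is the intended outcome until you have the real value.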
6. Bookmark Your Software Sources
This is the simplest fix. Once you've verified the real site, bookmark it. Next time you need an update, use the bookmark instead of searching.
I have a bookmarks folder called "Software" with verified download pages for everything I use regularly.
What If You Already Installed Something Suspicious?
If you downloaded software from a questionable source:
- Check your running services — Open Task Manager → Services tab. Look for anything unfamiliar, especially services running as SYSTEM that you don't recognize.
- Check your startup programs — Settings → Apps → Startup. Disable and investigate anything you don't recognize.
- Run a scan — Malwarebytes (free version works fine) is good at catching proxyware and adware that Windows Defender might miss.
- Check your firewall rules — Windows Security → Firewall → Advanced settings. Look for rules you didn't create, especially allowing inbound connections.
For the specific 7-Zip malware, look for:
- Files in C:\Windows\SysWOW64\hero\
- Services named "Uphero" or containing "hero"
- Firewall rules for hero.exe or uphero.exe
If you find any of that, you've got it. Remove the files, delete the service, reset your firewall rules, and change any passwords you've used while infected.
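The same three checks, scripted. This is an added PowerShell example, not part of the original article or the cited research; the function name is mine, and it looks only for the indicators listed above (the hero\ directory, services containing "hero", and firewall rules for hero.exe or uphero.exe). Service and firewall queries need an elevated prompt.

```powershell
# Added example: report the indicators the article lists for the fake 7-Zip proxyware.
function Find-FakeSevenZipProxyware {
    $findings = @()

    # 1. Dropped files under C:\Windows\SysWOW64\hero\
    $dropDir = Join-Path $env:windir 'SysWOW64\hero'
    if (Test-Path -LiteralPath $dropDir) {
        $findings += "Directory present: $dropDir"
        foreach ($f in Get-ChildItem -LiteralPath $dropDir -Force -Recurse -ErrorAction SilentlyContinue) {
            $findings += "  file: $($f.FullName) ($($f.Length) bytes)"
        }
    }

    # 2. Services named "Uphero" or containing "hero"; show the account and binary too,
    #    since the article says the payload runs as a SYSTEM service.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -match 'hero' -or $_.DisplayName -match 'hero' }
    foreach ($svc in $services) {
        $findings += "Service: $($svc.Name) [$($svc.State)] runs as $($svc.StartName) -> $($svc.PathName)"
    }

    # 3. Firewall rules whose program filter points at hero.exe or uphero.exe
    $rules = Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -match '\\u?hero\.exe$' } |
        Get-NetFirewallRule
    foreach ($r in $rules) {
        $findings += "Firewall rule: '$($r.DisplayName)' $($r.Direction) $($r.Action) (enabled: $($r.Enabled))"
    }

    if ($findings.Count -eq 0) { return 'No indicators from the fake 7-Zip campaign found.' }
    return $findings
}

Find-FakeSevenZipProxyware
```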
The Actual Lesson
The internet runs on trust, and attackers exploit that trust constantly. They register domains that look right. They copy websites that look authentic. They bundle malware with software that actually works.
Your defense is simple: slow down and verify.
Before you download anything, take ten seconds to confirm you're on the official site. Use package managers when you can. Don't click links from random sources.
It's not complicated. It just requires you to pause before you click.
Sources: Malwarebytes, BleepingComputer