Date: 2026-02-10

A trojanized version of the popular 7-Zip software is quietly turning home computers into residential proxy nodes, Malwarebytes warns.

Spurred by a Reddit post in which a user complained about getting infected with malware after downloading 7-Zip from 7zip[.]com instead of the legitimate 7-zip.org, Malwarebytes researchers looked into the matter and found that the malicious installer functions as 7-Zip, but also silently drops additional payloads onto the system.

Further analysis showed the malware’s primary role was proxyware, with infected systems used as residential proxy nodes that allow third parties to route traffic through the victim’s IP address.

The malware employs multiple measures designed to avoid detection, such as checking its environment for signs that it is being analyzed or monitored before running.

“Any system that has executed installers from 7zip[.]com should be considered compromised,” Stefan Dasic, manager of research and response at Malwarebytes, warned.

Be careful when downloading software

The user who complained about installing the trojanized 7-Zip ended up on the malicious lookalike website after following a link from a comment on a YouTube tutorial for a new 7-Zip build.

“The Reddit case highlights YouTube tutorials as an inadvertent malware distribution vector, where creators incorrectly reference 7zip.com instead of the legitimate domain. This shows how attackers can exploit small errors in otherwise benign content ecosystems to funnel victims toward malicious infrastructure at scale,” noted Dasic.

End users are urged to be careful when downloading software. “Verify software sources and bookmark official project domains. Treat unexpected code‑signing identities with skepticism,” Dasic advised.

Enterprise defenders should also monitor for unauthorized Windows services and firewall rule changes and block known C2 domains and proxy endpoints at the network perimeter.
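
The advice to verify software sources and pin official project domains can be enforced mechanically, for example on proxy logs or links in internal documentation. The following Python check is an added example, not code from Malwarebytes or the article; the allowlist contents, the function names and the one-edit threshold are assumptions, and the sample URLs in the comments are constructed.

```python
from urllib.parse import urlsplit

# Assumption: allowlist of official download domains an organization pins.
# 7-zip.org is the legitimate domain named in the article.
OFFICIAL_DOMAINS = {"7-zip.org"}

def host_of(url):
    """Extract a lowercase hostname; accepts defanged input such as 7zip[.]com."""
    url = url.strip().replace("[.]", ".")
    if "//" not in url:
        url = "//" + url  # let urlsplit treat a bare host as a netloc
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host

def skeleton(label):
    """Collapse separators so '7-zip' and '7zip' compare as equal."""
    return label.replace("-", "").replace("_", "")

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return 'official', 'lookalike', 'unknown' or 'invalid' for a download URL."""
    host = host_of(url)
    if not host:
        return "invalid"
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # Compare every label except the TLD, so both a TLD swap (7zip.com) and an
    # official name embedded in another domain's subdomain are flagged.
    labels = host.split(".")[:-1]
    for d in OFFICIAL_DOMAINS:
        brand = skeleton(d.split(".")[0])
        if any(edit_distance(skeleton(l), brand) <= 1 for l in labels):
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample inputs.
    for u in ("https://www.7-zip.org/download.html", "7zip[.]com", "https://example.com/"):
        print(u, "->", classify(u))
```

A "lookalike" verdict is a triage signal for review or blocking, not proof of malice, and short brand names will produce some false positives at this threshold.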

Malwarebytes also linked the 7-Zip impersonation to a broader proxyware distribution operation by identifying related binaries referencing Hola (VPN/Proxy unblocker), TikTok (social media), WhatsApp and Wire (messaging apps).