A newly uncovered malware campaign is exploiting the trusted reputation of 7-Zip, one of the world’s most popular open-source file compression utilities, to transform unsuspecting home computers into nodes in a vast proxy network. The scheme, detailed by cybersecurity firm Malwarebytes in a February 2026 threat intelligence report, represents a sophisticated evolution in how cybercriminals monetize compromised machines — not through ransomware or data theft, but by silently renting out victims’ internet connections to the highest bidder.
The campaign relies on a deceptively simple playbook: fake download pages that mimic the official 7-Zip website are promoted through search engine advertisements and SEO poisoning techniques, luring users who search for the free utility into downloading a trojanized installer. The malicious package does install a functional copy of 7-Zip, making the compromise nearly invisible to the end user, while simultaneously deploying a proxy agent that quietly routes third-party internet traffic through the victim’s IP address.
A Trojan Horse Hiding Inside a Legitimate Tool
According to Malwarebytes’ detailed analysis, the fake 7-Zip installers are distributed through carefully crafted websites that closely replicate the look and feel of the legitimate 7-Zip download page maintained by developer Igor Pavlov. The counterfeit sites use domain names that are slight variations of the real 7-zip.org address — employing techniques such as typosquatting and homograph attacks to fool even moderately cautious users. Some of the fraudulent domains were promoted through paid search advertisements on major search engines, meaning they appeared above organic results when users typed queries like “7-Zip download” or “7-Zip free download.”
The trojanized installer functions as a dropper. Upon execution, it extracts and installs the genuine 7-Zip application in the expected directory, ensuring the user sees exactly the behavior they anticipated. Simultaneously, it deploys a secondary payload — a lightweight proxy agent — that registers the compromised machine with a command-and-control infrastructure. Malwarebytes researchers noted that the proxy agent is designed for stealth, consuming minimal CPU and memory resources to avoid triggering performance-based suspicion from the user. The agent establishes an encrypted connection to its C2 server and awaits instructions to route traffic.
The Booming Underground Market for Residential Proxies
The economic logic behind this campaign is rooted in the explosive growth of the residential proxy market. Legitimate residential proxy services are used by businesses for ad verification, price comparison, and market research. However, cybercriminals have found that residential IP addresses — those assigned by internet service providers to home users — are extraordinarily valuable for conducting fraud, credential stuffing attacks, sneaker botting, and evading geographic restrictions on stolen accounts. Unlike data center IP addresses, residential IPs are far less likely to be flagged or blocked by security systems.
The underground market for residential proxies has matured into a multimillion-dollar industry. Services that aggregate bandwidth from compromised home computers sell access by the gigabyte, often advertising millions of available IP addresses across dozens of countries. As reported by Malwarebytes, the proxy agent deployed in this campaign appears to be affiliated with one such commercial proxy network, though researchers stopped short of naming the specific service pending further investigation. The implication is stark: victims are not merely having their computers compromised — their home internet connections are being packaged and sold as a commodity.
Search Engine Ads as an Attack Vector: A Growing Concern
The use of search engine advertising to distribute malware is not new, but it has accelerated dramatically over the past two years. Google, Microsoft, and other search providers have struggled to keep pace with threat actors who create convincing ad campaigns that pass initial review processes. In 2024 and 2025, multiple security firms documented campaigns that used Google Ads to push fake downloads of popular software including Notepad++, VLC Media Player, OBS Studio, and various GPU drivers. The 7-Zip campaign represents the latest and one of the more insidious entries in this growing catalog of malvertising operations.
The challenge for search engine companies is significant. Threat actors often use cloaking techniques — serving benign content to ad review crawlers while redirecting actual users to malicious download pages. They also frequently rotate domains and hosting infrastructure, making takedown efforts a perpetual game of whack-a-mole. For users, the problem is compounded by the fact that many people implicitly trust search results, particularly those that appear at the top of the page, not realizing that these positions can be purchased by anyone willing to pay.
Why 7-Zip Is a Particularly Attractive Target for Impersonation
7-Zip occupies a unique position in the software ecosystem that makes it especially vulnerable to this type of abuse. The utility is free, open-source, and requires no license key or account creation, so there is no authentication step that might alert a user to a fraudulent download. Its official website, 7-zip.org, has a deliberately minimalist design that is trivial to replicate. Furthermore, 7-Zip is not distributed through a centralized app store on Windows, so most users obtain it by navigating to a website, which is exactly the moment this campaign exploits.
Igor Pavlov, the sole developer of 7-Zip, has historically maintained the project with minimal infrastructure. Unlike commercial software companies, there is no dedicated security team monitoring for brand impersonation or filing automated takedown requests against fraudulent domains. This asymmetry between the software’s enormous user base — estimated in the hundreds of millions — and its one-person development operation creates a gap that threat actors are eager to exploit.
The Technical Anatomy of the Proxy Agent
Malwarebytes’ technical teardown of the proxy agent revealed several noteworthy characteristics. The malware establishes persistence through a Windows service that is configured to start automatically on boot, using a generic service name that blends in with legitimate system processes. It communicates with its C2 infrastructure over HTTPS, making its traffic difficult to distinguish from normal web browsing when examined at the network level. The agent periodically checks in with the C2 server, reporting the machine’s available bandwidth and uptime, and receives instructions on which traffic to route and through which ports.
Researchers found that the proxy agent includes a self-update mechanism, allowing operators to push new versions without requiring the user to download anything additional. This capability suggests a mature operation with ongoing development resources. The agent also includes rudimentary anti-analysis features, such as checks for virtual machine environments and common security research tools, though Malwarebytes noted these were not particularly sophisticated compared to other malware families.
Protecting Yourself: Practical Steps for Home Users and IT Administrators
For individual users, the most critical defense is to verify the source of any software download. The official 7-Zip website is 7-zip.org, and users should type this address directly into their browser rather than clicking on search results or advertisements. Where possible, obtaining software through a trusted package manager, such as the Windows Package Manager (winget, where the package is 7zip.7zip) or Chocolatey, or through a vendor's own listing in the Microsoft Store where the vendor actually publishes there, removes the fraudulent download page from the path entirely. Malwarebytes also recommends that users running 7-Zip check their installed version against the official release and inspect their system for unfamiliar Windows services. The second check is the more telling one: because the dropper installs a genuine copy of 7-Zip alongside the proxy agent, a correct version number or a matching file hash does not by itself rule out compromise, whereas an extra auto-start service does, since a normal 7-Zip installation creates no Windows service at all.
For enterprise IT administrators, the campaign underscores the importance of controlling software acquisition through centralized deployment tools and application control (allow-listing), so that an installer fetched from a search ad cannot execute in the first place. Network monitoring can also help detect compromised endpoints: a workstation whose background process holds connections to large numbers of unrelated external hosts, or whose outbound byte count suddenly rivals its inbound, is behaving like a proxy exit rather than a user's browser. DNS filtering solutions that block known malvertising and typosquatting domains provide an additional layer of protection. As Malwarebytes emphasized, the stealthy nature of proxy malware means that endpoint detection tuned for high-impact threats like ransomware may overlook these lower-profile but still damaging infections.
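The host checks recommended in the two paragraphs above (installed 7-Zip version, unfamiliar auto-start services, unusual outbound connection patterns) can be scripted. The following PowerShell is an added example written for this page; it is not code from the original article, from Malwarebytes, or from the 7-Zip project. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on the machine being examined, and its heuristics (a service binary outside the Windows or Program Files trees, a missing or invalid Authenticode signature, one process fanning out to many external hosts) are the script's own, not indicators published in the report.

```powershell
# Added triage script (not from Malwarebytes or the 7-Zip project).
# Assumptions: run elevated on the Windows host being checked; the heuristics
# below are this script's own and will produce some benign hits to review.

function Get-SevenZipInstall {
    # Installed 7-Zip entries from the Uninstall registry keys (64- and 32-bit views).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '7-Zip*' } |
        ForEach-Object {
            $exe  = if ($_.InstallLocation) { Join-Path $_.InstallLocation '7z.exe' } else { $null }
            # Hash of the installed binary, for comparison with a known-good copy.
            # The dropper installs genuine 7-Zip, so a match says nothing about the rest of the host.
            $hash = if ($exe -and (Test-Path -LiteralPath $exe)) {
                (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            } else { 'n/a' }
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Version     = $_.DisplayVersion
                Location    = $_.InstallLocation
                Sha256      = $hash
            }
        }
}

function Get-SuspiciousAutoStartService {
    # Auto-start services whose binary sits outside the Windows / Program Files trees
    # or lacks a valid Authenticode signature. Treat the output as a list to review.
    $trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName } |
        ForEach-Object {
            # PathName may be quoted and may carry arguments, e.g. "C:\x\agent.exe" -service
            $path = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] }
                    else { ($_.PathName -split '\s+[-/]')[0] }
            $trusted = [bool]($trustedRoots | Where-Object { $path -like "$_*" })
            $sig = if (Test-Path -LiteralPath $path) {
                (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
            } else { 'FileMissing' }
            if (-not $trusted -or $sig -ne 'Valid') {
                [pscustomobject]@{
                    Name        = $_.Name
                    DisplayName = $_.DisplayName
                    State       = $_.State
                    Path        = $path
                    Signature   = $sig
                }
            }
        }
}

function Get-OutboundFanOut {
    # Established TCP connections to non-private addresses, grouped by owning process.
    # A background process talking to many distinct remote hosts looks like a proxy exit.
    param([int]$Top = 10)
    $private = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|fe80:|::1$)'
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch $private } |
        Group-Object -Property OwningProcess |
        ForEach-Object {
            $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
            [pscustomobject]@{
                PID         = [int]$_.Name
                Process     = $proc.ProcessName
                Path        = $proc.Path
                Connections = $_.Count
                RemoteHosts = @($_.Group.RemoteAddress | Select-Object -Unique).Count
            }
        } |
        Sort-Object RemoteHosts -Descending |
        Select-Object -First $Top
}

Write-Host '== Installed 7-Zip =='
Get-SevenZipInstall | Format-Table -AutoSize
Write-Host '== Auto-start services outside trusted paths or without a valid signature =='
Get-SuspiciousAutoStartService | Format-Table -AutoSize
Write-Host '== Processes with the most distinct external peers =='
Get-OutboundFanOut | Format-Table -AutoSize
```

Run it from an administrator prompt; without elevation some service binaries and process paths are unreadable and will show as missing. The service table will list legitimate unsigned third-party services as well, so compare it against a known-clean machine rather than treating every row as malicious. The connection summary is a point-in-time snapshot; a proxy agent that is idle at that moment shows nothing, so run it more than once, and pay attention to any non-browser process whose distinct external peers keep growing between runs.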
The Broader Implications for Software Supply Chain Trust
This campaign is emblematic of a deeper problem facing the open-source software ecosystem. As free utilities become essential infrastructure for hundreds of millions of users, the gap between their popularity and the security resources available to protect their distribution channels widens. The 7-Zip campaign did not compromise the software’s source code or official distribution — it exploited the human moment of searching for and downloading the tool. Yet the effect is the same: users who believed they were obtaining a trusted utility instead received a compromised package that turned their home network into a tool for criminal enterprise.
The incident also raises uncomfortable questions about the responsibilities of search engine companies and advertising platforms. When paid advertisements for malware consistently appear above legitimate organic results, the platforms that profit from those ad placements bear some accountability for the resulting harm. Until the incentive structures change — whether through regulation, litigation, or more effective automated screening — users will continue to face the paradox of search results that are simultaneously the most convenient and the most dangerous way to find software online.