Severity: MEDIUM
CVSS: 5.0
Priority: 0.175
Executive Summary
A threat actor created a fake website impersonating the official 7-Zip project to distribute a trojanized installer that silently deploys proxyware on Windows machines. Any employee who downloaded 7-Zip outside of approved channels may have enrolled their workstation into a covert proxy network, exposing corporate traffic to interception or enabling attacker-controlled tunneling through your network perimeter. The attack requires no software vulnerability, only a user search and a manual download, making shadow IT and unmanaged endpoints the primary exposure surface.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: MEDIUM (medium severity — monitor and assess)
TTP Sophistication: HIGH (9 MITRE ATT&CK techniques identified)
Detection Difficulty: HIGH (multiple evasion techniques observed)
Target Scope: INFO (7-Zip; trojanized installer targeting Windows users; legitimate 7-Zip versions unaffected)
Are You Exposed?
⚠ You use products/services from 7-Zip (trojanized installer targeting Windows users; legitimate 7-Zip versions unaffected) → Assess exposure
⚠ 9 attack techniques identified — review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Technical Analysis
Attack vector: a typosquatting domain mimicking the legitimate 7-Zip distribution site (7-zip.org).
The malicious installer bundles the expected 7-Zip application alongside the proxyware, so the user ends up with a working 7-Zip and has no reason to suspect anything.
No CVE is associated: the attack chain relies on social engineering and brand impersonation, not on a vulnerability in 7-Zip itself.
Relevant CWEs: CWE-1021 (Improper Restriction of Rendered UI Layers, brand impersonation via spoofed site), CWE-494 (Download of Code Without Integrity Check, no signature validation on the installer), CWE-345 (Insufficient Verification of Data Authenticity).
MITRE ATT&CK coverage: T1583.001 (Acquire Infrastructure: Domains), T1608.001 (Stage Capabilities: Upload Malware), T1566.002 (Phishing: Spearphishing Link), T1204.002 (User Execution: Malicious File), T1036.005 (Masquerading: Match Legitimate Name or Location), T1090 / T1090.002 (Proxy / External Proxy), T1071.001 (Application Layer Protocol: Web Protocols), T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain, social-engineering variant).
Payload behavior is consistent with residential proxy enrollment or covert network tunneling; immediate credential theft or data exfiltration has not been confirmed in the available source material. Legitimate 7-Zip versions obtained from the official 7-zip.org site are unaffected.
Source quality: T3 sources only (Malwarebytes Threat Intel, BleepingComputer); no primary vendor advisory was available at the time of writing.
Action Checklist (IR enriched)
Triage Priority: URGENT
Escalate to C-level management and external DFIR firm if: (1) more than 5% of endpoints are confirmed infected, (2) evidence of lateral movement or persistent backdoor installation is found, (3) exfiltrated sensitive data is confirmed through network forensics, or (4) the organization cannot isolate and remediate affected systems within 72 hours.
Step 1, Immediate: Identify any 7-Zip installers downloaded from sources other than 7-zip.org or your approved software repository; quarantine and do not execute.
IR Detail
Preparation
NIST 800-61r3 §2.1 (Preparation phase: tools and resources)
NIST 800-53 SI-7 (Software, Firmware, and Information Integrity)
CIS 2.1 (Address Unauthorized Software)
Compensating Control
Search the Windows file system using PowerShell: Get-ChildItem -Path C:\Users -Recurse -Include '*7z*','*7-zip*' -ErrorAction SilentlyContinue | Select-Object FullName,CreationTime (the official installer is named 7z*.exe, so a filter on *7zip* alone would miss it). Export the results to CSV. Cross-reference download locations against browser history in AppData\Local\Google\Chrome\User Data\Default\History (SQLite) or the Edge equivalent. For offline inspection, use Autopsy or FTK to recover deleted installer artifacts from $Recycle.Bin and unallocated space.
Preserve Evidence
Before quarantining: (1) Capture file hash (SHA-256) of all discovered installers using Get-FileHash; (2) preserve browser download history and cache ($LOCALAPPDATA\Google\Chrome\User Data\Default\History, $LOCALAPPDATA\Microsoft\Edge\User Data\Default\History); (3) snapshot file system metadata (creation, modification, access times) and owner from Properties or fsutil fsinfo volumeinfo; (4) preserve MFT ($MFT) and $LogFile from NTFS for deleted installer recovery.
Step 2, Detection: Search endpoint logs and EDR telemetry for proxyware process execution, unexpected outbound connections on proxy-associated ports (e.g., SOCKS5, HTTP CONNECT), and installer file hashes not matching official 7-Zip releases; cross-reference against the Malwarebytes threat intel report for specific indicators.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 (Detection and Analysis phase: determining if an incident occurred)
NIST 800-53 SI-4 (Information System Monitoring)
NIST 800-53 CA-7 (Continuous Monitoring)
CIS 8.2 (Configure Data Protection)
Compensating Control
Query Windows Event Log 4688 (Process Creation) for parent-child process chains using wevtutil qe Security /q:*[System[(EventID=4688)]] /f:text. Search for outbound port 1080 (SOCKS5) or port 8080 (HTTP proxy) in netstat -ano and established connections via Get-NetTCPConnection -State Established. Use Wireshark to capture and filter network traffic (tcp.dstport==1080 or tcp.dstport==8080) on suspect endpoints. Cross-validate file hashes against public 7-Zip release hashes (available at 7-zip.org/download.html) using certutil -hashfile <path> SHA256.
Preserve Evidence
Preserve: (1) Windows Event Log 4688 and 4689 (process termination) for 72 hours prior to detection; (2) netstat output and Get-NetTCPConnection snapshots at detection time and hourly thereafter; (3) raw network traffic capture (.pcapng) for all suspect endpoints, filtered to include DNS queries, TCP handshakes, and data exfiltration; (4) Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run for persistence mechanisms; (5) Process memory dumps (procdump -ma <PID>) of suspected proxy processes before termination.
Step 3, Assessment: Inventory all Windows endpoints for installed 7-Zip instances; flag any installed outside of centralized patch management or software deployment tools; prioritize unmanaged and shadow IT endpoints.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2.2 (Scope determination and prioritization)
NIST 800-53 CM-8 (Information System Component Inventory)
CIS 1.1 (Inventory and Control of Enterprise Assets)
Compensating Control
Query WMI to enumerate 7-Zip installations: wmic product list brief | findstr /i "7-Zip" (the registered product name is "7-Zip", so filtering on 7zip returns nothing). Export to CSV with endpoint hostname and install date. Cross-reference against centralized deployment logs (WSUS, SCCM logs in C:\Program Files\Microsoft Configuration Manager\Logs or the WSUS AdminUI database). For unmanaged endpoints, execute remote PowerShell manually: Invoke-Command -ComputerName <hostname> -ScriptBlock {Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object {$_.DisplayName -like "*7-Zip*"}} (PowerShell needs the HKLM: drive prefix for the registry path). Maintain a spreadsheet ranking by: (1) installed via unofficial channel, (2) installation date after campaign start, (3) absence from SCCM/WSUS logs, (4) shadow IT/unmanaged status.
Preserve Evidence
Preserve: (1) snapshots of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall (Registry key export); (2) C:\Program Files\7-Zip\7z.exe file metadata (hash, timestamps, digital signature verification); (3) WMI product inventory output with date/time stamp; (4) WSUS/SCCM deployment logs (C:\Program Files\Microsoft Configuration Manager\Logs or SQL database backup if available); (5) BITS Job history (Get-BitsTransfer -AllUsers) to identify unofficial download sources.
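The Step 3 inventory above, combined with the publisher check from the allowlisting guidance in Step 5, as an added PowerShell script that is not part of the original intelligence item. It assumes it runs elevated on each endpoint, and the $KnownGoodHashes list is an assumption to be filled from the official hashes the item says are published at 7-zip.org (a placeholder is used here).

```powershell
# Added example (not from the original intelligence item): inventory 7-Zip installs on this
# host from the Uninstall registry keys and flag any that fail a publisher, hash or path check.
# Assumption: $KnownGoodHashes is filled from the hashes published at 7-zip.org/download.html.
$KnownGoodHashes = @(
    'PLACEHOLDER_SHA256_OF_OFFICIAL_7Z_EXE'   # replace with the official release hash(es)
)
$UninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'   # per-user installs: the shadow-IT case
)
$Findings = foreach ($Entry in Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*7-Zip*' }) {
    # Resolve where the binary lives; fall back to the directory of the uninstaller.
    $Location = $Entry.InstallLocation
    if (-not $Location -and $Entry.UninstallString) {
        $Location = Split-Path -Parent ($Entry.UninstallString -replace '"', '')
    }
    $Binary = if ($Location) { Join-Path $Location '7z.exe' }
    $Sig = $null; $Hash = $null
    if ($Binary -and (Test-Path -LiteralPath $Binary)) {
        $Sig  = Get-AuthenticodeSignature -FilePath $Binary
        $Hash = (Get-FileHash -LiteralPath $Binary -Algorithm SHA256).Hash
    }
    # Official 7-Zip binaries are signed by Igor Pavlov (the publisher named in Step 5);
    # a missing/invalid signature, an unknown hash or an odd install path are the Step 3 ranking flags.
    $Reasons = @()
    if (-not $Sig -or $Sig.Status -ne 'Valid')                     { $Reasons += 'signature-not-valid' }
    elseif ($Sig.SignerCertificate.Subject -notmatch 'CN=Igor Pavlov') { $Reasons += 'unexpected-publisher' }
    if ($Hash -and $Hash -notin $KnownGoodHashes)                  { $Reasons += 'hash-not-in-official-list' }
    if ($Location -notlike "$env:ProgramFiles\7-Zip*")             { $Reasons += 'non-standard-install-path' }
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        DisplayName     = $Entry.DisplayName
        DisplayVersion  = $Entry.DisplayVersion
        InstallDate     = $Entry.InstallDate
        InstallLocation = $Location
        SHA256          = $Hash
        Signer          = $Sig.SignerCertificate.Subject
        Flags           = ($Reasons -join ';')
        Suspicious      = ($Reasons.Count -gt 0)
    }
}
# Suspicious entries first; the CSV is the per-endpoint artifact to preserve (Step 3, item 3).
$Findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
$Findings | Export-Csv -Path "$env:TEMP\7zip-inventory-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Run it through Invoke-Command against the unmanaged hosts from the ranking spreadsheet and merge the CSVs to get the fleet-wide view.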
Step 4, Communication: Notify IT helpdesk and end-user population to avoid manual software downloads and report any recent 7-Zip installations; brief SOC on detection signatures and escalation path for confirmed proxy activity.
IR Detail
Containment
NIST 800-61r3 §3.3 (Containment phase: stakeholder coordination)
NIST 800-53 IR-4 (Incident Handling)
CIS 17.1 (Incident Response Program)
Compensating Control
Draft and distribute: (1) user alert via email with installation check procedure (native Windows: Control Panel > Programs and Features > search '7-Zip'); (2) helpdesk ticket template with 5 required fields (endpoint hostname, 7-Zip version, installation date, download source, user who installed); (3) SOC detection runbook with Yara rule for trojanized 7-Zip hashes and SIEM alert query for ports 1080/8080. Brief SOC verbally with this escalation path: suspicious process/network activity → run verification scripts (hash and port scan) → if confirmed malicious → isolate endpoint from network → escalate to CIRT lead.
Preserve Evidence
Preserve: (1) timestamp and distribution log of user alert (delivery records); (2) SOC alert telemetry for 30 days pre-communication to detect early signals missed during initial detection sweep; (3) helpdesk ticket submission logs to track user-reported 7-Zip installations; (4) communications team log documenting awareness campaign reach and response rate.
Step 5, Long-term: Enforce application allowlisting or software installation controls to block unapproved installer execution; add DNS/web proxy blocking for known typosquatting domains; review and update acceptable use and software procurement policy to require centralized distribution for all utilities.
IR Detail
Recovery
NIST 800-61r3 §3.4 (Post-Incident Activities phase: lessons learned and control updates)
NIST 800-53 CM-11 (User-Installed Software)
NIST 800-53 AC-3 (Access Enforcement)
CIS 2.1 (Address Unauthorized Software)
CIS 13.5 (Restrict and Remediate Unauthorized Network Services)
Compensating Control
Deploy group policy application allowlist via gpedit.msc (User Configuration > Administrative Templates > System > Don't Run Specified Windows Applications) or AppLocker (Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker). Create allowlist rule: allow only signed executables from C:\Program Files\7-Zip\ with publisher CN=Igor Pavlov. Block all other 7z.exe variants. For DNS filtering without enterprise appliances: configure Windows Hosts file (C:\Windows\System32\drivers\etc\hosts) with known typosquatting domains (obtain from Malwarebytes, PhishTank) mapped to 127.0.0.1. Document policy in Employee Handbook with escalation path for exceptions (requires CISO sign-off + business justification). Train procurement on centralized vendor approval process.
Preserve Evidence
Preserve: (1) baseline AppLocker policy export (XML) before implementation; (2) DNS/web proxy deny list with IOC source and capture date; (3) policy document version control (approved date, reviewer sign-off); (4) training attendance logs and competency assessments.
Recovery Guidance
Post-containment: (1) Rebuild or restore affected endpoints from clean backup images dated before the campaign start (validate backup integrity with hash verification). (2) Re-deploy 7-Zip from your centralized repository using SCCM/WSUS with signature verification enabled. (3) Monitor remediated endpoints for re-infection for 30 days after recovery (check for port 1080/8080 outbound activity, unsigned 7z.exe execution, and anomalous process creation). Document all findings in the post-incident report per NIST 800-61r3 §3.4.3.
Key Forensic Artifacts
Windows Event Log 4688 (Process Creation) and 4689 (Process Termination) — captures trojanized installer and proxy process execution
Browser Download History ($LOCALAPPDATA\Google\Chrome\User Data\Default\History, $LOCALAPPDATA\Microsoft\Edge\User Data\Default\History) — establishes source of malicious installer (typosquatting domain vs. legitimate 7-zip.org)
NTFS MFT ($MFT) and $LogFile — recovers deleted installer artifacts and file activity timeline
Network Traffic Capture (.pcapng) on proxy-associated ports (1080 SOCKS5, 8080 HTTP) — demonstrates covert proxy tunnel establishment and potential data exfiltration
Windows Registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) — identifies persistence mechanisms and auto-start execution
Detection Guidance
Behavioral indicators: unexpected outbound proxy connections (SOCKS4/5, port 1080; HTTP CONNECT tunneling) from endpoints shortly after a 7-Zip install event; proxyware process names or services not consistent with approved software inventory; installer execution from user download directories (e.g., %USERPROFILE%\Downloads) rather than a managed deployment path.
Log sources to query: EDR process creation logs (parent-child relationship of installer spawning a secondary process), Windows Event Log (Event ID 4688 for process creation, Event ID 7045 for new service installation), DNS query logs for typosquatting domains resembling '7-zip.org' (e.g., 7zip[.]org variants, 7-zip[.]com, 7ziip[.]org), proxy/firewall logs for sustained low-volume outbound connections to residential proxy infrastructure.
File integrity check: compare SHA-256 hash of any installed 7-Zip binary against official hashes published at 7-zip.org.
Specific IOC values (domain names, hashes, IPs) were not independently verified in the available source material at this time; consult primary threat intelligence sources directly for confirmed indicators before deploying them as detection rules.
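The behavioral chain described in the Detection Guidance above (and the port-based check in Step 2), as an added PowerShell hunting script that is not part of the original intelligence item: it correlates Security log process-creation events (4688) with Windows Filtering Platform connection events (5156) on one host. It assumes Process Creation and Filtering Platform Connection auditing are enabled and that it runs elevated; the installer-name pattern and the 30-minute window are hypothetical tuning values.

```powershell
# Added example (not from the original intelligence item): find a 7-Zip-looking installer
# launched from a download/temp directory that is followed, within a short window, by an
# outbound connection to a proxy-associated port (1080 SOCKS, 8080 HTTP) from this host.
# Assumptions: audit policy logs 4688 and 5156; pattern and window are hypothetical tuning values.
param([int]$LookbackHours = 72, [int]$WindowMinutes = 30)
$ProxyPorts = 1080, 8080
$Since = (Get-Date).AddHours(-$LookbackHours)

# Flatten an event's EventData <Data Name="..."> nodes into a hashtable.
function Get-EventFields($Event) {
    $x = [xml]$Event.ToXml(); $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# 4688: NewProcessName is the launched image; keep installers run from Downloads or Temp,
# e.g. C:\Users\alice\Downloads\7z2409-x64.exe or ...\Downloads\7-zip-setup.exe.
$Installs = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventFields $_
        [pscustomobject]@{ Time=$_.TimeCreated; Image=$d.NewProcessName; Parent=$d.ParentProcessName }
    } |
    Where-Object { $_.Image -match '\\(Downloads|Temp)\\[^\\]*7[-_]?z' }

# 5156: permitted connections; Direction %%14593 is Outbound. Keep only proxy-associated ports.
$Conns = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5156; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventFields $_
        [pscustomobject]@{ Time=$_.TimeCreated; App=$d.Application; ProcId=[int]$d.ProcessID
                           Dest=$d.DestAddress; Port=[int]$d.DestPort; Dir=$d.Direction }
    } |
    Where-Object { $_.Dir -eq '%%14593' -and $_.Port -in $ProxyPorts }

# Correlate by time: the connecting process is usually the dropped proxyware, not the
# installer itself, so the join is on the host and the window rather than on the PID.
$Hits = foreach ($i in $Installs) {
    $Conns | Where-Object { $_.Time -ge $i.Time -and $_.Time -le $i.Time.AddMinutes($WindowMinutes) } |
        ForEach-Object {
            [pscustomobject]@{ InstallTime=$i.Time; Installer=$i.Image; ConnTime=$_.Time
                               Process=$_.App; ProcId=$_.ProcId; Dest="$($_.Dest):$($_.Port)" }
        }
}
if ($Hits) { $Hits | Sort-Object InstallTime | Format-Table -AutoSize }
else       { "No installer-to-proxy-port chain found in the last $LookbackHours h." }
```

A hit is a candidate, not a verdict: take the ProcId/Application to the process memory dump and signature checks from Step 2 before isolating the host.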
Indicators of Compromise (2)
1 domain, 1 URL
Type: DOMAIN
Value: typosquatting domain mimicking 7-zip.org — specific domain not independently verified in available source material
Enrichment: VT, US
Context: Fake distribution site serving trojanized 7-Zip installer bundled with proxyware. Consult Malwarebytes report for confirmed domain value before blocking.
Confidence: LOW
Type: URL
Value: https://www.malwarebytes.com/blog/threat-intel/2026/02/fake-7-zip-downloads-are-turning-home-pcs-into-proxy-nodes
Enrichment: VT, US
Context: Primary source report containing confirmed IOCs including domain names and file hashes — retrieve directly for operationalization.
Confidence: HIGH
Platform Playbooks
IOC Detection Queries (1)
1 URL indicator(s).
KQL Query Preview
Read-only — detection query only
// Threat: Typosquatting Campaign Weaponizes 7-Zip Brand to Deploy Proxy Malware on Enterpr
// Note: the only URL indicator on this item is the Malwarebytes source report itself, not an
// attacker-controlled URL. Replace the list with the confirmed domains from that report before
// using this as a rule; as written it only flags analysts reading the write-up.
let malicious_urls = dynamic(["https://www.malwarebytes.com/blog/threat-intel/2026/02/fake-7-zip-downloads-are-turning-home-pcs-into-proxy-nodes"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_urls)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
    InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (4)
Sentinel rule: Unusual C2 communication patterns
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
Sentinel rule: Suspicious file execution from downloads
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\AppData\\Local\\Temp\\")
| where tolower(FileName) matches regex @"\.(exe|scr|bat|ps1|vbs|js|hta|msi)$"  // match on extension; KQL has no endswith_any operator
| where InitiatingProcessFileName in~ ("explorer.exe", "outlook.exe", "chrome.exe", "msedge.exe")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, AccountName
| sort by Timestamp desc
Sentinel rule: Process name masquerading
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe")
| where not (FolderPath startswith "C:\\Windows\\System32" or FolderPath startswith "C:\\Windows\\SysWOW64" or FolderPath startswith "C:\\Windows\\WinSxS")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Phishing email delivery
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Falcon API IOC Import Payload (1 indicator)
POST to /indicators/entities/iocs/v1 — Weak/benign indicators pre-filtered. Expiration set to 90 days.
[
  {
    "type": "domain",
    "value": "typosquatting domain mimicking 7-zip.org \u2014 specific domain not independently verified in available source material",
    "source": "SCC Threat Intel",
    "description": "Fake distribution site serving trojanized 7-Zip installer bundled with proxyware. Consult Malwarebytes report for confirmed domain value before blocking.",
    "severity": "medium",
    "action": "no_action",
    "platforms": [
      "windows",
      "mac",
      "linux"
    ],
    "applied_globally": true,
    "expiration": "2026-08-01T00:00:00Z"
  }
]
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
MITRE ATT&CK: T1071.001, T1608.001, T1204.002, T1036.005, T1195.002, T1583.001 (+3 more)
NIST 800-53: CM-7, SA-9, SR-3, SI-7, AT-2, SC-7 (+4 more)
HIPAA Security Rule: 164.312(d), 164.308(a)(6)(ii)
MITRE ATT&CK Mapping
T1608.001 Upload Malware (resource-development)
T1036.005 Match Legitimate Resource Name or Location (defense-evasion)
T1195.002 Compromise Software Supply Chain (initial-access)
T1090 Proxy (command-and-control)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.