Today, Immersive's Container 7 Research Team has released a lab covering trust abuse to proliferate a malicious 7-Zip installer containing Go-compiled malware.
In February 2026, security researchers across different organizations exposed a long-running malware distribution campaign targeting users of the popular 7-Zip archiving utility. The threat actors behind the operation registered the convincing lookalike domain 7zip[.]com, closely mimicking the legitimate 7-zip.org, to distribute trojanized installers that silently convert victims' machines into residential proxy nodes.
What is this about?
Brand impersonation attacks represent a critical threat vector where attackers exploit user trust rather than software vulnerabilities. In this campaign, the operators built a sophisticated intrusion chain: a fake 7zip[.]com domain mirrors the structure and content of the official site; the malicious installer carries a now-revoked code-signing certificate issued to "JOZEAL NETWORK TECHNOLOGY CO., LIMITED"; and victims receive a fully functional copy of 7-Zip that also deploys malicious payloads onto their machine. These malicious Golang binaries establish persistence, manipulate firewall rules, and turn victim machines into nodes of a residential proxy botnet.
Why is this critical for you and your team?
As security teams increasingly focus on advanced persistent threats and zero-day exploitation, this campaign demonstrates how attackers achieve persistent access through social engineering and trust exploitation. Users who download software from what appears to be a legitimate source, particularly when following online tutorials or search engine results, bypass the lessons of traditional security awareness training. The malware's use of code-signed binaries, legitimate system directories, and SYSTEM-level service persistence means it evades many endpoint security controls designed to catch obvious malware.
Understanding this infection chain and learning to threat hunt for these artefacts is essential for detecting similar tactics in your environment.
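One way to hunt for the infection chain described above, added here as an example and not part of Immersive's lab: it runs over constructed Sysmon/System-log style records (the field names, event IDs and sample values are assumptions) and reports a host only when a lookalike of 7-zip.org is contacted, then a new SYSTEM service is installed, then a firewall rule is added, all within a short window.

```python
import re
from collections import defaultdict

TRUSTED = {"7-zip.org"}  # the legitimate download site named in the write-up
# netsh advfirewall rule additions or changes, one of the tactics described
FIREWALL_RE = re.compile(r"\bnetsh\b.*\badvfirewall\b.*\b(add|set)\b", re.I)
CHAIN = ["lookalike_domain", "system_service", "firewall_change"]

def _core(domain: str) -> str:
    """Strip 'www.', the TLD and punctuation so '7zip.com' and '7-zip.org' compare equal."""
    d = domain.lower().rstrip(".")
    d = d[4:] if d.startswith("www.") else d
    return re.sub(r"[-_.]", "", d.rsplit(".", 1)[0])

def is_lookalike(domain: str) -> bool:
    """True for a domain that imitates a trusted brand but is not the trusted domain."""
    d = domain.lower().rstrip(".")
    return d not in TRUSTED and any(_core(d) == _core(t) for t in TRUSTED)

def classify(ev: dict):
    """Map one record (assumed field names) to a tactic label, or None if benign."""
    if ev["id"] == 22 and is_lookalike(ev.get("domain", "")):  # Sysmon DNS query
        return "lookalike_domain"
    if ev["id"] == 7045 and ev.get("account", "").lower() == "localsystem":  # new service
        return "system_service"
    if ev["id"] == 1 and FIREWALL_RE.search(ev.get("cmdline", "")):  # Sysmon process create
        return "firewall_change"
    return None

def hunt(events: list, window: int = 900) -> dict:
    """Return {host: tags} for hosts where all three tactics appear in
    infection-chain order within `window` seconds of the first one."""
    seen = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tag = classify(ev)
        if tag and tag not in [t for _, t in seen[ev["host"]]]:  # keep first sighting per tag
            seen[ev["host"]].append((ev["ts"], tag))
    return {h: [t for _, t in s] for h, s in seen.items()
            if [t for _, t in s] == CHAIN and s[-1][0] - s[0][0] <= window}

# Constructed sample telemetry (not real campaign indicators): ws01 shows the full chain,
# ws02 visits the legitimate site and installs a benign service, so it is not reported.
EVENTS = [
    {"host": "ws01", "ts": 100, "id": 22, "domain": "7zip.com"},
    {"host": "ws01", "ts": 160, "id": 7045, "account": "LocalSystem", "image": r"C:\ProgramData\upd\svc.exe"},
    {"host": "ws01", "ts": 170, "id": 1, "cmdline":
     'netsh advfirewall firewall add rule name="upd" dir=in action=allow program="C:\\ProgramData\\upd\\svc.exe"'},
    {"host": "ws02", "ts": 100, "id": 22, "domain": "7-zip.org"},
    {"host": "ws02", "ts": 140, "id": 7045, "account": "LocalSystem", "image": r"C:\Windows\System32\svchost.exe"},
]
```

Because the malware drops into legitimate system directories, the service rule deliberately keys on the SYSTEM account and the surrounding sequence rather than on the binary's path.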
Who is the content for?
- Security Analysts
- Threat Researchers
- Threat Hunters
Here is a link to the lab: