DOCOMO BUSINESS, Inc. All Rights Reserved. Ghost in the 7 - Zip Ryo Minakawa The Shadow of Residential Proxies Creeping into Your Life BSides Tokyo 2026
CLEAR $ Whoami BSides Tokyo 2026 Ryo Minakawa strinsert1Na Senior Manager and CTI analyst @NTT DOCOMO BUSINESS, Inc. I’ve been living in the “ Pokémon Pokopia ” world lately. NTT Com -SIRT
CLEAR Attention BSides Tokyo 2026 Please use the content within the scope of the TLP !! TLP: CLEAR TLP: AMBER+STRICT Approved for internet discussion Limited disclosure
CLEAR Are you familiar with this incident? BSides Tokyo 2026 Fake 7 -Zip downloads are turning home PCs into proxy nodes, https://www.malwarebytes.com/blog/threat-intel/2026/02/fake-7-zip- downloads-are-turning-home-pcs-into-proxy-nodes 『非公式7-Zip Web サイトにて公開されているインストーラによる不審なファイルの展開』, https://wizsafe.iij.ad.jp/2026/01/2075/
CLEAR Presentation Overview BSides Tokyo 2026 • Overview • Investigation results of the Fake 7 -Zip campaign • The campaign was not isolated; similar campaigns are still active today • These campaigns appear to be part of a broader residential proxy ecosystem • Key Takeaways • Pivot -based analysis revealed multiple related campaigns with shared infrastructure and signatures. • Provide insights into the attackers and the residential proxy ecosystem behind the campaigns
CLEAR Deeper Analysis - Landing Website (7zip[.]com) - BSides Tokyo 2026 2001 2025.05.26 2025 2026 2026.02.14 Shut down Redesign 2026.01.11 Fake installer distribution • 7zip[.]com appeared to be a community -run mirror of 7 -zip.org (Official Website ) • It had been continuously operated since 2001 • The reason for its sudden malicious behavior remains unclear • Possibilities include unauthorized access, domain takeover, or a change in ownership • As international media coverage increased, the site was quietly shut down on Feb 14, 2026 ……
CLEAR Deeper Analysis - Landing Website (7zip[.]com) - BSides Tokyo 2026 ~ 2026/1/11 18:48(UTC) 2026/1/11 21:22(UTC) ~ Around 19:00 on Jan 11, 2026, the API response previously pointing to 7 -zip.org was modified to download the installer from the malicious 7zip[.]cloud domain continued until the shutdown on Feb 14. ※ According to the Internet Archive records Ref. Internet Archive, https://web.archive.org/web/20260123064211/https://www.7zip.com/api_v1
CLEAR Deeper Analysis - Installer (Process tree) - BSides Tokyo 2026 • 7zInstaller.exe installs the legitimate 7-Zip application while executing 7zFM.exe, a proxy tool dropper • 7zFM.exe drops three files, including Uphero.exe , and then executes Uphero.exe via Windows service • Uphero.exe updates via C2 communication, configures firewall settings, and generates a victim -specific mask (MD5 -based system identifier) • It then executes hero.exe via a Windows service with the mask as an argument ( -m option) 7zInstaller.exe Fake 7 -zip Installer 7zFM.exe Proxy tools dropper and kick Uphero.exe via Service Uphero.exe Change Firewall settings, send heartbeat request, load configs from C2 and k ick hero.exe via Service hero.exe Connect proxy tunnel $ C:\Windows\SysWOW64\hero¥hero.exe –s hero –m [md5hash calculated by env.] $ C:\WINDOWS\system32\cmd.exe /c netsh advfirewall firewall add rule name="hero" dir=out action=allow program="C:\Windows\SysWOW64\hero\hero.exe"
CLEAR Deeper Analysis - Dropper (7zFM.exe) - BSides Tokyo 2026 A simple dropper that stores all PE files in its resources without encryption or obfuscation
CLEAR POST /client_v2/report/report-log Deeper Analysis - Updater ( Uphero.exe ) - BSides Tokyo 2026 {version=514E504E…} HTTP/1/1 200 OK {"code":200,"msg":"SUCCESS","data":null} POST /client_v2/report/win-log {version=514E504E…} POST /client_v1/config POST /client_v2/version/server {version=514E504E…} {"code":200,"msg":"SUCCESS","data":null} {mask=1234567890abcd…} {"code":200,"msg":"SUCCESS","data":……} {"code":200,"msg":"SUCCESS","data":……} Phase1: Send system information and heartbeat • All data is transmitted XOR - encoded with the single -byte key 0x60 • The server does not return any meaningful responses. HTTP/1/1 200 OK HTTP/1/1 200 OK HTTP/1/1 200 OK Phase2: Fetch configuration required for proxy communication • For some reason, only this API uses a different version, and the data is transmitted in plaintext Phase3: Retrieves campaign update information from the C2 server • The latest proxy tool deployed
CLEAR POST /client_v2/report/report-log Deeper Analysis - Updater ( Uphero.exe ) Phase 2 - BSides Tokyo 2026 {version=514E504E…} HTTP/1/1 200 OK {"code":200,"msg":"SUCCESS","data":null} POST /client_v2/report/win-log {version=514E504E…} POST /client_v1/config POST /client_v2/version/server {version=514E504E…} {"code":200,"msg":"SUCCESS","data":null} {mask=1234567890abcd…} {"code":200,"msg":"SUCCESS","data":……} {"code":200,"msg":"SUCCESS","data":……} HTTP/1/1 200 OK HTTP/1/1 200 OK HTTP/1/1 200 OK { "code": 200, "msg": "SUCCESS", "data": { "china_ip_list": { "md5":(snip.)", ”url”(snip.)}, "china_domain_list": { "md5”(snip.) , "url”: (snip.)}, (snip.) }, (snip.) "http": { "server_addr": "89.187.169.66:1000", "limit": 0, "user_id": 19661396, (snip.) "sleep_time": 10, "key": 112, "keep_time": 25 }, (snip.) } mask=c19be9f13d0cbfc1e0618065c4a55b97&platfor m=4&version=1.2.1.0_8_hero • Fetch configuration required for the proxy tool ( hero.exe ) • The server response includes the proxy server IP address and port, as well as a single-byte XOR key used for communication encryption. • All data is transmitted in plaintext • possibly because the implementation was incomplete
CLEAR Deeper Analysis - Proxy tool ( hero.exe ) - BSides Tokyo 2026 Ref. Beware of Fake 7zip Installer: upStage Proxy , https://blog.lukeacha.com/2026/01/beware-of-fake-7zip-installer-upstage.html Establishes a TCP connection to the target using configuration provided by the C2 server. Communication is XOR -encoded with a single byte key, and the tool relays traffic as a proxy.
CLEAR Deeper Analysis - Proxy tunnel endpoint - BSides Tokyo 2026 https://platform.censys.io/search?q=host.autonomous_system.asn+%3D+%2260068%22+and+host.services.por t%3A+%7B999%2C+1300%2C+1301%7D&org=4dee09ba -f67f -460f -b1c9 -3a34a9b69c2b The proxy endpoints distributed by the C2 change frequently. Around 60 endpoints were identified through Censys .
CLEAR C2 server response (from uclscan.io ) BSides Tokyo 2026 Accessing the default page displays a message advertising the technical support service. Ref. URLScan , https://urlscan.io/result/019bc548-7f63-70e5-8a71-35a7ec7b14e4/
CLEAR What is Wire VPN?? BSides Tokyo 2026 https://wirevpn.app Advertised as free VPN to use. VPN applications are available not only for Windows, but also on Google Play and the App Store.
CLEAR Patchwork implementation BSides Tokyo 2026 When starting a new campaign, they add new functionality on top of existing code using conditional branching . As a result, traces and hints from past operations remain in the codebase. Uphero.exe
CLEAR What is “ iShark VPN” BSides Tokyo 2026 A free VPN available on multiple platforms, similar to Wire VPN, with an unknown operator. https://www.ishark.com
CLEAR Investigation of PDB path BSides Tokyo 2026 7zipInstall.exe upTiktok.exe This actor operates from the path ”D:\youqu_job ”. I also identified a “Snaptik” (related upTiktok.exe ) application using a nearly identical PDB path.”
CLEAR Investigation of PE Signatures BSides Tokyo 2026 upTiktok.exe 911proxy.exe The code -signing certificate embedded in the PE file is reused by a proxy tool, 911proxy.exe
CLEAR What is 911Proxy? BSides Tokyo 2026 https://www.911proxy.com Based on the website, 911Proxy service seems to mainly offer residential proxy The company name matches the PE signing certificate.
CLEAR Limitation BSides Tokyo 2026 • As an ISP operator, we would like to take action against infected users, but currently have limited options • Unlike IoT botnets, compromised endpoints are not exposed at the Internet boundary . • One possible option is to use this service to identify compromised devices, however… • Giving attackers financial incentives is not a desirable approach • Generalizing countermeasures is difficult • In this case, avoiding suspicious applications is the main mitigation • However, residential proxies could also be deployed through today’s supply chain attacks
CLEAR Summary BSides Tokyo 2026 • Deep dive into the Fake 7 -Zip campaign observed in Japan • This is only the tip of the iceberg of a much larger residential proxy • The VPN services introduced today are still available on app stores and remain part of an ongoing campaigns . • There is no silver bullet for mitigation • As practical measures, frequently used applications should be deployed by IT departments rather than individual users, and development environments should be isolated when possible I am looking for collaborators with new ideas for combating residential proxy incidents!!
CLEAR Appendix: IoC (C2 Servers) BSides Tokyo 2026 Domain Details api.7zip[.]cloud C2 domain of the Fake 7 -Zip campaign update.7zip[.]cloud Fake 7 -Zip installer distribution domain spark.herosms [.]io C2 domain of the Fake 7 -Zip campaign soc.hero -sms [.]co C2 domain of the Fake 7 -Zip campaign neo.herosms [.]co C2 domain of the Fake 7 -Zip campaign flux.smshero [.]co C2 domain of the Fake 7 -Zip campaign nova.smshero [.]ai C2 domain of the Fake 7 -Zip campaign zest.hero -sms [.]ai C2 domain of the Fake 7 -Zip campaign apex.herosms [.]ai C2 domain of the Fake 7 -Zip campaign mint.smshero [.]com C2 domain of the Fake 7 -Zip campaign vivid.smshero [.]vip C2 domain of the Fake 7 -Zip campaign Domain Details prime.herosms [.]vip C2 domain of the Fake 7 -Zip campaign glide.smshero [.]cc C2 domain of the Fake 7 -Zip campaign pulse.herosms [.]cc C2 domain of the Fake 7 -Zip campaign api.wirevpn [.]app C2 domain of the Wire VPN campaign apiv3.wirevpn[.]app C2 domain of the Wire VPN campaign update.wirevpn [.]app C2 domain of the Wire VPN campaign api.isharkvpn [.]com C2 domain of the ishark VPN campaign update.isharkvpn [.]com C2 domain of the ishark VPN campaign api.snaptik [.]io C2 domain of the Snaptik campaign update.snaptik [.]io C2 domain of the Snaptik campaign run.rocketapp [.]cc C2 domain of the related RocetApp campaign
nttcom
kogo
trafficbrain
flekschas
hysmrk
yuukit
kikuzo
chck
morishtr
.jpg){kind=avatar}
iflection
.png){kind=avatar}
satai
rudorudo11
icttitech
samlambert
chriscoyier
michaelherold
davidcarrasco
addyosmani
portentint
tmiket
reverentgeek
mayatellez
soysaucechin
holman
