FOSDEM 2026Β The creators of security software have encountered an unlikely foe in their attempts to protect us: modern compilers.β¦
This is amazing:
Opus 4.6 is notably better at finding high-severity vulnerabilities than previous models and a sign of how quickly things are moving. Security teams have been automating vulnerability discovery for years, investing heavily in fuzzing infrastructure and custom harnesses to find bugs at scale. But what stood out in early testing is how quickly Opus 4.6 found vulnerabilities out of the box without task-specific tooling, custom scaffolding, or specialized prompting. Even more interesting is how it found them. Fuzzers work by throwing massive amounts of random inputs at code to see what breaks. Opus 4.6 reads and reasons about code the way a human researcher wouldΒβlooking at past fixes to find similar bugs that werenβt addressed, spotting patterns that tend to cause problems, or understanding a piece of logic well enough to know exactly what input would break it. When we pointed Opus 4.6 at some of the most well-tested codebases (projects that have had fuzzers running against them for years, accumulating millions of hours of CPU time), Opus 4.6 found high-severity vulnerabilities, some that had gone undetected for decades.
The details of how Claude Opus 4.6 found these zero-days is the interesting partβread the whole blog post.
News article.
SmarterTools says customers were impacted after hackers compromised a data center used for quality control testing.
The post SmarterTools Hit by Ransomware via Vulnerability in Its Own Product appeared first on SecurityWeek.
European techies looking for the biggest payday are far better off in Switzerland than anywhere else, with average salaries eclipsing all other countries on the continent.β¦
A convincing lookalike of the popular 7-Zip archiver site has been serving a trojanized installer that silently converts victimsβ machines into residential proxy nodesβand it has been hiding in plain sight for some time.
A PC builder recently turned to Redditβs r/pcmasterrace community in a panic after realizing they had downloaded 7βZip from the wrong website. Following a YouTube tutorial for a new build, they were instructed to download 7βZip from 7zip[.]com, unaware that the legitimate project is hosted exclusively at 7-zip.org.
In their Reddit post, the user described installing the file first on a laptop and later transferring it via USB to a newly built desktop. They encountered repeated 32βbit versus 64βbit errors and ultimately abandoned the installer in favor of Windowsβ builtβin extraction tools. Nearly two weeks later, Microsoft Defender alerted on the system with a generic detection: Trojan:Win32/Malgent!MSR.
The experience illustrates how a seemingly minor domain mix-up can result in long-lived, unauthorized use of a system when attackers successfully masquerade as trusted software distributors.
This is not a simple case of a malicious download hosted on a random site. The operators behind 7zip[.]com distributed a trojanized installer via a lookalike domain, delivering a functional copy of functional 7βZip File Manager alongside a concealed malware payload.
The installer is Authenticodeβsigned using a nowβrevoked certificate issued to Jozeal Network Technology Co., Limited, lending it superficial legitimacy. During installation, a modified build of 7zfm.exe is deployed and functions as expected, reducing user suspicion. In parallel, three additional components are silently dropped:
All components are written to C:\Windows\SysWOW64\hero\, a privileged directory that is unlikely to be manually inspected.
An independent update channel was also observed at update.7zip[.]com/version/win-service/1.0.0.2/Uphero.exe.zip, indicating that the malware payload can be updated independently of the installer itself.
One of the more concerning aspects of this campaign is its reliance on thirdβparty trust. The Reddit case highlights YouTube tutorials as an inadvertent malware distribution vector, where creators incorrectly reference 7zip.com instead of the legitimate domain.
This shows how attackers can exploit small errors in otherwise benign content ecosystems to funnel victims toward malicious infrastructure at scale.
Behavioral analysis shows a rapid and methodical infection chain:
1. File deploymentβThe payload is installed into SysWOW64, requiring elevated privileges and signaling intent for deep system integration.
2. Persistence via Windows servicesβBoth Uphero.exe and hero.exe are registered as autoβstart Windows services running under System privileges, ensuring execution on every boot.
3. Firewall rule manipulationβThe malware invokes netsh to remove existing rules and create new inbound and outbound allow rules for its binaries. This is intended to reduce interference with network traffic and support seamless payload updates.
4. Host profilingβUsing WMI and native Windows APIs, the malware enumerates system characteristics including hardware identifiers, memory size, CPU count, disk attributes, and network configuration. The malware communicates with iplogger[.]org via a dedicated reporting endpoint, suggesting it collects and reports device or network metadata as part of its proxy infrastructure.
While initial indicators suggested backdoorβstyle capabilities, further analysis revealed that the malwareβs primary function is proxyware. The infected host is enrolled as a residential proxy node, allowing third parties to route traffic through the victimβs IP address.
The hero.exe component retrieves configuration data from rotating βsmsheroββthemed commandβandβcontrol domains, then establishes outbound proxy connections on nonβstandard ports such as 1000 and 1002. Traffic analysis shows a lightweight XORβencoded protocol (key 0x70) used to obscure control messages.
This infrastructure is consistent with known residential proxy services, where access to real consumer IP addresses is sold for fraud, scraping, ad abuse, or anonymity laundering.
The 7βZip impersonation appears to be part of a broader operation. Related binaries have been identified under names such as upHola.exe, upTiktok, upWhatsapp, and upWire, all sharing identical tactics, techniques, and procedures:
LoginnetshEmbedded strings referencing VPN and proxy brands suggest a unified backend supporting multiple distribution fronts.
Memory analysis uncovered a large pool of hardcoded command-and-control domains using hero and smshero naming conventions. Active resolution during sandbox execution showed traffic routed through Cloudflare infrastructure with TLSβencrypted HTTPS sessions.
The malware also uses DNS-over-HTTPS via Googleβs resolver, reducing visibility for traditional DNS monitoring and complicating network-based detection.
The malware incorporates multiple layers of sandbox and analysis evasion:
Cryptographic support is extensive, including AES, RC4, Camellia, Chaskey, XOR encoding, and Base64, suggesting encrypted configuration handling and traffic protection.
Any system that has executed installers from 7zip.com should be considered compromised. While this malware establishes SYSTEMβlevel persistence and modifies firewall rules, reputable security software can effectively detect and remove the malicious components. Malwarebytes is capable of fully eradicating known variants of this threat and reversing its persistence mechanisms. In highβrisk or heavily used systems, some users may still choose a full OS reinstall for absolute assurance, but it is not strictly required in all cases.
Users and defenders should:
This investigation would not have been possible without the work of independent security researchers who went deeper than surface-level indicators and identified the true purpose of this malware family.
Additional technical validation and dynamic analysis were published by researchers at RaichuLab on Qiita and WizSafe Security on IIJ.
Their collective work highlights the importance of open, community-driven research in uncovering long-running abuse campaigns that rely on trust and misdirection rather than exploits.
This campaign demonstrates how effective brand impersonation combined with technically competent malware can operate undetected for extended periods. By abusing user trust rather than exploiting software vulnerabilities, attackers bypass many traditional security assumptionsβturning everyday utility downloads into longβlived monetization infrastructure.
Malwarebytes detects and blocks known variants of this proxyware family and its associated infrastructure.
C:\Windows\SysWOW64\hero\Uphero.exeC:\Windows\SysWOW64\hero\hero.exeC:\Windows\SysWOW64\hero\hero.dlle7291095de78484039fdc82106d191bf41b7469811c4e31b4228227911d25027 (Uphero.exe)b7a7013b951c3cea178ece3363e3dd06626b9b98ee27ebfd7c161d0bbcfbd894 (hero.exe)3544ffefb2a38bf4faf6181aa4374f4c186d3c2a7b9b059244b65dce8d5688d9 (hero.dll)Domains:
soc.hero-sms[.]coneo.herosms[.]coflux.smshero[.]conova.smshero[.]aiapex.herosms[.]aispark.herosms[.]iozest.hero-sms[.]aiprime.herosms[.]vipvivid.smshero[.]vipmint.smshero[.]compulse.herosms[.]ccglide.smshero[.]ccsvc.ha-teams.office[.]comiplogger[.]orgObserved IPs (Cloudflare-fronted):
104.21.57.71172.67.160.241C:\Windows\SysWOW64\hero\Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7We donβt just report on threatsβwe remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices byΒ downloading Malwarebytes today.
Brussels is digging into a cyber break-in that targeted the European Commission's mobile device management systems, potentially giving intruders a peek inside the official phones carried by EU staff.β¦
The KEV list is useful but largely misunderstood. KEVology explains what it is, and how best to use it.
The post New Paper and Tool Help Security Teams Move Beyond Blind Reliance on CISAβs KEV Catalog appeared first on SecurityWeek.
The signs of a cyberattack were identified on systems EU's main executive body uses for mobile device management.
The post European Commission Investigating Cyberattack appeared first on SecurityWeek.
Last week on Malwarebytes Labs:
Stay safe!
Asia In BriefΒ The Commissioner of Police in the Indian city of Hyderabad, population 11 million, has called for AI agents to be issued with identity cards β or at least their digital equivalent.β¦
Edge devices that are no longer supported have been targeted in attacks by state-sponsored hackers, the US says.
The post Organizations Urged to Replace Discontinued Edge Devices appeared first on SecurityWeek.
A growing body of research continues to show that older workers are generally more productive than younger employees.β¦
As breach costs go up and attackers focus on common web features like dashboards, admin panels, customer portals, and APIs, weak access control quickly leads to lost data, broken trust, and costly incidents. The worst part is that many failures are not rare technical flaws but simple mistakes, such as missing permission checks, roles with too much power, or predictable IDs in URLs.
This post aims to help you control who can access different parts of your website and explain why it matters.Β
Continue reading Beyond Login Screens: Why Access Control Matters at Sucuri Blog.
This is a video of advice for squid fishing in Puget Sound.
As usual, you can also use this squid post to talk about the security stories in the news that I havenβt covered.
