Unofficial 7-zip.com website served up malware-laden downloads for over a week — infected PCs forced into a proxy botnet
Source: Tom’s Hardware

When setting up a new PC, installing a utility like 7‑zip, PeaZip, or WinRAR is something we tend to do almost without thinking. But it’s easy to fall into the trap of downloading malicious executables from unofficial sources, which is what happened for about 10 days with the 7‑zip.com website.
Official vs. unofficial site
The official website for the 7‑Zip project is 7‑zip.org. As with many free projects, copycat sites appear to capture search traffic and earn ad revenue. This seemed to be the case for 7‑zip.com until Jan 12 – 22, when its download links started redirecting users to a malware‑laden executable.
How the redirection worked
The redirection was crafted to evade basic automated scanners:
- Visiting 7‑zip.com initially displayed the normal links to the official executables on 7‑zip.org.
- After about 20–30 seconds, a script triggered and swapped the links to the infected files.
This timing allowed scanners that fetched the page immediately to see only clean links, preventing the site from being flagged as malicious.
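A scanner can counter this by recording the download links at load and again after a dwell period longer than the delay, then comparing the two. The sketch below is an added example, not code from the article or from any of the cited reports; the snapshot shape, the official host list, and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: compare two snapshots of a page's download links, one taken
// at load and one after a dwell period, and flag targets that changed.
// OFFICIAL_HOSTS and the { id, href } snapshot shape are assumptions.
const OFFICIAL_HOSTS = new Set(["7-zip.org", "www.7-zip.org"]);

function hostOf(href) {
  try {
    return new URL(href).hostname.toLowerCase();
  } catch {
    return null; // relative or malformed href
  }
}

// before/after: arrays of { id, href } captured from the same anchors.
function findSwappedLinks(before, after, officialHosts = OFFICIAL_HOSTS) {
  const initial = new Map(before.map((l) => [l.id, l.href]));
  const findings = [];
  for (const { id, href } of after) {
    const old = initial.get(id);
    if (old === undefined) {
      findings.push({ id, reason: "link appeared after load", from: null, to: href });
      continue;
    }
    if (old === href) continue; // unchanged target, nothing to report
    const leftOfficial =
      officialHosts.has(hostOf(old)) && !officialHosts.has(hostOf(href));
    findings.push({
      id,
      reason: leftOfficial ? "target moved off official host" : "target changed after load",
      from: old,
      to: href,
    });
  }
  return findings;
}

// Constructed sample snapshots (placeholder hosts, not indicators from the incident).
const atLoad = [
  { id: "dl-x64", href: "https://www.7-zip.org/a/installer-x64.exe" },
  { id: "dl-x86", href: "https://www.7-zip.org/a/installer-x86.exe" },
];
const after45s = [
  { id: "dl-x64", href: "https://downloads.example.invalid/installer-x64.exe" },
  { id: "dl-x86", href: "https://www.7-zip.org/a/installer-x86.exe" },
];

console.log(findSwappedLinks(atLoad, after45s));
```

In a headless browser, each snapshot can be collected from `document.querySelectorAll("a[href]")`; the second capture should come well after the 20–30 second window described above.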
Malware behavior
The downloaded trojan does not perform many actions on its own; its primary function is to install a proxy server, turning the victim’s PC into a node of a remote‑controlled botnet. Criminals can then route traffic through these compromised machines to hide their origins.
- Detailed write‑up by Malwarebytes: Fake 7‑Zip downloads are turning home PCs into proxy nodes
- Technical deep dive by security researcher Luke Acha: Beware of fake 7zip installer upstage
Discovery and reporting
- The issue was first spotted by users on a SourceForge forum thread: Discussion on SourceForge
- The first technical outfit to report it appears to be the Japanese consortium IISJ‑SECT: IISJ‑SECT about page
- Wider awareness spread via a Reddit post where a user described following a YouTube tutorial that unintentionally led to the malicious site.
Lessons and recommendations
- Always download software from the official source and verify the URL.
- Verify file hashes after downloading. Useful tools include:
  - HashTools for Windows
  - sha256sum, GtkHash, or QuickHash for Linux
