Hacker News

7zip.com Is Serving Malware

135 points, by Alifatisk, today at 2:58 PM, 70 comments

Comments

kevincloudsec, today at 7:22 PM

The buried lede here is the business model. This isn't ransomware or data theft. The malware turns your PC into a residential proxy node and sells your IP address to third parties for fraud, scraping, and ad abuse. That's why it's designed to be invisible and why it persisted for so long. Traditional malware wants to disrupt or extract. Proxyware wants to coexist quietly.

Your machine runs a little slower, your bandwidth gets a little thinner, and someone halfway around the world is routing traffic through your home IP. It's a fundamentally different threat model and most endpoint protection isn't looking for it because the behavioral signatures look like normal network activity.

mmh0000, today at 10:08 PM

This has been a long-standing problem with 7-Zip.

An article from 2018:

https://www.bleepingcomputer.com/news/security/fake-websites...

And uBlock Origin's "Badware" filter blocks it:

https://github.com/uBlockOrigin/uAssets/blob/master/filters/...

Dwedit, today at 5:07 PM

7zip.com has never been the official website of the project. It's been 7-zip.org.

throwaway150, today at 5:50 PM

I tested with the 3 major browsers and all 3 block it as "Suspected Phishing". So looks like the system is working as designed.

Lookalike websites serving malware have always existed. So this isn't exactly news. But the browsers are blocking them like they should.

krypd0h, today at 7:04 PM

The links to the file downloads on 7zip.com all point to 7-zip.org. Example: https://www.7-zip.org/a/7z2501-x64.exe

Did they change it because of the negative publicity (Reddit) and will probably change back soon to the malware links?

wowczarek, today at 9:26 PM

The .com site serving malware aside, it's how people even get to downloading this. PC builder [...], USB stick [...], YouTube tutorial for a new build [...] instructed to download. Makes me wonder, is this how "PC builders" build PCs, or was this a regular user person. Archive managers are such basic software that I'd think surely someone would keep a stash of (trusted) installer files for the basic tools to be installed in a new environment. At least that's what we used to do, like, 25 years ago. Or use choco, winget or whatever. Malware hygiene habits remain almost unchanged - don't click that link.

bloaf, today at 6:39 PM

I've started using winget to install my apps for exactly this reason. I can't keep track of every URL for every piece of software.

tokyobreakfast, today at 5:06 PM

Does the 7-Zip author still refuse to digitally sign or even provide hashes of the official downloads? It's an extremely weird flex, he thinks it's a frivolous waste of time or something.

high_na_euv, today at 5:44 PM

It doesn't help that many services use a few domain names, bonus points if the other ones look like they came from a list of scam domain examples.

throawayonthe, today at 4:38 PM

I'm increasingly convinced nothing good ever comes from YouTube tutorials.

jas39, today at 5:57 PM

I would not trust any sw from Russia. Could be a vector for the FSB. I'm sure they have thought about it.

Meneth, today at 5:41 PM

I compared https://7-zip.org/a/7z2600-x64.exe with https://7-zip.com/a/7z2600-x64.exe. They are byte-for-byte identical. If there's malware, it isn't obvious.

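Meneth's byte-for-byte comparison, and the earlier point about the project not publishing hashes or signatures, are the two checks a defender would actually script before running an installer pulled from a lookalike domain. The following is an added example and not code from this thread or from the 7-Zip project: it compares two downloaded files chunk by chunk (so a mirror can be checked against the origin without loading either into memory) and verifies a file against a pinned, `sha256sum`-style manifest. The manifest text, the file names and the `MZ`-prefixed payload are constructed fixtures; since the thread says no official digests are published, the pinned value in a real manifest would have to be recorded out of band from a download you already trust.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads keep memory flat for large installers


def sha256_file(path):
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def files_identical(path_a, path_b):
    """Byte-for-byte comparison of two files, the check Meneth describes, done chunk-wise."""
    pa, pb = Path(path_a), Path(path_b)
    if pa.stat().st_size != pb.stat().st_size:
        return False  # cheap early exit: different sizes can never be identical
    with open(pa, "rb") as fa, open(pb, "rb") as fb:
        while True:
            ca, cb = fa.read(CHUNK), fb.read(CHUNK)
            if ca != cb:
                return False
            if not ca:  # both streams exhausted at the same point
                return True


def parse_manifest(text):
    """Parse sha256sum-style lines ('<64 hex chars>  <filename>') into {filename: digest}."""
    pinned = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno}: malformed entry {line!r}")
        # sha256sum prefixes the name with '*' when the file was hashed in binary mode
        pinned[parts[1].lstrip("*")] = parts[0].lower()
    return pinned


def verify_against_manifest(path, manifest_text):
    """Return (ok, reason). Fails closed: an unlisted file is a failure, not a pass."""
    pinned = parse_manifest(manifest_text)
    name = Path(path).name
    expected = pinned.get(name)
    if expected is None:
        return False, f"{name} is not listed in the manifest"
    actual = sha256_file(path)
    # compare_digest avoids leaking where the first differing character sits
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch for {name}: expected {expected}, got {actual}"
    return True, f"{name} matches pinned digest"


def run_demo(workdir=None):
    """Build constructed fixtures (not real 7-Zip installers) and exercise both checks."""
    workdir = Path(workdir or tempfile.mkdtemp())
    # Constructed stand-in payload: an 'MZ' header followed by filler, not an executable.
    payload = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not the real installer\n" * 1000
    good = workdir / "7z2600-x64.exe"
    mirror = workdir / "mirror" / "7z2600-x64.exe"
    tampered = workdir / "tampered" / "7z2600-x64.exe"
    empty = workdir / "empty.bin"
    for p in (mirror, tampered):
        p.parent.mkdir(parents=True, exist_ok=True)
    good.write_bytes(payload)
    mirror.write_bytes(payload)
    tampered.write_bytes(payload[:-1] + b"!")  # same length, last byte changed
    empty.write_bytes(b"")
    # Constructed manifest: in practice the digest is recorded from a trusted copy.
    manifest = f"# constructed manifest\n{sha256_file(good)}  7z2600-x64.exe\n"
    return {
        "mirror_identical": files_identical(good, mirror),
        "tampered_identical": files_identical(good, tampered),
        "good_verified": verify_against_manifest(good, manifest),
        "tampered_verified": verify_against_manifest(tampered, manifest),
        "unlisted_verified": verify_against_manifest(empty, manifest),
        "empty_digest": sha256_file(empty),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The size check in `files_identical` is only a shortcut; a tampered file of the same length, as the demo's one-byte change shows, is caught by the content comparison. The manifest check fails closed on an unlisted name so that a renamed or differently versioned download is never silently accepted.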