What happened
Fake WinRAR website campaigns are delivering malware by hosting trojanized WinRAR installers on deceptive domains. Attackers set up lookalike download sites that bundle legitimate WinRAR installers with malicious payloads, including the Winzipper malware, to compromise systems when users install what they believe is genuine compression software. Security analysts at Malwarebytes identified these fake sites serving malicious installers that execute obfuscated setup components directly in memory to evade detection. Once deployed, the malware can give attackers remote access, enabling data theft, unauthorized control, and installation of additional malware. These campaigns exploit the trusted reputation of common utility software and the user habit of downloading tools from third-party sites.
Who is affected
Users and organizations downloading WinRAR installers from unofficial or lookalike websites are directly exposed to remote compromise and broader malware risks from trojanized installers.
Why CISOs should care
This threat underscores the importance of software supply chain integrity and the risks of deceptive download sources, with potential impacts on endpoint security, data confidentiality, and lateral movement opportunities.
3 practical actions
- Enforce official download sources: Mandate the use of official vendor download sites for all software.
- Strengthen endpoint defenses: Deploy anti-malware controls capable of detecting memory-resident malicious installers.
- Educate on supply chain risks: Train users to recognize deceptive websites and verify software authenticity.
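One way to operationalise the first and third actions, as an added example that is not part of this brief: a Python check that flags lookalike download hosts (brand-name reuse or a spelling within two edits of the official host) and accepts an installer only when it comes from an official host and its SHA-256 is in a known-good set. The official host names and the known-good hashes are assumptions here; set them from your own policy and the vendor's published values.

```python
import hashlib
from urllib.parse import urlsplit

# Assumed vendor hosts (an assumption for this example; set from your own policy).
OFFICIAL_HOSTS = {"win-rar.com", "rarlab.com"}

def _strip_www(host: str) -> str:
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host: str) -> str:
    """'official', 'lookalike' (brand reuse or near-miss spelling) or 'unknown'."""
    h = _strip_www(host)
    if h in OFFICIAL_HOSTS:
        return "official"
    for official in OFFICIAL_HOSTS:
        brand = official.split(".")[0].replace("-", "")  # e.g. "winrar"
        if brand in h.replace("-", "") or levenshtein(h, official) <= 2:
            return "lookalike"
    return "unknown"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_download(url: str, data: bytes, known_good: set) -> dict:
    """Allow only an official-host installer whose SHA-256 is known-good."""
    host_verdict = classify_host(urlsplit(url).hostname or "")
    digest = sha256_hex(data)
    if host_verdict == "lookalike":
        decision, reason = "block", "lookalike download host"
    elif digest not in known_good:
        decision, reason = "block", "installer hash not in known-good set"
    elif host_verdict == "official":
        decision, reason = "allow", "official host and known-good hash"
    else:
        decision, reason = "review", "unlisted host serving a known-good file"
    return {"host": host_verdict, "sha256": digest, "decision": decision, "reason": reason}
```

The known-good set should be built from hashes published by the vendor, not from whatever file the user already downloaded.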
