Winzipper

Winzipper is a Chinese-language malware family described as masquerading as a harmless file archive utility while functioning as a backdoor trojan. In the reported campaign, it was distributed through fake WinRAR download sites and trojanized WinRAR installers, primarily targeting users in China who downloaded the software from unofficial sources. The delivery chain used a multi-stage, heavily obfuscated package, including a ZIP archive named winrar-x64-713scp.zip, a UPX-packed executable with deliberate PE anomalies, SFX auto-run behavior, and a password-protected malicious archive named setup.hta that unpacked directly into memory at runtime to evade detection. One embedded executable appeared to be a legitimate WinRAR installer to reduce suspicion, while analysis also identified the filename nimasila360.exe, which was associated with fake installers and the Winzipper family. Once installed, Winzipper provides attackers with remote access to compromised systems, enables unauthorized system control, data theft, and installation of secondary malware payloads. The malware was also observed accessing Windows Profiles information early in execution, and the analysis suggests it profiles the host to select a best-fit payload. Reported malicious infrastructure and related indicators include the domains winrar-tw.com, winrar-x64.com, and winrar-zip.com, as well as filenames winrar-x64-713scp.zip, youhua163安装.exe, and setup.hta dropped under C:\Users{username}\AppData\Local\Temp. Malwarebytes reported and analyzed the campaign and blocked the identified hosting domains.