# Fake WinRAR downloads hide malware behind a real installer

Source: Malwarebytes Labs blog (threat intel), published 2026-01-08, https://www.malwarebytes.com/blog/threat-intel/2026/01/fake-winrar-downloads-hide-malware-behind-a-real-installer (record id MALWAREBYTES:EA9E84B6F64E772C8D3E60C3291AF6C3). Republished at https://zero.redgem.net/?p=34611 by "invoker" on 2026-01-08.

A member of our web research team pointed me to a fake WinRAR installer that was linked from various Chinese websites. When these links start to show up, that's usually a good indicator of a new campaign.

So, I downloaded the file and started an analysis, which turned out to be something of a Matryoshka doll. Layer after layer, after layer.

WinRAR is a popular utility that's often downloaded from "unofficial" sites, which gives campaigns offering fake downloads a bigger chance of being effective.

Often, these payloads contain self-extracting or multi-stage components that can download further malware, establish persistence, exfiltrate data, or open backdoors, all depending on an initial system analysis. So it was no surprise that one of the first actions this malware took was to access sensitive Windows data in the form of Windows Profiles information.

This, along with other findings from our analysis (see below), indicates that the file selects the "best-fit" malware for the affected system before further compromising or infecting it.

## How to stay safe

Mistakes are easily made when you're looking for software to solve a problem, especially when you want that solution fast. A few simple tips can help keep you safe in situations like this.

  * Only download software from official and trusted sources. Avoid clicking links that promise to deliver that software on social media, in emails, or on other unfamiliar websites.
  * Use a real-time, up-to-date anti-malware solution to block threats before they can run.

## Analysis

The original file was called `winrar-x64-713scp.zip`, and the initial analysis with Detect It Easy (DIE) already hinted at several layers.

![Detect It Easy first analysis](https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/01/Analysis_1.png)
Detect It Easy first analysis: 7-Zip, UPX, SFX — anything else?

Unzipping the file produced `winrar-x64-713scp.exe`, which turned out to be a UPX-packed file that required the `--force` option to unpack because of deliberate PE anomalies. UPX normally aborts if it finds unexpected values or unknown data in the executable header fields, as that data may be required for the program to run correctly. The `--force` option tells UPX to ignore these anomalies and proceed with decompression anyway.

Looking at the unpacked file, DIE showed yet another layer: `(Heur)Packer: Compressed or packed data[SFX]`. Looking at the strings inside the file, I noticed two `RunProgram` instances:

`RunProgram="nowait:\"1winrar-x64-713scp1.exe\" "`

`RunProgram="nowait:\"youhua163`

These directives tell the SFX archive to run the embedded programs immediately after extraction, without waiting for the launched program to exit (`nowait`).

Using PeaZip, I extracted both embedded files.

![](https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/01/Analysis_2.png)

The Chinese characters "`安装`" complicated the string analysis, but they translate as "install," which further piqued my interest. The file `1winrar-x64-713scp1.exe` turned out to be the actual WinRAR installer, likely included to allay suspicion for anyone running the malware.

After removing another layer, the other file turned out to be a password-protected zip file named setup.hta. The obfuscation used here led me to switch to dynamic analysis. Running the file on a virtual machine showed that setup.hta is unpacked at runtime directly into memory. The memory dump revealed another interesting string: `nimasila360.exe`.

This is a known file often created by fake installers and associated with the Winzipper malware. Winzipper is a known Chinese-language malicious program that pretends to be a harmless file archiver so it can sneak onto a victim's computer, often through links or attachments. Once opened and installed, it quietly deploys a hidden backdoor that lets attackers remotely control the machine, steal data, and install additional malware, all while the victim believes they've simply installed legitimate software.

## Indicators of Compromise (IOCs)

**Domains:**

winrar-tw[.]com

winrar-x64[.]com

winrar-zip[.]com

**Filenames:**

winrar-x64-713scp.zip

youhua163安装.exe

setup.hta (dropped in `C:\Users\{username}\AppData\Local\Temp`)

Malwarebytes' web protection component blocks all domains hosting the malicious file and installer.

![Malwarebytes blocks winrar-tw[.]com](https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/01/blocked.png)
Malwarebytes blocks winrar-tw[.]com