top of page
  • Clipeus

Malicious Russian Language 7z Version Distributed Via Microsoft Store

QiAnXin Threat Intelligence Center reports a campaign distributing various information stealers, including Redline, LummaC2, and Amadey, via a Russian-language trojanized version of 7z on the Microsoft Store. The threat has been ongoing since at least January 2023.

According to the QiAnXin Threat Intelligence Center report, it remains unclear how the attacker successfully uploaded the trojanized application onto the Microsoft Store.

The following attack chain includes:

  • Download of the malicious 7s-soft.exe Russian version;

  • The malicious file is responsible for installing a Java virtual machine (JVM), which provides evasion capability for the subsequent infection;

  • The JVM is used to compile malicious code that initiates communication with the command-and-control (C2) server, leading to the download of a second-stage malware consistent with the information stealers reported above.

Payloads were stored on WordPress sites redirecting to attacker-controlled resources, a technique which QiAnXin attributes to Russian-speaking actors. However, the primary vector being a Russian language application may suggest Russian language users were in fact the primary target of the supply chain poisoning attack. In contrast with this hypothesis, QiAnXin researchers found the majority of downloads occurred in Asia and particularly China; however, that may be due to the analytical focus of the research they carried out.

According to the same report, registration records for the domains used for the campaign resolve to registrants based in Russia and Ukraine.

Recent Posts

See All

AcidPour Wiper Targets Linux Devices in Ukraine

A new iteration of the AcidRain wiper malware, dubbed AcidPour, has been identified by SentinelOne's threat intelligence division, SentinelLabs. AcidRain, linked to Russian military intelligence, gain


Commenting has been turned off.

If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to with your inquiry. We would be glad to assist you

bottom of page