From what I understood, it's the torrent link that downloads a compromised zip file rather than the authentic image:
"Torrent downloads over at https://xubuntu.org/download/ are serving a zip file with a suspicious exe and a tos.txt inside. The TOS starts with Copyright (c) 2026 Xubuntu.org which is sus, because it is 2025. I opened the .exe with file-roller and couldn't find any .torrent inside."
Ah. Those work by having a valid zip at the end (and extraction code in front), taking advantage of the zip format allowing for arbitrary data before the actual zip data (which in turn was intended to facilitate this sort of thing).
It hadn't occurred to me that the .exe in question would be a self-extracting archive (or malicious code that also involves self-extracting an archive as part of the malicious working).
File roller does use 7z internally, so no real surprise here.
But both implementations can be vulnerable to malicious exe files, so it's not a great idea to do this with a file you already suspect to be malicious.
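The layout described above (extraction code first, valid ZIP at the end), as an added example that is not part of the thread: a Python sketch that measures the prepended data and lists entry names from directory metadata only, without handing the suspect file to an extractor. The function names and the sample bytes are constructed for illustration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory record
CDFH_SIG = b"PK\x01\x02"  # central-directory file header

def inspect_prefixed_zip(data: bytes) -> dict:
    """Find a ZIP at the end of `data` and measure what precedes it.

    Reads only directory metadata; nothing is decompressed or executed.
    ZIP64 and multi-disk archives are not handled (assumption of this sketch).
    """
    # EOCD is 22 bytes plus an optional comment of at most 65535 bytes.
    pos = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 0xFFFF))
    if pos < 0 or pos + 22 > len(data):
        return {"has_zip": False}
    entries, cd_size, cd_offset = struct.unpack_from("<HII", data, pos + 10)
    # Offsets are relative to the archive start, so any shift is prepended data.
    prefix = pos - cd_size - cd_offset
    if prefix < 0:
        return {"has_zip": False}
    names, p = [], prefix + cd_offset
    for _ in range(entries):
        if data[p:p + 4] != CDFH_SIG:
            return {"has_zip": False}
        # Lengths of the file name, extra field and comment for this entry.
        n, m, k = struct.unpack_from("<HHH", data, p + 28)
        names.append(data[p + 46:p + 46 + n].decode("utf-8", "replace"))
        p += 46 + n + m + k
    return {"has_zip": True, "prefix_bytes": prefix,
            "mz_header": data[:2] == b"MZ", "names": names}

def build_sample() -> bytes:
    """Constructed sample: an inert fake stub followed by a small ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("tos.txt", "constructed sample text")
    return b"MZ" + b"\x00" * 510 + buf.getvalue()

if __name__ == "__main__":
    print(inspect_prefixed_zip(build_sample()))
```

Some self-extractor builders rewrite the stored offsets to be absolute, in which case `prefix_bytes` is 0 and `mz_header` is the remaining hint.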