Is it illegal to distribute malware? I see security researchers doing it all the time for analysis purposes.

No, it is not illegal to distribute malware by itself, but it is illegal to trick people into installing malware. The latter was the goal of the XZ contributor.

I assume you're talking from a USC perspective? Can you say which specific law, chapter, and clause applies?

I would somewhat agree, but then come to mind "what is the "legal" definition of malware ?".

Some people would say that most drm software would act like malware/ransomware.

And tricking people to install such software is only matter of an ambiguously worded checkbox.

specifically, thevCFAA covers distribution of malicious software without the owners consent. Security researchs downloading malware implicitly give consent to be downloading malware marked as such.