Archiving applications, designed to simplify file storage and transfer, have become everyday tools not only for users but also for attackers. Malicious archives are routinely found in both targeted attacks and ransomware incidents. Attackers mainly use them to bypass security controls, deceive users and, of course, exfiltrate stolen data. This means cybersecurity and IT departments should pay close attention to how archives are handled in operating systems, business applications and security tools. Let's look at how attackers can use archives.
Delivering malware by bypassing “Mark of the Web” warnings
Because of logical features and vulnerabilities in certain archivers, files extracted on Windows may not receive the “downloaded from the internet” attribute (Mark of the Web, or MotW). Technically, this attribute is stored in an NTFS alternate data stream named Zone.Identifier. If the identifier points to an external source (ZoneId = 3 or 4), Windows shows a warning when you attempt to run an executable file, and Office automatically opens potentially unsafe documents in Protected View.
By exploiting flaws in archivers, attackers bypass this layer of protection. The latest vulnerability of this kind is CVE-2025-31334 in WinRAR, but there are others: CVE-2025-0411 in 7-Zip, CVE-2024-8811 in WinZip, and more. Note that some archivers don't support MotW at all, only apply it to certain file extensions, or only do so when files are unpacked in a certain way. A table comparing MotW support across archivers is available on GitHub.
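To verify whether the archiver you approve actually propagates MotW, here is an added example (not code from the original article or from any archiver vendor): it reads the ZoneId from each file's Zone.Identifier stream under a folder you extracted a downloaded archive into, and lists the files that carry no Internet or Restricted zone mark. The stream read assumes a Windows NTFS volume; the parser itself runs anywhere.

```python
import os
from typing import Optional

# Only ZoneId 3 (Internet) and 4 (Restricted sites) make Windows warn before
# execution and make Office open the document in Protected View.
UNTRUSTED_ZONES = {3, 4}


def parse_zone_identifier(stream: str) -> Optional[int]:
    """Return the ZoneId from an INI-style Zone.Identifier stream, or None if absent."""
    in_zone_transfer = False
    for raw in stream.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_zone_transfer = line.lower() == "[zonetransfer]"
        elif in_zone_transfer and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid" and value.strip().isdigit():
                return int(value.strip())
    return None


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the Zone.Identifier ADS of `path` (NTFS only); None if there is no stream."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:  # stream missing, or not an NTFS volume
        return None


def audit_extracted_files(directory: str) -> dict:
    """Map each file under `directory` (a folder you extracted an archive into)
    to its ZoneId, or None when the archiver wrote the file without MotW."""
    zones = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            stream = read_zone_identifier(path)
            zones[path] = parse_zone_identifier(stream) if stream else None
    return zones


def files_missing_motw(directory: str) -> list:
    """Files that would run without a warning: no stream, or a trusted zone."""
    return sorted(path for path, zone in audit_extracted_files(directory).items()
                  if zone not in UNTRUSTED_ZONES)


if __name__ == "__main__":
    import sys
    for path in files_missing_motw(sys.argv[1]):  # usage: script.py <extracted-folder>
        print("no MotW:", path)
```

Extract the same downloaded test archive with each candidate archiver into separate folders and compare the lists; an archiver that belongs on the approved list leaves them empty.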
Automatic malware execution via archiver vulnerabilities
When a user performs a seemingly safe action (such as viewing an archive or opening a harmless-looking file inside it), under certain conditions the archiver can execute a malicious file or shellcode. A recent example of such a vulnerability is CVE-2024-11477 in the Zstandard algorithm used by 7-Zip for compression. This flaw hasn't yet been seen in real-world attacks, unlike CVE-2023-38831 in WinRAR, which was widely exploited by attackers ranging from APT espionage groups to initial access brokers. That WinRAR vulnerability allowed a file from an archive to be executed when the user attempted to view an image, if an EXE file was placed in a folder with the same name as the image.
In March 2025, a similar defect was discovered in an unusual place: the Vim editor, popular among *nix users. Its standard tar.vim plugin lets users view and edit files directly inside TAR archives. CVE-2025-27423 allowed arbitrary shell command execution when editing a file from a malicious archive.
Server compromise via archive uploads
If an organization has a public web application that handles archive uploads (for example, attaching files to forms), vulnerabilities in archive unpacking can be used to hijack servers. A classic method is Zip Slip, which uses symbolic links in archives to bypass input sanitization and exploit path traversal vulnerabilities to compromise server-side applications. A list of the various ZIP-handling libraries in which this vulnerability has been patched (there are over 20 CVEs) is available on GitHub. It's worth checking to see how many instances of software could be affected by this flaw.
Although Zip Slip was first described in 2018, logical flaws in server-side archive unpacking are still common, as seen in this 2025 pentest and the recent vulnerability CVE-2024-12905 in tar-fs.
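As an added example (not code from the original article or from any of the libraries it refers to), this is the pre-extraction check a server-side upload handler should run before unpacking: it rejects entries whose names resolve outside the destination directory, absolute names, and symlink entries, using only the archive metadata. The destination path is a placeholder and the archive is constructed in memory.

```python
import io
import os
import stat
import zipfile


def unsafe_entries(zf: zipfile.ZipFile, dest: str) -> list:
    """Names in `zf` that must not be extracted into `dest`: entries whose
    normalised path leaves `dest` (the "../" Zip Slip pattern), absolute
    names, and symlink entries (a later entry could be written through them).
    Only metadata is inspected; nothing is written to disk."""
    root = os.path.realpath(dest)
    bad = []
    for info in zf.infolist():
        name = info.filename
        target = os.path.realpath(os.path.join(root, name))
        if os.path.isabs(name) or os.path.commonpath([root, target]) != root:
            bad.append(name)
            continue
        # The Unix file mode lives in the high 16 bits of external_attr.
        if stat.S_ISLNK(info.external_attr >> 16):
            bad.append(name)
    return bad


def safe_extract(zf: zipfile.ZipFile, dest: str) -> None:
    """Extract only after every entry has passed the check above."""
    bad = unsafe_entries(zf, dest)
    if bad:
        raise ValueError(f"refusing to extract unsafe entries: {bad}")
    zf.extractall(dest)


def build_sample_archive() -> zipfile.ZipFile:
    """Constructed test archive: a benign file, a traversal entry and a symlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/readme.txt", "benign content")
        zf.writestr("../../../tmp/zipslip.txt", "would land outside dest")
        link = zipfile.ZipInfo("report/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark entry as a symlink
        zf.writestr(link, "/etc/passwd")  # a symlink's target is stored as its data
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    # Placeholder destination; the check does not require it to exist.
    print(unsafe_entries(build_sample_archive(), "/srv/uploads/extracted"))
```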
Bypassing security with corrupted archives
Attackers may deliberately corrupt archive contents so that automated scanners and security tools fail to analyze them fully, while the victim can still manually recover and open the file with minimal effort. A recent example is the exploitation of MS Office's “document recovery” feature, since Office files are essentially ZIP archives. Security tools and archivers may fail to scan such documents, but Word can repair and open them.
Masking malware with exotic formats
Beyond common formats like ZIP, RAR and TAR/TAR.GZ, attackers frequently use disk image files (ISO, IMG, VHD), Windows archives (CAB, MSI), and even legacy or obscure archive types: ARJ, ACE, ICE and others. Security tools often don't handle these well, while modern universal archivers like WinRAR can still open them.
Disguising malware using the matryoshka method
Mail scanners and other security tools often have configurable limits to reduce server load (for example, they may skip scanning very large files or nested archives). If an attacker creates a “matryoshka doll” (aka a “Russian doll”) of several nested archives, there's a greater chance that the innermost archive won't be automatically scanned in the targeted organization.
Bypassing security tools and tricking users using legitimate archive features
Attackers often combine social engineering and technical tricks to get users to perform the desired actions with archives without triggering security alerts. These techniques include the following:
Encrypted archives. A classic trick from the early 2000s that still works today. The victim receives a password-protected archive, and the password is either sent in a separate email or instant message, or hinted at within the original email itself: “The password is the current year repeated twice”. For example, this method was used in the Emotet malware campaigns.
Self-extracting archives. These were originally useful in the days before archive utilities were built into all operating systems. Today, they allow attackers to easily install malware by bundling all the required components into a single file. For example, the NeedleDropper attack used a self-extracting archive to extract a popular legitimate tool, AutoIT, along with malicious AutoIT scripts, which were then executed. The attacker simply needs to trick the victim into running the archive.
A combination of the above. Some attacks use self-extracting archives that, once executed, unpack a password-protected inner archive. Technically, the password is stored within the outer archive, but few security tools can detect it there and use it.
Double-extension archives. Another classic is a self-extracting archive with a “.pdf.exe” extension and an Acrobat Reader icon assigned by the archiver. For victims who aren't too IT-savvy, these tricks are still convincing.
Multi-volume archives. This function was originally used to split large files across CDs, flash drives and so on. Today, this rarely used feature is still supported by archivers. Attackers use it to divide malware among volumes, or to bypass scanning entirely, as some tools are configured to scan only ZIP or RAR files, but not R01, R02 and so on.
Polyglot files. Attackers can combine different file types into a single file so that, for example, one app opens the file as a PDF and another as a ZIP archive. This works partly because the ZIP format's technical headers are located at the end of the file, not at the beginning. We recently covered an attack by the Head Mare group, where phishing emails contained a polyglot file made of both a malicious EXE file (with the PhantomPyramid backdoor) and a small, harmless ZIP archive. When clicked normally, it would open as a ZIP, but when the shortcut inside was launched, the same polyglot file would execute as an EXE via PowerShell. Another version of the same method combines two archives in a single polyglot file.
Self-extracting archives as launch tools. A more exotic variant, which has been seen in actual attacks, involves self-extracting archives that contain no actual files but include post-extraction commands to launch system tools like PowerShell or CMD, which are common in LotL attacks.
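The point about ZIP headers sitting at the end of the file can be turned into a detection check. As an added example (not from the original article), the function below reports whether a file that does not start with a ZIP signature nonetheless ends in a valid ZIP End of Central Directory record, how many bytes of non-ZIP data precede the archive, and what the embedded archive contains. The leading-signature table and the MZ stub are constructed for the example.

```python
import io
import struct
import zipfile
from typing import Optional

# Magic bytes of the outer containers this check recognises at offset 0.
LEADING_MAGIC = {b"MZ": "PE executable", b"%PDF": "PDF document",
                 b"\x7fELF": "ELF executable", b"PK\x03\x04": "ZIP archive"}
EOCD_SIG = b"PK\x05\x06"  # End of Central Directory record, always near the end


def leading_type(data: bytes) -> str:
    for magic, name in LEADING_MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def zip_prefix_length(data: bytes) -> Optional[int]:
    """Bytes of foreign data in front of the ZIP structures (0 for a plain ZIP),
    or None if `data` has no plausible EOCD record. ZIP readers locate the EOCD
    by scanning backwards from the end, so whatever precedes the archive is
    simply ignored; that is what makes EXE+ZIP or PDF+ZIP polyglots possible."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):  # a minimal EOCD is 22 bytes
        return None
    # EOCD fields at +12: central directory size (4), central directory offset (4).
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    prefix = (eocd - cd_size) - cd_offset  # actual CD start minus recorded CD start
    return prefix if prefix >= 0 else None


def classify(data: bytes) -> dict:
    lead = leading_type(data)
    prefix = zip_prefix_length(data)
    is_zip = prefix is not None and zipfile.is_zipfile(io.BytesIO(data))
    entries = zipfile.ZipFile(io.BytesIO(data)).namelist() if is_zip else []
    return {"leading_type": lead, "zip_prefix_bytes": prefix if is_zip else None,
            "zip_entries": entries, "polyglot": is_zip and lead != "ZIP archive"}


# Constructed sample: a fake DOS/PE stub followed by a real, harmless ZIP.
SAMPLE_STUB = b"MZ" + b"\x90" * 126 + b"This program cannot be run in DOS mode.\r\n"


def build_sample_polyglot() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless decoy content")
    return SAMPLE_STUB + buf.getvalue()


if __name__ == "__main__":
    print(classify(build_sample_polyglot()))
```

A positive result is a strong signal for a mail gateway or sandbox rule: a file whose leading type is an executable or PDF should not also be a readable ZIP.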
Data exfiltration
Compressing data and encrypting an archive before exfiltrating it from the attacked network is well documented under MITRE ATT&CK technique T1560. Attackers use every option available: everything from basic archive tools on infected machines to popular archiving libraries built into the malware. In LotL attacks, attackers can combine techniques, using Windows utilities to collect files from other hosts and simultaneously archive them (diantz).
Protective measures when handling archives
These measures should be prioritized and adapted based on the profile of your organization, department and role. To protect yourself:
Test your security tools with tricky cases: exotic archive formats, corrupted archives and polyglot files. If direct testing is difficult, ask your vendor's tech support whether these cases are covered. At a minimum, test your mail gateway, NGFW, EDR/XDR solution and sandbox (if it's a separate solution). For example, in Kaspersky Secure Mail Gateway, the sandbox is an integral part of the security architecture and prevents most malicious attachments from opening.
Set up safe extraction. Ensure your security solution can scan deeply nested archives and large files. Different tools will differ in this area: while mail filters can thoroughly scan attachments and detonate them in a sandbox, NGFWs will probably only check the reputation of the archive itself and its visible files. Therefore, deeper analysis should be used on both endpoints and mail gateways, while web filters and NGFWs should apply lighter checks within their limitations. In any case, archives that exceed reasonable analysis capabilities should be blocked or quarantined.
Block dangerous archives. Uploading archives in exotic formats, as well as self-extracting archives, isn't necessary, so this functionality can be blocked on hosts. Additionally, using trusted application management (application allowlisting, application control), you can prohibit the execution of all archivers except the one or two that are approved and actually used within the organization. It's important to analyze the use of built-in OS archiving tools and block those that aren't used by employees or the IT department. Make sure that none of the approved tools for Windows machines lack support for Mark of the Web (MotW).
Block automatic mounting of disk images. Although disk images aren't exactly archives, attackers use them in similar ways. Use of disk images should be disabled via group policy for all employees who don't need it for legitimate business purposes.
Monitor the use of archivers on endpoints. Make sure your EDR solution and monitoring tools (SIEM, XDR) have rules to help detect suspicious activity related to archives: launching files from temporary folders, launching processes from inside an archiver, and so on. Monitoring is also needed to detect data theft attempts indicated by archiving data from network folders, creating password-protected archives, creating very large archives, and so on.
Restrict the use of archives in server-side applications. If uploading archived files isn't a critically important business function, it's better to disable this feature in CMS, CRM and other online applications, as securing it can be difficult. If archives are required, make sure that the folders where these archives are uploaded are monitored by an EDR agent on the server, that the server application itself is updated regularly, and that the permissions granted to the application don't allow it to write files to any folders outside its designated directories.
Include archivers and archive-processing applications in your vulnerability management program. Archivers should be updated no less frequently than the operating system and office software.
Train employees. Cybersecurity training for employees should cover phishing as well as general rules for the safe handling of archives: pay attention to any pop-ups or unexpected prompts when opening familiar file types (DOC, PDF), only extract archives using the archiving application approved by the company, and if an archive immediately prompts for a password upon clicking the file, don't extract it under any circumstances and immediately report it to the security team.