Archiving programs designed to simplify file storage and transfers have become common tools not only for users but also for attackers. Malicious archives are regularly found in both targeted attacks and ransomware incidents. Attackers mainly use them to bypass security measures, deceive users, and, of course, extract stolen data. This means cybersecurity and IT departments should pay close attention to how archives are handled in operating systems, business applications, and security tools. Let\u2019s now look at how attackers can use archives.<\/p>\n
Due to the logical features and vulnerabilities of certain archivers, when unpacked in Windows, the extracted files may not receive the \u201cdownloaded from the internet\u201d attribute (Mark of the Web<\/a>, or MotW). Technically, these attributes are stored in an NTFS alternate data stream: Zone.Identifier. If this identifier points to an external source (ZoneID = 3 or 4), Windows shows a warning when you attempt to run the executable file, and Office automatically opens potentially unsafe documents in Protected View.<\/p>\n By exploiting flaws in archivers, attackers bypass this layer of protection<\/a>. The most recent vulnerability of this type is CVE-2025-31334<\/a> in WinRAR, but there are others: CVE-2025-0411<\/a> in 7-Zip, CVE-2024-8811<\/a> in WinZip, and more. Note that some archivers don\u2019t support MotW at all, and only apply it to certain file extensions, or only do so when files are unpacked in a certain way. A table comparing MotW support in archivers is available on GitHub<\/a>.<\/p>\n When a user performs a seemingly safe action (like viewing an archive or opening a harmless-looking file within it), under certain conditions the archiver can execute a malicious file or shellcode. A recent example of such a vulnerability was CVE-2024-11477<\/a> in the Zstandard algorithm, used by 7-Zip for compression. This flaw hasn\u2019t been seen in real-world attacks yet \u2014 unlike CVE-2023-38831<\/a> in WinRAR, which was widely exploited by attackers ranging from APT espionage groups<\/a> to initial access brokers<\/a>. This WinRAR vulnerability allowed execution of a file from an archive when trying to view an image if the EXE file was placed in a folder with the same name as the image.<\/p>\n In March 2025, a similar defect was discovered in an unusual place \u2014 the Vim editor, popular among *nix users. Its standard tar.vim plugin lets users view and edit files directly inside TAR archives. CVE-2025-27423<\/a> allowed arbitrary shell command execution when editing a file from a malicious archive.<\/p>\n If an organization has a public web app that can handle archive uploads (such as attaching files to forms), vulnerabilities in archive unpacking can be used to hijack servers. A classic method is Zip Slip, which uses symbolic links in archives to bypass input sanitization and exploit path traversal vulnerabilities to compromise server-side applications.\u00a0 A list of various ZIP-handling libraries where this vulnerability has been patched (there are over 20 CVEs) is available on GitHub<\/a>. It\u2019s worth checking out to see how many instances of software can be affected by this flaw.<\/p>\n Even though Zip Slip was first described in 2018, logical flaws in server-side archive unpacking are still common \u2014 as seen in this 2025 pentest<\/a> and the recent vulnerability CVE-2024-12905 in tar-fs<\/a>.<\/p>\n Attackers may intentionally corrupt archive contents so that automated scanners and security tools fail to analyze them fully. However, the victim can still manually recover and open the respective file with minimal effort. A recent example is the exploitation of MS Office\u2019s \u201cdocument recovery\u201d feature<\/a> \u2014 since Office files are essentially ZIP archives. Security tools and archivers may fail to scan such documents, but Word can restore and open them.<\/p>\n Beyond common formats like ZIP, RAR, and TAR\/TAR.GZ, attackers frequently use disk image<\/a> files (ISO, IMG, VHD), Windows archives<\/a> (CAB, MSI), and even legacy or obscure archive types: ARJ<\/a>, ACE, ICE, and others. Security tools often don\u2019t handle these well, while modern universal archivers like WinRAR can still open them.<\/p>\n Mail scanners and other security tools often have configurable limits to reduce server load (for example, they may skip scanning very large files or nested archives). If an attacker creates a \u201cmatryoshka doll\u201d (aka a \u201cRussian doll\u201d), of several nested archives, there\u2019s a higher chance that the innermost archive won\u2019t be automatically scanned in the targeted organization.<\/p>\n Attackers often combine social engineering and technical tricks to get users to perform desired actions with archives without triggering security alerts. These techniques include the following:<\/p>\n Encrypted archives.<\/strong> A classic trick from the early 2000s, which still works today. The victim receives a password-protected archive, and the password is either sent in a separate email or instant message, or hinted at within the original email itself: \u201cThe password is the current year repeated twice\u201d. For example, this method was used in the Emotet<\/a> malware campaigns.<\/p>\n Self-extracting archives.<\/strong> These were originally useful in the days before archive utilities were built into all operating systems. Today, they allow attackers to easily install malware by bundling all the necessary components into a single file. For instance, the NeedleDropper<\/a> attack used a self-extracting archive to extract a popular legitimate tool, AutoIT, along with malicious AutoIT scripts, which were then executed. The attacker simply needs to trick the victim into running the archive.<\/p>\n A combination of the above.<\/strong> Some attacks<\/a> use self-extracting archives that, once executed, unpack a password-protected inner archive. Technically, this password is stored within the outer archive, but few security tools can detect it there and use.<\/p>\n Double-extension archives.<\/strong> Another classic is a self-extracting archive with a \u201c.pdf.exe\u201d extension and an Acrobat Reader icon assigned by the archiver. For victims who are not too IT-savvy, these tricks are still convincing.<\/p>\n Multi-volume archives.<\/strong> This function was originally used to split large files across CDs, flash drives and so on. Today, this rarely-used feature is still supported by archivers. Attackers use it to divide malware among volumes, or bypass scanning entirely, as some tools are configured only to scan ZIP or RAR files, but not R01, R02, and so on.<\/p>\n Polyglot files.<\/strong> Attackers can combine different file types into a single one, so, for example, one app opens the file as a PDF and another as a ZIP archive. This works in part because technical ZIP file headers are located at the end of the file, not at the beginning. We recently covered an attack by the Head Mare group<\/a>, where phishing emails contained a polyglot file made of both a malicious EXE file (with the PhantomPyramid backdoor) and a small, harmless ZIP archive. When clicked normally, it would open as a ZIP, but when launching the shortcut inside, the same polyglot file would execute as an EXE via PowerShell.\u00a0 Another version of the same method combines two archives in one polyglot file<\/a>.<\/p>\n Self-extracting archives as launch tools.<\/strong> A more exotic variant \u2014 which has been seen in actual attacks<\/a> \u2014 involves self-extracting archives that contain no actual files but include post-extraction commands to launch system tools like PowerShell or CMD, which are common in LotL<\/a> attacks.<\/p>\n Compressing data and encrypting an archive before exiting the attacked network is well documented under MITRE ATT&CK technique T1560<\/a>. Attackers use all options available: everything from basic archive tools on infected machines to popular archiving libraries built into the malware. In LotL attacks, attackers can combine techniques, using Windows utilities to collect files from other hosts and simultaneously archive them (diantz<\/a>).<\/p>\n These measures should be prioritized and adapted based on the profile of your organization, department, and role.\u00a0 To protect yourself:<\/p>\nAutomatic malware execution via archiver vulnerabilities<\/h3>\n
Server compromise via archive uploads<\/h3>\n
Bypassing security with corrupted archives<\/h3>\n
Masking malware with exotic formats<\/h3>\n
Disguising malware using the Matryoshka method<\/h3>\n
Bypassing security tools and tricking users using legitimate archive features<\/h3>\n
Data exfiltration<\/h3>\n
Protective measures when handling archives<\/h2>\n