Archiving utilities, originally meant to make file storage and sharing easier, are now widely used not only by ordinary users but also by cybercriminals. Malicious archives regularly appear in both targeted intrusions and ransomware campaigns. Attackers rely on them to slip past security defenses, mislead victims, and extract stolen information. Because of this, cybersecurity and IT teams must carefully consider how archives are processed in operating systems, corporate applications, and security platforms. Below are some of the main ways archives are weaponized.
Using archives to dodge “Mark of the Web” protections
Certain archivers have quirks and weaknesses that cause files they unpack on Windows to lose the “downloaded from the internet” marking (Mark of the Web, or MotW). Technically, MotW is stored in an NTFS alternate data stream named Zone.Identifier attached to the file. If its ZoneId indicates an external source (3 for the Internet zone, 4 for Restricted sites), Windows shows a security warning before the file is executed, and Microsoft Office opens documents in Protected View by default. An archiver that supports MotW propagates this stream from the downloaded archive to every file it extracts; if it does not, the extracted files run without any of these safeguards.
Cybercriminals exploit these flaws to bypass the safeguard. A recent case was CVE-2025-31334 in WinRAR, but there are others, such as CVE-2025-0411 in 7-Zip and CVE-2024-8811 in WinZip. Some archivers ignore MotW completely, only apply it to certain file types, or only propagate it under certain unpacking conditions. A detailed comparison of MotW support across archivers is available on GitHub.
Triggering malware execution via archiver flaws
In some scenarios, simply browsing an archive or opening what appears to be a harmless file inside it can trigger malware execution because of an archiver vulnerability. One such case is CVE-2024-11477, a bug in 7-Zip's implementation of Zstandard decompression. That flaw had not been seen exploited in the wild at the time of writing, but CVE-2023-38831 in WinRAR was heavily abused by attackers ranging from nation-state espionage groups to financially motivated crime groups. The bug allowed a malicious executable to be launched when the user merely previewed an image inside the archive: the archive contained a decoy file and a folder with the same name, and opening the decoy caused WinRAR to extract and run the folder's contents as well.
In March 2025, researchers found a similar issue in an unexpected place: the Vim text editor. Its built-in tar.vim plugin lets users edit files directly from TAR archives. CVE-2025-27423 enabled arbitrary shell commands to be executed when handling a tampered archive.
Server takeover through archive uploads
When a web application accepts archive uploads (for example, through file submission forms), flaws in archive unpacking can be exploited to compromise the server. The best-known method is Zip Slip: an archive entry whose name contains directory traversal sequences such as ../ is written outside the intended extraction directory, overwriting configuration files, scripts, or keys. A related trick uses symbolic-link entries that point outside the extraction directory, so that entries written afterwards land wherever the link points. Numerous archive-handling libraries were vulnerable, with over 20 CVEs documented; see this GitHub list.
Even though Zip Slip has been public since 2018, similar weaknesses are still being discovered, including findings from a pentest in 2025 and CVE-2024-12905 in tar-fs.
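The vulnerable and the hardened extraction loop side by side, as an added example that is not code from the page or from any of the libraries it names. It uses only Python's standard zipfile module; the archive it inspects is constructed in memory (a benign file, one ../ traversal entry and one symlink entry), and the directory names and file contents are made up for the demonstration.

```python
import io
import os
import stat
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    """Constructed test archive (not a real-world sample): one benign file,
    one Zip Slip traversal entry, and one symlink entry that points outside
    the extraction root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/report.txt", b"quarterly figures")
        # Classic Zip Slip: the entry name itself climbs out of the target directory.
        zf.writestr("../../.ssh/authorized_keys", b"ssh-ed25519 AAAA... attacker@evil")
        # Symlink entry: Unix mode bits live in the high 16 bits of external_attr.
        link = zipfile.ZipInfo("docs/latest")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/etc/passwd")
    return buf.getvalue()


def unsafe_target(dest: str, name: str) -> str:
    """The vulnerable pattern: join and trust the entry name as-is."""
    return os.path.join(dest, name)


def is_symlink(info: zipfile.ZipInfo) -> bool:
    return stat.S_ISLNK(info.external_attr >> 16)


def safe_target(dest: str, name: str) -> str:
    """Hardened: resolve the final path and require it to stay under dest."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"entry escapes extraction root: {name!r}")
    return target


def safe_extract(data: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract only entries that resolve inside dest; reject traversal and symlinks.
    Returns (written paths relative to dest, rejected entry names)."""
    written, rejected = [], []
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_symlink(info):
                rejected.append(info.filename)
                continue
            try:
                target = safe_target(root, info.filename)
            except ValueError:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, root))
    return written, rejected


def demo() -> dict:
    """Run both code paths against the constructed archive in a throwaway directory."""
    dest = tempfile.mkdtemp(prefix="zipslip-")
    written, rejected = safe_extract(build_sample_zip(), dest)
    # The naive join is only resolved here, never written to, to show where it would land.
    naive = os.path.abspath(unsafe_target(dest, "../../.ssh/authorized_keys"))
    return {
        "written": written,
        "rejected": sorted(rejected),
        "naive_escapes_root": not naive.startswith(os.path.realpath(dest) + os.sep),
    }


if __name__ == "__main__":
    print(demo())
```

The check that matters is the realpath-plus-commonpath comparison: a prefix test on the raw joined string is not enough, because a destination of /srv/app/uploads would happily accept /srv/app/uploads-evil/x, and a symlink created by an earlier entry would be followed by later ones unless symlink entries are refused outright.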
Corrupted archives to evade detection
Some attackers deliberately damage archive contents so that automated scanners fail to fully analyze them, while victims can still restore and open the files manually. A recent case was the abuse of Microsoft Office’s document recovery feature. Since modern Office files are ZIP containers, security tools may fail to parse a deliberately corrupted archive, but Word can repair and open it successfully.
Obscure formats for concealment
Beyond ZIP, RAR, and TAR, attackers often turn to disk images (ISO, IMG, VHD), Windows archives (CAB, MSI), and even outdated or obscure formats like ARJ, ACE, and ICE. Many security tools struggle with these, while victims can still open several of them with mainstream archivers (WinRAR, for example, still extracts ARJ, although it dropped ACE support in 2019 after CVE-2018-20250).
Nesting archives (“Matryoshka” technique)
Email filters and scanners often impose size or nesting-depth limits to keep resource usage bounded. By nesting several layers of archives, attackers push the malicious file below the depth an automated scan reaches, while the victim only has to keep double-clicking until the payload appears.
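An inspector that walks nested ZIPs to a configurable depth and records where it had to give up, as an added example that is not code from the page. It is plain Python stdlib; the five-layer sample archive and its payload are constructed in memory, and the size and ratio budgets are assumed values for the demonstration, not anyone's published thresholds.

```python
import io
import zipfile

MAX_ENTRY_BYTES = 50 * 1024 * 1024   # assumed per-entry budget
MAX_RATIO = 100                      # assumed uncompressed:compressed ratio before calling it a bomb


def build_nested_zip(layers: int, payload_name: str = "invoice.exe") -> bytes:
    """Constructed Matryoshka sample: payload_name wrapped in `layers` ZIPs."""
    payload = bytes(range(256)) * 8          # stand-in for a dropper, not a real PE
    data, name = payload, payload_name
    for level in range(1, layers + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level}.zip"
    return data


def inspect_nested(data: bytes, max_depth: int) -> list[dict]:
    """Walk nested ZIPs, recording every leaf file and every point where the
    walk stopped. max_depth is the number of nested archives the scanner is
    willing to open below the outer one. Each finding is {"path", "verdict"}."""
    findings: list[dict] = []

    def walk(blob: bytes, chain: tuple[str, ...]) -> None:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                path = "/".join(chain + (info.filename,))
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1:            # general-purpose bit 0: entry is encrypted
                    findings.append({"path": path, "verdict": "encrypted"})
                    continue
                ratio = info.file_size / max(info.compress_size, 1)
                if info.file_size > MAX_ENTRY_BYTES or ratio > MAX_RATIO:
                    findings.append({"path": path, "verdict": "bomb-suspect"})
                    continue
                member = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(member)):
                    if len(chain) + 1 > max_depth:
                        # This is the blind spot the Matryoshka technique targets.
                        findings.append({"path": path, "verdict": "depth-limit"})
                    else:
                        walk(member, chain + (info.filename,))
                else:
                    findings.append({"path": path, "verdict": "file"})

    walk(data, ())
    return findings


if __name__ == "__main__":
    sample = build_nested_zip(5)
    print("depth 2:", inspect_nested(sample, max_depth=2))
    print("depth 8:", inspect_nested(sample, max_depth=8))
```

With max_depth=2 the walk stops at level2.zip and never sees invoice.exe; the operational point is that a "depth-limit" finding should be treated as a block or quarantine verdict, not as "nothing found".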
Exploiting legitimate archive functions
Attackers often mix technical tricks with social engineering to manipulate victims into opening archives without triggering alarms. Examples include:
Encrypted archives. Still a popular tactic: victims receive a password-protected archive, with the password sent separately or embedded in the message (“Password is the current year twice”). This was widely used in Emotet campaigns.
Self-extracting archives. Useful before operating systems could unpack archives natively, today they are mostly abused to deliver malware. For instance, the NeedleDropper attack used one to install the AutoIt interpreter together with a malicious script in a single step.
Hybrid methods. Some attacks combine the two, with a self-extracting archive containing a password-protected archive inside.
Fake extensions. A classic trick is disguising malware as a “.pdf.exe” with a PDF icon, fooling less tech-savvy users.
Multi-part archives. Originally used for splitting across floppy disks, CDs, or drives, this feature now helps hide malware: a scanner that inspects only one volume (.r01, .r02, and so on) cannot reconstruct or analyze the payload spread across them.
Polyglot files. Files crafted to be valid in more than one format and to behave differently depending on which application parses them. One recent attack by Head Mare combined a ZIP and an EXE in one file, which opened as a harmless ZIP in an archiver but executed malware when launched as an executable. Another variant merged two archives into a single file.
Launch-only self-extractors. Some real-world attacks used archives with no files at all — just commands to launch PowerShell or CMD, useful for “Living off the Land” techniques.
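Why the ZIP/EXE polyglot works, shown as an added example that is not code from the page or from the Head Mare sample it describes. The ZIP format locates the central directory from a record at the end of the file, so a parser tolerates arbitrary data before the first local header; an EXE is identified from the "MZ" bytes at the start. The executable stub below is a constructed placeholder (just the header bytes and padding), not a real PE, and the classifier uses only Python's stdlib zipfile module.

```python
import io
import zipfile

# Constructed stand-in for a PE image: DOS "MZ" signature plus padding. A real
# polyglot carries a complete executable here; the ZIP parser does not care.
FAKE_MZ_STUB = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 400


def build_zip_payload() -> bytes:
    """Constructed, innocuous ZIP used as the archive half of the polyglot."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"harmless looking text")
    return buf.getvalue()


def make_zip_exe_polyglot(zip_bytes: bytes) -> bytes:
    """Prepend an executable image to an archive. ZIP readers find the archive
    via the end-of-central-directory record, so the leading bytes are ignored."""
    return FAKE_MZ_STUB + zip_bytes


def classify(data: bytes) -> dict:
    """Ask the question a gateway should ask: how many parsers accept this file?"""
    looks_like_pe = data[:2] == b"MZ"
    is_zip = zipfile.is_zipfile(io.BytesIO(data))
    names: list[str] = []
    prefix_len = None
    if is_zip:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # zipfile rebases header_offset to the absolute file position, so the
            # lowest offset equals the amount of foreign data in front of the archive.
            prefix_len = min(i.header_offset for i in zf.infolist())
    if looks_like_pe and is_zip:
        verdict = "zip/exe polyglot"
    elif is_zip:
        verdict = "zip"
    elif looks_like_pe:
        verdict = "pe"
    else:
        verdict = "other"
    return {"verdict": verdict, "names": names, "prefix_len": prefix_len}


if __name__ == "__main__":
    poly = make_zip_exe_polyglot(build_zip_payload())
    print(classify(poly))
```

A non-zero prefix_len on a file that otherwise parses as a ZIP is by itself worth an alert: legitimate archives start their first local header at offset 0.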
Data theft via archiving
Compressing and encrypting stolen data before exfiltration is a standard technique documented in MITRE ATT&CK as T1560 (Archive Collected Data). Attackers may use a third-party archiver they bring along, archiving libraries compiled into their own tooling, or built-in Windows utilities such as diantz.exe and makecab.exe, which create CAB files and draw little attention because they are signed operating-system components.
Best practices for secure archive handling
Organizations should adapt protective measures according to their size, sector, and risk profile. To reduce exposure:
Test security solutions with edge cases like corrupted, exotic, or polyglot archives. If direct testing isn’t feasible, confirm with your vendor. At a minimum, validate email gateways, firewalls, and EDR/XDR tools. For example, ImgConvert Secure Mail Gateway includes sandboxing to block malicious attachments.
Ensure safe extraction. Confirm that your tools can analyze nested and oversized archives. Mail filters may sandbox attachments, while NGFWs might only check metadata. For oversized archives, block or quarantine instead of allowing unchecked access.
Ban risky archives. Block exotic or self-extracting formats unless strictly required. Use allowlists to limit which archivers can run in your environment, and disable unnecessary OS archivers. Ensure approved tools support MotW.
Disable auto-mounting of disk images. These behave similarly to archives and are often abused. Turn them off via group policies unless absolutely required.
Monitor archiver use. EDR and SIEM/XDR should detect unusual activity: launching files from temp folders, creating password-protected or oversized archives, or archiving network-shared files.
Restrict archive uploads in web apps. If not business-critical, disable. If necessary, ensure uploads are monitored by an EDR agent, apps are patched regularly, and directory permissions are tightly controlled.
Keep archivers updated as part of your vulnerability management cycle. Treat them with the same urgency as OS and office software patches.
Employee training. Teach staff to handle archives safely: be cautious of pop-ups, only use company-approved archivers, and immediately report any archive prompting for a password.
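Detection logic for the monitoring advice above, as an added example that is not code from the page or from any EDR vendor. It runs a handful of rules over Sysmon-style process-creation events: archive creation with a password switch, a split (multi-volume) archive, archiving from a UNC share, use of a built-in CAB tool, a child of an archiver executing from a Temp directory, and a double extension in the image name. The five events are constructed for the demonstration; the switch patterns follow the documented rar/7z command lines (a, -p, -hp, -v), and the rule names are assumed labels.

```python
import ntpath
import re
import shlex

ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe", "7zg.exe", "7zfm.exe"}
LOLBIN_ARCHIVERS = {"makecab.exe", "diantz.exe"}        # built-in CAB creators
CREATE_COMMANDS = {"a", "u", "m"}                        # rar/7z: add, update, move into archive
DOUBLE_EXT = re.compile(r"(?i)\.(?:pdf|docx?|xlsx?|jpe?g|png|txt)\.(?:exe|scr|com|bat|cmd|js|vbs|ps1)$")
TEMP_DIR = re.compile(r"(?i)\\(?:temp|tmp)\\")

# Constructed Sysmon-style events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Program Files\WinRAR\Rar.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Program Files\WinRAR\Rar.exe" a -hpStr0ngPass! -v50m C:\Users\jdoe\AppData\Local\Temp\st.rar \\fs01\finance\2024'},
    {"id": 2, "image": r"C:\Program Files\7-Zip\7z.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"7z.exe a -p -mhe=on D:\backup\photos.7z D:\photos"},
    {"id": 3, "image": r"C:\Users\jdoe\AppData\Local\Temp\Rar$EXa0.123\invoice.pdf.exe",
     "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Users\jdoe\AppData\Local\Temp\Rar$EXa0.123\invoice.pdf.exe"'},
    {"id": 4, "image": r"C:\Program Files\7-Zip\7z.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"7z.exe x C:\Users\jdoe\Downloads\update.zip -oC:\tools"},
    {"id": 5, "image": r"C:\Windows\System32\diantz.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"diantz.exe /f C:\Users\jdoe\AppData\Local\Temp\collect.ddf"},
]


def analyze(event: dict) -> list[str]:
    """Return the list of rule names that fire for one process-creation event."""
    alerts: list[str] = []
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent_image"]).lower()
    # posix=False keeps Windows backslashes and quoted paths intact.
    args = shlex.split(event["cmdline"], posix=False)[1:]

    if image in ARCHIVERS and args and args[0].lower() in CREATE_COMMANDS:
        switches = [a.lower() for a in args[1:] if a.startswith("-")]
        if any(s.startswith(("-p", "-hp")) for s in switches):
            alerts.append("password-protected-archive")
        if any(s.startswith("-v") for s in switches):
            alerts.append("split-archive")
        if any(a.startswith("\\\\") for a in args[1:]):
            alerts.append("network-share-archived")
    if image in LOLBIN_ARCHIVERS:
        alerts.append("lolbin-archiver")
    if parent in ARCHIVERS and TEMP_DIR.search(event["image"]):
        alerts.append("exec-from-archiver-temp")
    if DOUBLE_EXT.search(image):
        alerts.append("double-extension")
    return alerts


def run(events: list[dict]) -> dict[int, list[str]]:
    """Map each event id to the alerts it raised."""
    return {e["id"]: analyze(e) for e in events}


if __name__ == "__main__":
    for event_id, alerts in run(SAMPLE_EVENTS).items():
        print(event_id, alerts or "-")
```

Event 4 (a plain extraction) raises nothing, which is the false-positive check these rules need: archivers are everyday tools, so the signal is in the combination of creating an archive, hiding its contents, and pulling from shared storage, not in the archiver running at all.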