Security measures for handling archive files in organizations
Quote: Archives are being used in targeted phishing and other attacks on organizations. What tools, settings, and policies can mitigate the threat?

Archiving programs designed to simplify file storage and transfers have become common tools not only for users but also for attackers. Malicious archives are regularly found in both targeted attacks and ransomware incidents. Attackers mainly use them to bypass security measures, deceive users, and, of course, extract stolen data. This means cybersecurity and IT departments should pay close attention to how archives are handled in operating systems, business applications, and security tools. Let’s now look at how attackers can use archives.

Delivering malware by bypassing “Mark of the Web” warnings

Due to the logical features and vulnerabilities of certain archivers, when unpacked in Windows, the extracted files may not receive the “downloaded from the internet” attribute (Mark of the Web, or MotW). Technically, these attributes are stored in an NTFS alternate data stream: Zone.Identifier. If this identifier points to an external source (ZoneID = 3 or 4), Windows shows a warning when you attempt to run the executable file, and Office automatically opens potentially unsafe documents in Protected View.

By exploiting flaws in archivers, attackers bypass this layer of protection. The most recent vulnerability of this type is CVE-2025-31334 in WinRAR, but there are others: CVE-2025-0411 in 7-Zip, CVE-2024-8811 in WinZip, and more. Note that some archivers don’t support MotW at all, while others only apply it to certain file extensions, or only do so when files are unpacked in a certain way. A table comparing MotW support in archivers is available on GitHub.

Automatic malware execution via archiver vulnerabilities

When a user performs a seemingly safe action (like viewing an archive or opening a harmless-looking file within it), under certain conditions the archiver can execute a malicious file or shellcode. A recent example of such a vulnerability was CVE-2024-11477 in the Zstandard algorithm, used by 7-Zip for compression. This flaw hasn’t been seen in real-world attacks yet — unlike CVE-2023-38831 in WinRAR, which was widely exploited by attackers ranging from APT espionage groups to initial access brokers. This WinRAR vulnerability allowed execution of a file from an archive when trying to view an image if the EXE file was placed in a folder with the same name as the image.

In March 2025, a similar defect was discovered in an unusual place — the Vim editor, popular among *nix users. Its standard tar.vim plugin lets users view and edit files directly inside TAR archives. CVE-2025-27423 allowed arbitrary shell command execution when editing a file from a malicious archive.

Continue Reading...
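The two mechanisms described in the post above (the Zone.Identifier stream that carries Mark of the Web, and the CVE-2023-38831 "file plus same-named folder" archive layout) as one added worked example in Python. This is not code from the original post or from Kaspersky. It assumes the Zone.Identifier stream is addressed as `<path>:Zone.Identifier` (a real NTFS alternate data stream on Windows; on other filesystems Python simply creates a sibling file with that name, which is enough to exercise the logic offline), and the sample archive, URLs and member names are constructed for the demo.

```python
"""Propagate Mark of the Web from an archive to its extracted files, audit a
directory for files that lack it, and pre-screen ZIP member names for the
CVE-2023-38831-style layout. Added example, not the original post's code.
Assumption: '<path>:Zone.Identifier' addresses the MotW stream (real ADS on NTFS,
a plain sidecar file elsewhere)."""
import os
import tempfile
import zipfile

ADS_SUFFIX = ":Zone.Identifier"
UNTRUSTED_ZONES = {3, 4}  # ZoneId 3 = Internet, 4 = Restricted sites


def parse_zone_identifier(text):
    """Parse the INI-style stream body ([ZoneTransfer] section, key=value lines)."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            result[key.strip()] = value.strip()
    if "ZoneId" in result:
        result["ZoneId"] = int(result["ZoneId"]) if result["ZoneId"].isdigit() else None
    return result


def read_motw(path):
    """Return the parsed stream for `path`, or None when the file carries no MotW."""
    try:
        with open(str(path) + ADS_SUFFIX, "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except FileNotFoundError:
        return None


def write_motw(path, zone_id=3, referrer_url=None, host_url=None):
    """Stamp `path` the way a browser does: CRLF-terminated [ZoneTransfer] block."""
    lines = ["[ZoneTransfer]", f"ZoneId={zone_id}"]
    if referrer_url:
        lines.append(f"ReferrerUrl={referrer_url}")
    if host_url:
        lines.append(f"HostUrl={host_url}")
    with open(str(path) + ADS_SUFFIX, "w", encoding="utf-8", newline="\r\n") as f:
        f.write("\n".join(lines) + "\n")


def is_untrusted(path):
    """True when the file carries a MotW that Windows treats as external."""
    mark = read_motw(path)
    return bool(mark) and mark.get("ZoneId") in UNTRUSTED_ZONES


def suspicious_members(names):
    """Flag a file member whose name (trailing whitespace removed) coincides with a
    directory in the same archive, the layout CVE-2023-38831 exploited, plus any
    member name ending in whitespace."""
    dirs = set()
    for n in names:
        parts = n.split("/")
        for i in range(1, len(parts)):
            dirs.add("/".join(parts[:i]).rstrip())
    findings = []
    for n in names:
        if n.endswith("/"):
            continue
        if n.rstrip() in dirs:
            findings.append((n, "file shares a name with a directory (CVE-2023-38831 layout)"))
        elif n != n.rstrip():
            findings.append((n, "member name ends in whitespace"))
    return findings


def extract_with_motw(archive_path, dest, zone_id=None):
    """Extract the ZIP, refusing members that would land outside `dest` (zip-slip),
    then stamp every extracted file with the archive's own zone (or an explicit one).
    Returns (list of extracted file paths, zone id applied)."""
    if zone_id is None:
        mark = read_motw(archive_path)
        zone_id = mark.get("ZoneId") if mark else None
    dest = os.path.realpath(dest)
    extracted = []
    with zipfile.ZipFile(archive_path) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest, info.filename))
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError(f"refusing path traversal: {info.filename!r}")
            out = zf.extract(info, dest)
            if not info.is_dir():
                if zone_id in UNTRUSTED_ZONES:
                    write_motw(out, zone_id)
                extracted.append(out)
    return extracted, zone_id


def audit_unmarked(directory):
    """List files under `directory` that carry no Internet/Restricted MotW."""
    unmarked = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.endswith(ADS_SUFFIX):
                continue  # sidecar streams on non-NTFS filesystems
            path = os.path.join(root, name)
            if not is_untrusted(path):
                unmarked.append(path)
    return sorted(unmarked)


def demo():
    """Constructed input: a downloaded-looking ZIP and a CVE-2023-38831-shaped listing."""
    with tempfile.TemporaryDirectory() as work:
        archive = os.path.join(work, "invoice.zip")
        with zipfile.ZipFile(archive, "w") as zf:
            zf.writestr("docs/readme.txt", "hello")
            zf.writestr("setup.exe", "MZ...")
        write_motw(archive, 3, host_url="https://example.invalid/invoice.zip")
        out_dir = os.path.join(work, "out")
        _files, zone = extract_with_motw(archive, out_dir)
        return {
            "zone": zone,
            "unmarked": audit_unmarked(out_dir),
            "exe_untrusted": is_untrusted(os.path.join(out_dir, "setup.exe")),
            "bad_layout": suspicious_members(["poc.png ", "poc.png /", "poc.png /poc.png .cmd"]),
        }


if __name__ == "__main__":
    print(demo())
```

The extraction step does what the article faults some archivers for not doing: it reads the archive's own ZoneId and writes the same stream onto each extracted file, so SmartScreen and Office Protected View still trigger. The `suspicious_members` check is a pre-extraction screen, not a substitute for patching WinRAR; an archive that trips it should be quarantined rather than opened.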


Messages In This Thread
Security measures for handling archive files in organizations - by harlan4096 - 10 April 25, 16:55
