{
	"id": "42ceb4ba-6267-49a5-8823-7028f6a26145",
	"created_at": "2026-04-06T00:15:14.239415Z",
	"updated_at": "2026-04-10T03:21:50.597945Z",
	"deleted_at": null,
	"sha1_hash": "2ecc8844f755cdd3b19313c215469a57785b9718",
	"title": "Hackers Using Self-Extracting Archives Exploit for Stealthy Backdoor Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 410934,
	"plain_text": "Hackers Using Self-Extracting Archives Exploit for Stealthy Backdoor Attacks\r\nBy The Hacker News\r\nPublished: 2023-04-05 · Archived: 2026-04-05 22:03:37 UTC\r\nAn unknown threat actor used a malicious self-extracting archive (SFX) file in an attempt to establish persistent backdoor access to a victim's environment, new findings from CrowdStrike show.\r\nSFX files are capable of extracting the data contained within them without the need for dedicated software to display the file contents. They achieve this by including a decompressor stub, a piece of code that is executed to unpack the archive.\r\n\"However, SFX archive files can also contain hidden malicious functionality that may not be immediately visible to the file's recipient, and could be missed by technology-based detections alone,\" CrowdStrike researcher Jai Minton said.\r\nIn the case investigated by the cybersecurity firm, compromised credentials to a system were used to run a legitimate Windows accessibility application called Utility Manager (utilman.exe) and subsequently launch a password-protected SFX file.\r\nThis, in turn, is made possible by registering a debugger (another executable) for a specific program (in this case, utilman.exe) under the Image File Execution Options (IFEO) key in the Windows Registry, so that Windows automatically starts the configured debugger in the program's place every time the program is launched.\r\nThe abuse of utilman.exe is also noteworthy because it can be launched directly from the Windows login screen, before any user has authenticated, by using the Windows logo key + U keyboard shortcut, potentially enabling threat actors to configure backdoors via the Image File Execution Options Registry key.\r\n\"Closer inspection of the SFX archive revealed that it functions as a password-protected backdoor by abusing WinRAR setup options rather than containing any malware,\" Minton explained.\r\nSpecifically, the file is engineered to run PowerShell (powershell.exe), Command Prompt (cmd.exe), and Task Manager (taskmgr.exe) with NT AUTHORITY\\SYSTEM privileges once the right password is provided to the archive. Because utilman.exe started from the login screen runs as SYSTEM, so does the debugger that replaces it and anything that debugger launches.\r\n\"This type of attack is likely to remain undetected by traditional antivirus software that is looking for malware inside of an archive (which is often also password-protected) rather than the behavior from an SFX archive decompressor stub,\" Minton added.\r\nThis is not the first time SFX files have been employed in attacks as a means for attackers to stay undetected. In September 2022, Kaspersky disclosed a malware campaign that utilized links to such password-protected files to propagate RedLine Stealer.\r\nA month later, the infamous Emotet botnet was observed sending out an SFX archive that, once opened by a user, would automatically extract a second password-protected SFX archive, enter the password, and execute its content without further user interaction using a batch script.\r\nTo mitigate threats posed by this attack vector, it is recommended that SFX archives be opened with standalone unarchiving software rather than executed, so that any scripts or binaries the archive is set to extract and run upon execution (for WinRAR SFX files, the setup commands live in the archive comment) can be identified before anything runs.\r\nSource: https://thehackernews.com/2023/04/hackers-using-self-extracting-archives.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://thehackernews.com/2023/04/hackers-using-self-extracting-archives.html"
	],
	"report_names": [
		"hackers-using-self-extracting-archives.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434514,
	"ts_updated_at": 1775791310,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2ecc8844f755cdd3b19313c215469a57785b9718.pdf",
		"text": "https://archive.orkl.eu/2ecc8844f755cdd3b19313c215469a57785b9718.txt",
		"img": "https://archive.orkl.eu/2ecc8844f755cdd3b19313c215469a57785b9718.jpg"
	}
}
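The persistence mechanism the article describes, a "Debugger" value under Image File Execution Options (IFEO) that makes Windows launch an attacker-chosen executable whenever utilman.exe is started, is easy to audit from a registry export. The following is an added example written for this page; it is not code from CrowdStrike or The Hacker News. It parses the subset of REGEDIT5 `.reg` syntax needed (key headers and string/dword values), reports every IFEO image that carries a Debugger value, and flags images that winlogon can start from the login screen before authentication. The sample export, the paths in it, and the list of login-screen accessibility binaries beyond utilman.exe are constructed assumptions of this example, not indicators from the investigation.

```python
"""Audit a Windows registry export for IFEO "Debugger" values.

Added example for this page, not code from CrowdStrike or The Hacker News.
SAMPLE_REG below is constructed; the paths in it are not real indicators.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Windows launches the executable named in <image>\Debugger in place of the
# image itself, passing the original command line to the "debugger".
IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Accessibility helpers winlogon can start from the login screen, i.e. as
# SYSTEM and before anyone authenticates. utilman.exe (Win+U) is the one in
# the article; the others are an assumption of this example.
LOGON_SCREEN_BINARIES = {
    "utilman.exe", "sethc.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}


class Finding(NamedTuple):
    image: str              # executable the IFEO subkey applies to
    debugger: str           # what actually gets launched instead
    logon_reachable: bool   # image can be started pre-authentication


def _unescape_reg_string(raw: str) -> str:
    """Undo .reg quoting: doubled backslashes and escaped double quotes."""
    return re.sub(r'\\(["\\])', r'\1', raw)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and "name"=value lines into key -> {name: value}.
    String values are unescaped; other types (dword:, hex:) are kept raw."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            name, value = m.group(1), m.group(2)
            if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
                value = _unescape_reg_string(value[1:-1])
            keys[current][name] = value
    return keys


def find_ifeo_debuggers(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Return every direct IFEO image subkey that carries a Debugger value."""
    findings: List[Finding] = []
    prefix = IFEO_KEY.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        image = key[len(prefix):]
        if "\\" in image:   # nested subkeys are not image entries
            continue
        # Registry value names are case-insensitive.
        debugger = next((v for n, v in values.items() if n.lower() == "debugger"), None)
        if debugger:
            findings.append(Finding(image, debugger, image.lower() in LOGON_SCREEN_BINARIES))
    return findings


def audit(reg_text: str) -> List[str]:
    """One report line per finding, login-screen-reachable images first."""
    findings = sorted(find_ifeo_debuggers(parse_reg_export(reg_text)),
                      key=lambda f: not f.logon_reachable)
    return [
        f"{'HIGH' if f.logon_reachable else 'REVIEW'}: {f.image} -> {f.debugger}"
        + (" (launchable from the login screen)" if f.logon_reachable else "")
        for f in findings
    ]


# Constructed sample export: one IFEO backdoor on utilman.exe, one benign
# GlobalFlag entry, and one developer-style debugger on an ordinary program.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]
"Debugger"="C:\\Users\\Public\\update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\build.exe]
"Debugger"="\"C:\\Program Files\\Debugger\\windbg.exe\" -g"
'''

if __name__ == "__main__":
    for line in audit(SAMPLE_REG):
        print(line)
```

On a live host the same export is produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`; feed that file's contents to `audit`. Any Debugger value on a login-screen accessibility binary is worth treating as a backdoor until proven otherwise, and in the case above the configured "debugger" would be the password-protected SFX file itself.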