{
	"id": "a1e1a7ea-a7c7-467c-bea3-3cb668c7e1ff",
	"created_at": "2026-04-06T00:13:48.671769Z",
	"updated_at": "2026-04-10T03:21:51.354457Z",
	"deleted_at": null,
	"sha1_hash": "76021e4b94475bd6bb08a1b3d445b8f809838fe3",
	"title": "Self-Extracting Archives, Decoy Files and Their Hidden Payloads",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1894764,
	"plain_text": "Self-Extracting Archives, Decoy Files and Their Hidden Payloads\r\nBy Jai Minton - Falcon OverWatch Team\r\nArchived: 2026-04-05 23:43:44 UTC\r\nSelf-extracting (SFX) archive files have long served the legitimate purpose of easily sharing compressed files with someone who lacks the software to decompress and view the contents of a regular archive file. However, SFX archive files can also contain hidden malicious functionality that may not be immediately visible to the file’s recipient, and could be missed by technology-based detections alone.\r\nThe CrowdStrike® Falcon OverWatch™ team recently observed the use of a seemingly empty SFX archive as part of an interactive intrusion. Deeper investigation uncovered that this file — which could easily be overlooked by defenders — had the potential to provide the adversary with a persistent backdoor to the victim environment when paired with a specific registry key.\r\nSFX Archives in Business Environments\r\nSFX archives are executable files built by appending the content to be archived to a decompressor stub, which is what actually executes when the file is run. The stub decompresses and displays the file contents, so the recipient needs no specialized software.\r\nFigure 1. Standard SFX archive format: PE file header; decompressor/method stub (the executable code); archive file overlay (the content to be shared).\r\nBecause of the ubiquitous nature of unarchiving software, SFX archives are far less common in corporate settings than their standard compressed archive counterparts. 
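The layout in Figure 1 is what a triage tool works from: everything past the last PE section is overlay, and a WinRAR or 7-Zip SFX keeps its archive there, together with any script the stub will evaluate. The Python scanner below is an added example written for this page, not code from the original post or from CrowdStrike. It computes the overlay boundary from the PE section table, identifies the archive by signature, and pulls out any cleartext SFX script directives: the WinRAR Setup=, Silent= and Overwrite= commands that the post describes later, plus the 7-Zip installer-stub RunProgram= syntax, which goes beyond the WinRAR case the post covers. The PE and archive bytes it runs on are constructed inside the block, with an assumed minimal header layout that is enough for the overlay arithmetic but is not a loadable executable; the scanner does not model the RAR header format and will find nothing if the archiver stored the comment compressed.

```python
import struct

# Magic bytes of the archive formats commonly found behind an SFX stub.
ARCHIVE_SIGNATURES = {
    'RAR5': bytes.fromhex('526172211a070100'),   # Rar! 1a 07 01 00
    'RAR4': bytes.fromhex('526172211a0700'),     # Rar! 1a 07 00
    '7z':   bytes.fromhex('377abcaf271c'),       # 7z bc af 27 1c
}

# Script directives the decompressor stub itself evaluates. First group: WinRAR
# SFX script syntax (the post names Setup, Silent and Overwrite). Second group:
# 7-Zip installer-stub config syntax, included because the same triage applies.
SFX_DIRECTIVES = (
    b'Setup=', b'Presetup=', b'Silent=', b'Overwrite=', b'Path=', b'TempMode',
    b'Shortcut=', b'Update=', b'Delete=',
    b';!@Install@!', b'RunProgram=', b'ExecuteFile=',
)
LAUNCH_DIRECTIVES = ('Setup=', 'Presetup=', 'RunProgram=', 'ExecuteFile=')


def overlay_offset(pe):
    # Overlay starts where the last section's raw data ends (sections with no
    # raw data are skipped). A signed binary also keeps its Authenticode blob
    # in the overlay, so a non-empty overlay is a cue to look, not a verdict.
    if pe[:2] != b'MZ':
        raise ValueError('not a PE file: missing MZ header')
    e_lfanew = struct.unpack_from('<I', pe, 0x3c)[0]
    if pe[e_lfanew:e_lfanew + 4] != bytes.fromhex('50450000'):
        raise ValueError('not a PE file: missing PE signature')
    num_sections = struct.unpack_from('<H', pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from('<H', pe, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_size
    end = sec_table + 40 * num_sections        # at least the headers
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from('<II', pe, sec_table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end


def identify_archive(overlay):
    # (format, offset within overlay) of the earliest signature, or None.
    # Searching tolerates padding or a 7-Zip config block before the archive.
    best = None
    for name, magic in ARCHIVE_SIGNATURES.items():
        pos = overlay.find(magic)
        if pos != -1 and (best is None or pos < best[1]):
            best = (name, pos)
    return best


def find_sfx_directives(overlay, max_line=200):
    # Each cleartext script line starting with a known directive; lines end at
    # CR, LF or NUL. A compressed comment yields nothing here (see usage note).
    terminators = (bytes([13]), bytes([10]), bytes([0]))
    lines = []
    for directive in SFX_DIRECTIVES:
        start = 0
        while True:
            pos = overlay.find(directive, start)
            if pos == -1:
                break
            chunk = overlay[pos:pos + max_line]
            for term in terminators:
                cut = chunk.find(term)
                if cut != -1:
                    chunk = chunk[:cut]
            line = chunk.decode('latin-1')
            if line not in lines:
                lines.append(line)
            start = pos + len(directive)
    return lines


def scan_sfx(pe):
    # Full triage of one file: overlay boundary, archive type, visible directives.
    start = overlay_offset(pe)
    overlay = pe[start:]
    found = identify_archive(overlay)
    directives = find_sfx_directives(overlay) if found else []
    return {
        'overlay_offset': start,
        'overlay_size': len(overlay),
        'archive': found[0] if found else None,
        'archive_offset': start + found[1] if found else None,
        'directives': directives,
        'launches_program': any(d.startswith(LAUNCH_DIRECTIVES) for d in directives),
    }


def build_minimal_pe(stub, overlay=b''):
    # Constructed sample: DOS header, PE signature, COFF header with no optional
    # header, one section. Enough for the overlay arithmetic, not loadable.
    dos = bytearray(64)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3c, 64)          # e_lfanew
    coff = struct.pack('<HHIIIHH', 0x14c, 1, 0, 0, 0, 0, 0x102)
    raw_ptr = 0x200
    section = (b'.text'.ljust(8, bytes(1))
               + struct.pack('<IIII', len(stub), 0x1000, len(stub), raw_ptr)
               + bytes(16))
    headers = bytes(dos) + bytes.fromhex('50450000') + coff + section
    return headers.ljust(raw_ptr, bytes(1)) + stub + overlay


CRLF = bytes([13, 10])
# Constructed stand-in for the post's archive: RAR5 signature, filler, then a
# comment mirroring its Setup/Silent/Overwrite script and the decoy file name.
SAMPLE_OVERLAY = (
    ARCHIVE_SIGNATURES['RAR5'] + bytes(32) + b'CMT'
    + CRLF.join([b';The comment below contains SFX script commands',
                 b'Setup=powershell.exe', b'Setup=cmd.exe', b'Setup=taskmgr.exe',
                 b'Silent=1', b'Overwrite=1'])
    + bytes(8) + b'decoy.txt'
)
STUB = bytes([0xCC]) * 0x200               # stand-in for decompressor code
SAMPLE_SFX = build_minimal_pe(STUB, SAMPLE_OVERLAY)
PLAIN_EXE = build_minimal_pe(STUB)         # same stub, no overlay

if __name__ == '__main__':
    for label, sample in (('backdoored SFX', SAMPLE_SFX), ('plain executable', PLAIN_EXE)):
        print(label, scan_sfx(sample))
```

On a real file, call scan_sfx(open(path, 'rb').read()). Two caveats apply in practice: a non-empty overlay is normal for signed executables, so the archive signature and the directives are the signal, not the overlay itself; and if the directives are not visible in cleartext, carve the overlay from the reported archive offset and let the archiver display the comment rather than trusting a negative result from the string scan.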
Although many software installers also use an SFX archive for ease of installation, use of these archives is gaining traction among adversaries as a way of bypassing security tools and running malicious code.\r\nNot All SFX Archives Are Equal\r\nA wide variety of SFX decompressor stubs are in use, depending on the product used to create an SFX archive, and not all products have the same functionality. Many of these tools are widely available and user-friendly. Two examples of software that can create an SFX archive are 7-Zip and WinRAR; each ships its own decompressor stub, and both have features that can be used or abused.\r\nhttps://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/\r\nPage 1 of 11\r\nFigure 2. 7-Zip standard SFX archive prompt\r\nFigure 3. WinRAR standard SFX archive prompt\r\nPassword-Protected SFX Archives\r\nPassword-protected SFX archives are more likely to be seen in business environments where a commercial product is used to protect a file by encrypting it and requiring a password for access. The resulting file is often an SFX archive with an executable extension whose contents can only be accessed if the correct password is given. This same method of protecting files has also been used to facilitate intrusions.\r\nFigure 4. Example of WinRAR encrypted SFX archive prompt\r\nFigure 5. Example of 7-Zip encrypted SFX archive prompt\r\nA Trustwave blog post published in October 2022 details how the notorious Emotet botnet was sending out an SFX archive that, once opened by a user, would automatically extract a second password-protected SFX archive, enter the password, and execute its content without further user input. 
The archive also displayed a decoy file to avoid raising suspicion.\r\nNew evidence indicates that core SFX archive functionality is being abused in different ways.\r\nThe Curious Case of an Empty Archived File\r\nFalcon OverWatch threat hunters recently discovered an adversary attempting to establish persistence through the use of an Image File Execution Options debugger after gaining access to a system using compromised credentials.\r\nreg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.e\r\nThis command line attempts to configure a debugger in the Windows registry so that whenever utilman.exe is run, Windows instead launches the specified debugger executable with utilman.exe passed as a parameter. Utilman.exe is an accessibility application that can be run before user login. As such, it is commonly abused by adversaries to run a binary of their choosing at the Windows logon screen (commonly cmd.exe), bypassing the need to authenticate to a system should they lose access to the compromised credentials they were using. In addition, binaries run through this method are executed under the local system account (NT AUTHORITY\\SYSTEM), which allows running commands with higher privileges than those of a standard administrator account.\r\nFigure 6. Example of Utilman administrative command prompt at logon screen\r\nAlthough the abuse of utilman.exe is not a novel technique, the binary the Image File Execution Options key was pointing to was an SFX archive, which is unusual. Interestingly, this binary was password-protected, so although it is possible to trigger its execution with the debugger, it is not possible to unarchive it without the correct password. The execution path of this attack so far is as follows:\r\nFigure 7. 
Partial adversarial persistence attack chain\r\nOne of the advanced features of WinRAR SFX archive files is the ability to include extended SFX commands, which run upon successfully unarchiving a file. Among these commands is a Setup option used to specify an executable that should be run following successful unarchiving. This is commonly abused by adversaries to tell the decompressor stub to run malware contained within an SFX archive once it has been decompressed to disk. However, a malicious SFX archive doesn’t need to contain malware; instead it can invoke a malicious command using native tooling as part of the decompressor stub’s functions.\r\nUsing this information, Falcon OverWatch uncovered the hidden functionality of the SFX archive file. Because an SFX archive contains a valid archive, the metadata of each file it contains (such as file names, sizes and timestamps) is often not encrypted, even when the file contents are password-protected. Examination of the file metadata within this archive revealed that it contained an empty text file created in September 2022. Although an empty text file could be construed as benign, it served only as a decoy.\r\nCloser inspection of the SFX archive revealed that it functions as a password-protected backdoor by abusing WinRAR setup options rather than containing any malware. The file contained an archive comment that read “The comment below contains SFX script commands” and then included several setup commands to be run:\r\nFigure 8. 
WinRAR setup commands used as SFX archive backdoor\r\nThese comments are added to any SFX archive created using the advanced options; they tell the decompressor stub to automatically overwrite any existing files when extracting the archive, hide any dialogs involved in this process, and upon finishing run powershell.exe, cmd.exe and taskmgr.exe. Creating such a file through WinRAR shows these settings under “Advanced SFX options.”\r\nFigure 9. Example of WinRAR advanced SFX setup options\r\nFigure 10. Example of WinRAR advanced SFX overwrite options\r\nFigure 11. Example of WinRAR advanced SFX silent options\r\nBecause this SFX archive could be run from the logon screen, the adversary effectively had a persistent backdoor that could be used to run PowerShell, the Windows command prompt and Task Manager with NT AUTHORITY\\SYSTEM privileges, as long as the correct password was provided. This type of attack is likely to remain undetected by traditional antivirus software that looks for malware inside an archive (which is often also password-protected) rather than at the behavior of the SFX archive decompressor stub.\r\nFigure 12. Complete adversarial persistence attack chain\r\nRecreating this attack in a lab environment shows the outcome of running the ease-of-access utilman.exe binary.\r\nFigure 13. 
Example of backdoored SFX archive execution at logon screen\r\nFigure 14. Example of backdoored SFX archive execution with correct password at logon screen\r\nFalcon OverWatch Threat Hunters Recommend Proactive Defense in the Face of Widespread SFX Archive Abuse\r\nHunting across public and private malware repositories found a plethora of WinRAR SFX archives designed to function in different ways. These samples included some that act as download cradles designed to retrieve and invoke a remote payload in memory, some that unarchive a script used to launch malware contained within them, and some that launch malware within the archive but also display a decoy document to the user. Malicious samples that were either password-protected or that contained benign files but used WinRAR setup parameters to execute malicious commands had relatively low detection rates, either at submission or in some cases even after being publicly available for multiple years. This indicates that abuse of WinRAR SFX archives will likely continue to be an effective means for an adversary to remain undetected.\r\nBecause of the widespread abuse of SFX archives, it’s important to understand the extended functionality provided by some SFX archives, and the various ways adversaries are leveraging these in their intrusions. Some of the ways they’re being abused include:\r\n1. Encrypting a malicious script or executable in an SFX archive that extracts and executes once a correct password is provided.\r\n2. 
Compressing a benign file while attaching malicious commands, as an archive comment, that are evaluated by the SFX archive decompressor stub (in this instance, we note the use of WinRAR setup parameters).\r\n3. Displaying a decoy document from within an archive while silently running a malicious script or executable upon execution.\r\nTo combat this, security professionals should:\r\n1. Examine SFX archives through unarchiving software or other tools to view any scripts or executables that are set to extract and run upon execution.\r\n2. Look beyond what is contained within an SFX archive, and examine the functionality provided by the SFX archive decompressor stub itself to identify any commands that will be run before, during or after successful extraction.\r\n3. Develop a process to validate whether a password-protected SFX archive contains malicious or suspicious content.\r\n4. Thoroughly examine any SFX archive that contains only a null-byte file for any added functionality.\r\n5. Wherever possible, use installed unarchiving software to extract or view an SFX archive rather than running the SFX archive itself. Because the archive exists as an overlay, it can also be carved out of the executable using a hex editor if required.\r\nSource: https://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/"
	],
	"report_names": [
		"self-extracting-archives-decoy-files-and-their-hidden-payloads"
	],
	"threat_actors": [],
	"ts_created_at": 1775434428,
	"ts_updated_at": 1775791311,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/76021e4b94475bd6bb08a1b3d445b8f809838fe3.pdf",
		"text": "https://archive.orkl.eu/76021e4b94475bd6bb08a1b3d445b8f809838fe3.txt",
		"img": "https://archive.orkl.eu/76021e4b94475bd6bb08a1b3d445b8f809838fe3.jpg"
	}
}