What is a 7ZIP File
5/14/2025 - Brian O'Neill
7ZIP is a powerful and widely popular compressed archive format. It’s best known for the high compression ratios it offers, along with advanced features like AES-256 encryption and support for large files. Unlike its two popular alternatives in the compressed archive space – ZIP and RAR – 7ZIP is derived from the open-source 7z format, and it requires specific software (most commonly the 7-Zip utility) to open and unpack its compressed contents.

In this article, you’ll learn more about 7ZIP files – including what they are, how they’re structured, and what sets them apart from common archive alternatives. You’ll also learn how threat actors abuse 7ZIP features to evade detection in file-based cyberattacks, and how Cloudmersive’s Advanced Virus Scan API can help defend against these threats.

How 7ZIP Archives Are Structured

The 7z container that 7ZIP is based on was designed to provide more efficient compression and greater flexibility than older, widespread archive formats like ZIP.

The Basics

All 7ZIP archives contain a header, one or more compressed file “blocks”, optional encryption metadata, and a footer. They support a variety of compression algorithms – most notably LZMA and LZMA2 – which offer significantly better compression ratios than those used in ZIP files.

Advantages and Disadvantages

7ZIP largely sets itself apart in its ability to compress extremely large data sets – anything up to 16 exabytes (in theory) – and in its capacity to support extremely large file sizes (far beyond what ZIP or even RAR can comfortably handle). It also offers customizable compression settings, “solid” compression (treating multiple files as one block), and the option to encrypt both file contents and metadata. Unlike ZIP, however, 7ZIP lacks widespread native support across platforms; it usually requires dedicated software like 7-Zip, PeaZip, or WinRAR (with 7z support) to open.
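To make the header layout above concrete, here is an added example (written for this article, not Cloudmersive's or 7-Zip's code) that parses the fixed 32-byte 7z signature header with the Python standard library, checks both CRCs, reports whether the file list that follows is stored plain or packed/encrypted, and classifies an upload by its leading bytes rather than its file name. The layout and the two header-type bytes (0x01 plain, 0x17 encoded) follow the 7z format description shipped with the 7-Zip source; the `build_sample_7z` helper and the sample archives it produces are constructed for the example and are not complete, extractable archives.

```python
"""Parse the fixed 32-byte 7z signature header and sniff container type.

Added example (not Cloudmersive's or 7-Zip's code); stdlib only.
Layout of the signature header (little-endian), per 7zFormat.txt:
  bytes  0- 5  signature        '7z' BC AF 27 1C
  bytes  6- 7  version          major, minor
  bytes  8-11  StartHeaderCRC   CRC32 over bytes 12-31
  bytes 12-19  NextHeaderOffset (relative to the end of this header)
  bytes 20-27  NextHeaderSize
  bytes 28-31  NextHeaderCRC
The "next header" holds the file list, coder chain and crypto properties.
Its first byte says whether it is stored plain (0x01, kHeader) or packed
and possibly encrypted (0x17, kEncodedHeader).
"""
import struct
import zlib
from dataclasses import dataclass
from pathlib import PurePath
from typing import Optional

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
SIG_HEADER_LEN = 32
K_HEADER, K_ENCODED_HEADER = 0x01, 0x17

# Leading bytes an upload gate should recognise regardless of file name.
ARCHIVE_MAGICS = {"7z": SEVENZ_MAGIC, "zip": b"PK\x03\x04", "rar": b"Rar!\x1a\x07"}
EXPECTED_EXT = {"7z": {".7z"}, "zip": {".zip"}, "rar": {".rar"}}


@dataclass
class SignatureHeader:
    major: int
    minor: int
    next_header_offset: int
    next_header_size: int
    next_header_crc: int
    next_header_kind: str  # "empty", "plain", "encoded" or "unknown(0x..)"


def parse_signature_header(data: bytes) -> SignatureHeader:
    """Validate the signature header; raise ValueError on anything inconsistent."""
    if len(data) < SIG_HEADER_LEN:
        raise ValueError("shorter than a 7z signature header")
    if data[:6] != SEVENZ_MAGIC:
        raise ValueError("missing 7z signature")
    major, minor, start_crc, nh_off, nh_size, nh_crc = struct.unpack(
        "<BBIQQI", data[6:SIG_HEADER_LEN]
    )
    if zlib.crc32(data[12:SIG_HEADER_LEN]) != start_crc:
        raise ValueError("StartHeaderCRC mismatch (corrupt or tampered header)")
    nh_start = SIG_HEADER_LEN + nh_off
    nh_end = nh_start + nh_size
    if nh_size == 0:
        kind = "empty"  # an archive with no entries has no next header
    elif nh_end > len(data):
        raise ValueError("next header lies past end of data (truncated)")
    else:
        nh = data[nh_start:nh_end]
        if zlib.crc32(nh) != nh_crc:
            raise ValueError("NextHeaderCRC mismatch")
        kind = {K_HEADER: "plain", K_ENCODED_HEADER: "encoded"}.get(
            nh[0], f"unknown(0x{nh[0]:02x})"
        )
    return SignatureHeader(major, minor, nh_off, nh_size, nh_crc, kind)


def sniff_archive_type(data: bytes) -> Optional[str]:
    """Identify the container from its leading bytes, ignoring the file name."""
    for name, magic in ARCHIVE_MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def classify_upload(filename: str, data: bytes) -> dict:
    """Decide by content, not by extension, what an uploaded file is."""
    sniffed = sniff_archive_type(data)
    ext = PurePath(filename).suffix.lower()
    result = {"sniffed": sniffed, "extension": ext, "extension_matches": True, "notes": []}
    if sniffed is None:
        return result
    if ext not in EXPECTED_EXT[sniffed]:
        result["extension_matches"] = False
        result["notes"].append(f"content is {sniffed} but name says {ext or '(none)'}")
    if sniffed == "7z":
        hdr = parse_signature_header(data)
        result["next_header"] = hdr.next_header_kind
        if hdr.next_header_kind == "encoded":
            result["notes"].append("file list is packed/possibly encrypted; decode before trusting it")
    return result


def build_sample_7z(next_header: bytes) -> bytes:
    """Constructed sample: a valid signature header wrapped around a given next header.

    Enough for the checks above; NOT a complete, extractable archive.
    """
    tail = struct.pack("<QQI", 0, len(next_header), zlib.crc32(next_header))
    return SEVENZ_MAGIC + bytes([0, 4]) + struct.pack("<I", zlib.crc32(tail)) + tail + next_header
```

A gateway that sniffs content this way stops a `.pdf` that is really a 7z archive at the door, and an `encoded` next header tells it that the file list cannot be inspected until the header has been decoded (and, if the header was encrypted with the archive password, not without that password).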
Security Implications

From a security standpoint, limited support for 7ZIP means a reduced attack surface – especially compared to ZIP. However, 7ZIP’s compression advantages also provide fertile ground for attackers to hide malicious content from traditional antivirus (AV) software and other file inspection tools.

Why 7ZIP Files Are Attractive to Attackers

It’s always challenging for security tools to look inside compressed archive formats – and that’s especially true of 7ZIP, given its ability to encrypt file contents, file names, and archive metadata. Traditional AV software won’t be able to tell what’s inside a 7ZIP without full decryption – which may not even be possible if password-protection policies are applied to the archive. On top of that, excellent compression and large/high-volume file support mean attackers can nest hundreds – or even thousands – of files within a single archive. This staggering level of nesting makes static analysis of 7ZIP archives extremely difficult, especially considering that attackers typically obfuscate malicious files with fake extensions or names.

Common Attack Techniques Using 7ZIP Files

Below, we’ll take a closer look at several common ways attackers exploit 7ZIP files in file-based attacks.

Sharing Encrypted Payloads

Password-protected 7ZIP files are commonly used to deliver malware via phishing emails and drive-by downloads. In such cases, 7ZIP’s strong encryption makes it possible for compressed malicious files to bypass weakly configured security policies when scanned in transit or at upload. Once malicious 7ZIPs are delivered to a victim’s environment, attackers typically rely on social engineering tactics to complete the infection chain. An attacker might provide the archive’s password to the victim within the phishing message itself, disguised as part of some business process that’s recognizable to the victim in question – like accessing an invoice, shipping label, or HR document.
Confusing AV Software with Multi-Stage Archives

7ZIP files allow for multi-stage attacks. For example, an attacker might pack a dropper script, an obfuscated executable, and a secondary payload into a single archive. Packaging malicious content this way makes it easier for attackers to deploy complex threats which unfold in a specific sequence once the archive is opened. It can be challenging for network edge security policies to identify malicious programs when their “behavior” is divided into a series of separate parts.

Nested Archives and Archive “Bombs”

Solid compression, deep nesting, and large file support in 7ZIP allow attackers to create archive “bombs” – sometimes referred to as “ZIP bombs” (even when the ZIP file type isn’t involved) – which expand to enormous sizes once decompressed in the victim’s environment. These overloaded archives are designed to crash systems or exhaust memory in automated file handling environments, often resulting in Denial-of-Service or Remote Code Execution attacks.

Bypassing Upload Filters

Attackers can use 7ZIP archives to bypass simple MIME-type or file extension checks in web app upload workflows. Depending on the web app security configuration, attackers can sometimes simply compress malicious files (e.g., EXE or JS) in a 7ZIP and rename the archive with a phony extension. Once the archive is uploaded and extracted in the target environment, the malicious file(s) within can execute on the backend or trick a user into launching them.

Spotlight: CVE-2025-0411 – Mark-of-the-Web Bypass in 7-Zip

CVE-2025-0411 is a recently discovered vulnerability which exposes a critical flaw in 7-Zip’s handling of internet-sourced archive files. Specifically, it allows attackers to bypass Windows’ Mark-of-the-Web (MotW) protections – a security feature meant to flag and restrict potentially dangerous files downloaded from the web.
The actual vulnerability lies in how 7-Zip extracts files: it fails to carry over the MotW marker from the archive to its contents, even when the archive clearly originated online. Attackers can exploit this behavior by crafting malicious 7Z files and distributing them via phishing email campaigns or compromised website downloads. When a victim extracts the archive with 7-Zip software, the resulting files appear trusted to the operating system, bypassing browser warnings and running without the usual restrictions. This design flaw makes 7-Zip a particularly attractive tool for delivering hidden payloads, and it reinforces the importance of scanning archive contents, not just their wrappers.

Preventing 7ZIP-Based Threats with Cloudmersive

Cloudmersive’s Advanced Virus Scan API offers protections against archive-based threats, including those delivered via 7ZIP. It inspects all compressed 7ZIP contents – including nested directories and embedded files – to detect both known malware signatures and risky content like executables, password-protected files, macro-enabled files, scripts, and more. In-depth analysis ensures threats are flagged and blocked early in the upload processing workflow, including malware obfuscated in extremely complex archive structures. Integrating the Advanced Virus Scan API with web applications directly, at the network edge, or in defense of cloud storage instances allows enterprises to intercept dangerous files before they’re extracted, opened, or propagated downstream in sensitive system locations.

Conclusion

7ZIP files might appear to be simple compressed folders, but they’re much more: complex containers offering a high degree of flexibility, encryption, and compression. 7ZIP’s advantages make it an extremely useful compressed archive format in legitimate scenarios, and a compelling tool for attackers attempting to slip malware past our perimeter security policies.
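As an added illustration of the archive “bomb” defense from the Nested Archives section above (example code written for this article, not Cloudmersive's or 7-Zip's), the block below decodes the raw LZMA2 streams that 7z stores with a hard cap on the bytes it is willing to produce, plus an expansion-ratio check, using only Python's standard library. The `make_raw_lzma2` helper, the 2 MB all-zero bomb and the benign payload are constructed for the example, and the 100:1 ratio threshold is an assumed policy value.

```python
"""Bounded decompression of the LZMA2 streams 7z uses, as an archive-bomb guard.

Added example (not Cloudmersive's or 7-Zip's code); stdlib lzma only.
7z stores each folder's data as a raw LZMA/LZMA2 stream without container
framing, so the decoder is configured with FORMAT_RAW and an explicit LZMA2
filter. Sizes declared in an archive's file list are attacker controlled,
so the guard trusts only the bytes it has actually produced.
"""
import lzma

LZMA2_FILTERS = [{"id": lzma.FILTER_LZMA2}]
CHUNK = 64 * 1024  # decode in bounded steps so the cap is checked often


class DecompressionBomb(Exception):
    """Output limit exceeded before the stream ended."""


def bounded_decompress(blob: bytes, max_out: int) -> bytes:
    """Decode a raw LZMA2 stream, aborting once more than max_out bytes emerge."""
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_RAW, filters=LZMA2_FILTERS)
    out = bytearray()
    pending = blob  # handed to the decoder once; it buffers the unconsumed rest
    while True:
        chunk = dec.decompress(pending, max_length=CHUNK)
        pending = b""
        out += chunk
        if len(out) > max_out:
            raise DecompressionBomb(
                f"more than {max_out} bytes produced from {len(blob)} compressed bytes"
            )
        if dec.eof:
            break  # end marker seen: stream is complete
        if not chunk and dec.needs_input:
            raise ValueError("truncated stream: input exhausted before end marker")
    return bytes(out)


def inspect_stream(blob: bytes, max_out: int, max_ratio: float = 100.0) -> dict:
    """Policy wrapper: reject on cap, flag high expansion, otherwise accept.

    max_ratio=100 is an assumed policy value, not a standard.
    """
    try:
        data = bounded_decompress(blob, max_out)
    except DecompressionBomb as exc:
        return {"verdict": "reject", "reason": str(exc), "data": None}
    ratio = len(data) / max(len(blob), 1)
    if ratio > max_ratio:
        return {"verdict": "suspicious", "ratio": ratio, "data": data}
    return {"verdict": "accept", "ratio": ratio, "data": data}


def make_raw_lzma2(payload: bytes) -> bytes:
    """Constructed sample input: a raw LZMA2 stream like the ones inside a 7z folder."""
    return lzma.compress(payload, format=lzma.FORMAT_RAW, filters=LZMA2_FILTERS)


# Constructed samples: a tiny "bomb" (2 MB of zeros shrinks to a few hundred
# bytes) and a benign text payload with an ordinary expansion ratio.
BOMB_PAYLOAD_SIZE = 2 * 1024 * 1024
BENIGN_PAYLOAD = b"invoice 2025-05-14: 3 x widget @ 4.20 EUR\n" * 20

if __name__ == "__main__":
    bomb = make_raw_lzma2(b"\x00" * BOMB_PAYLOAD_SIZE)
    print("bomb compressed size:", len(bomb))
    print("bomb, 1 MB cap:", inspect_stream(bomb, max_out=1 << 20)["verdict"])
    print("bomb, 4 MB cap:", inspect_stream(bomb, max_out=4 << 20)["verdict"])
    print("benign:", inspect_stream(make_raw_lzma2(BENIGN_PAYLOAD), max_out=1 << 20)["verdict"])
```

The cap is enforced on bytes actually produced, never on sizes read from the archive's own file list, because those fields are under the attacker's control; a scanner that applies the same guard recursively to any archive it finds inside the output also covers the nested case.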
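For the Mark-of-the-Web discussion in the CVE-2025-0411 spotlight, here is an added example (not 7-Zip's or Cloudmersive's code) of how a defender can audit, after extraction, that files pulled out of an Internet-sourced archive still carry the Zone.Identifier stream. `SAMPLE_ZONE_STREAM` is constructed; the `file:Zone.Identifier` stream path and the ZoneId values are the ones Windows uses, but reading the stream only works on NTFS, so the parsing and comparison logic is kept separate from the file I/O and runs anywhere.

```python
"""Audit that files extracted from a downloaded archive kept Mark-of-the-Web.

Added example (not 7-Zip's or Cloudmersive's code). On NTFS the MotW is the
Zone.Identifier alternate data stream, an INI-style text whose ZoneId says
where the file came from (3 = Internet). An extractor that propagates the
mark writes the same stream onto each extracted file; this audit reports the
files that came out unmarked or with a more trusted zone than the archive.
"""
from typing import Dict, Iterable, List, Optional

ZONE_STREAM = "Zone.Identifier"
# URLZONE values: 0 local machine, 1 intranet, 2 trusted, 3 internet, 4 restricted
URLZONE_INTERNET = 3


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [ZoneTransfer] section."""
    fields: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def zone_id_from_text(text: str) -> Optional[int]:
    """ZoneId as an int, or None when the stream lacks a usable value."""
    try:
        return int(parse_zone_identifier(text)["ZoneId"])
    except (KeyError, ValueError):
        return None


def read_zone_id(path: str) -> Optional[int]:
    """Read the file's Zone.Identifier stream; None when absent or unsupported (non-NTFS)."""
    try:
        with open(f"{path}:{ZONE_STREAM}", "r", encoding="utf-8", errors="replace") as fh:
            return zone_id_from_text(fh.read())
    except OSError:
        return None


def find_unmarked(archive_zone: Optional[int],
                  extracted_zones: Dict[str, Optional[int]]) -> List[str]:
    """Paths whose mark is missing or more trusted than the archive's own.

    Nothing to audit when the archive itself carried no Internet-or-worse mark.
    """
    if archive_zone is None or archive_zone < URLZONE_INTERNET:
        return []
    return sorted(p for p, z in extracted_zones.items() if z is None or z < archive_zone)


def audit_extraction(archive_path: str, extracted_paths: Iterable[str]) -> List[str]:
    """Filesystem wrapper around find_unmarked (meaningful on NTFS only)."""
    return find_unmarked(read_zone_id(archive_path),
                         {p: read_zone_id(p) for p in extracted_paths})


# Constructed sample, shaped like the stream a browser writes on download.
SAMPLE_ZONE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://example.invalid/downloads/report.7z\r\n"
)
```

Run `audit_extraction` over the archive and its extraction directory after unpacking; an empty list means every extracted file carries at least the archive's zone, while any path it returns is one that SmartScreen and Office's Protected View will treat as local and trusted.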
To speak with an expert about defending your system with Cloudmersive’s Advanced Virus Scan API, please contact a member of our team.