CrowdStrike's Falcon OverWatch team has identified a sophisticated method used by adversaries to exploit self-extracting (SFX) archive files to bypass security measures and establish persistent backdoors. These SFX archives, which are typically used for legitimate file sharing, can be engineered with hidden malicious functionality, often undetected by traditional antivirus software. By abusing WinRAR's advanced setup options, adversaries can configure these archives to run commands such as PowerShell or cmd.exe with elevated privileges, effectively creating a backdoor accessible from the Windows logon screen. This technique underscores the need for proactive threat hunting and detailed examination of SFX archives to identify potential security threats, as these methods are likely to remain effective due to their low detection rates and the ability to execute commands without containing overt malware.
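The kind of detailed examination the paragraph calls for, as an added example that is not CrowdStrike's or WinRAR's code: a small Python scanner that looks for the WinRAR SFX script directives (Setup=, Presetup=, Silent=, Overwrite=, TempMode) in an archive's comment block and flags archives that launch a command interpreter while suppressing the extraction dialogs. It assumes the comment is stored uncompressed, which is the common case; the sample bytes and the interpreter list are constructed for the example.

```python
import re

# Directives WinRAR honours in an SFX archive's comment (its "SFX script").
# Setup=/Presetup= launch a program after/before extraction; Silent=,
# Overwrite= and TempMode suppress the dialogs a user would otherwise see.
RUN_RE = re.compile(rb"^\s*(Setup|Presetup)\s*=\s*(.+?)\s*$", re.I | re.M)
QUIET_RE = re.compile(rb"^\s*(Silent\s*=\s*[12]|Overwrite\s*=\s*[12]|TempMode\b)",
                      re.I | re.M)
# Interpreters and script hosts whose appearance in Setup= deserves a look.
INTERPRETERS = ("cmd", "powershell", "pwsh", "wscript", "cscript", "mshta",
                "rundll32", "regsvr32")


def _program(cmd: str) -> str:
    """Base name (without .exe) of the program a Setup= line launches."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    prog = (m.group(1) or m.group(2)) if m else ""
    return prog.replace("/", "\\").rsplit("\\", 1)[-1].lower().removesuffix(".exe")


def scan_sfx(data: bytes) -> dict:
    """Extract run directives from SFX bytes and give a simple verdict.

    Assumption: the comment block is stored uncompressed, so the directives
    are visible as plain text. A compressed comment needs a real RAR parser.
    """
    runs = []
    for m in RUN_RE.finditer(data):
        cmd = m.group(2).decode("latin-1")
        runs.append({"directive": m.group(1).decode().capitalize(),
                     "command": cmd,
                     "interpreter": _program(cmd) in INTERPRETERS})
    quiet = [m.group(1).decode() for m in QUIET_RE.finditer(data)]
    # Interpreter launch plus dialog suppression is the combination the
    # paragraph describes; either alone is common in legitimate installers.
    suspicious = any(r["interpreter"] for r in runs) and bool(quiet)
    return {"runs": runs, "quiet_flags": quiet, "suspicious": suspicious}


# Constructed samples: a fake PE stub followed by a WinRAR-style comment block.
SUSPICIOUS_SFX = (
    b"MZ\x90\x00" + b"\x00" * 16 + b"...stub...\n"
    b";The comment below contains SFX script commands\n"
    b"Path=%TEMP%\\svc\n"
    b"Setup=powershell.exe -File update.ps1\n"
    b"Silent=1\nOverwrite=1\n"
)
BENIGN_SFX = b"MZ\x90\x00...stub...\nTitle=Driver package\nSetup=setup.exe\nOverwrite=1\n"
```

Run `scan_sfx` over each candidate file and route the ones it marks suspicious to an analyst; the verdict is a triage signal, not proof of malice, since legitimate installers also use Setup= and Silent=.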