Attackers used a nested archive technique (an archive inside another archive). While the outer file (like 3sg.7z ) would be flagged by Windows as downloaded from the internet, the inner archive would not inherit this "Mark of the Web" tag.
Opening it reveals an inner archive (sometimes disguised with Cyrillic characters to look like a document). 3sg.7z
This inner file triggers an automatic download of a final malware payload, bypassing MotW restrictions entirely. Attackers used a nested archive technique (an archive