Mark of the Web (MoTW) Bypass Vulnerability
Overview
Mark of the Web (MoTW) is a Windows feature that identifies files downloaded from the Internet, displays a security warning, and restricts such files by showing a warning before execution or opening them in a protected mode. However, threat actors have been bypassing Mark of the Web (MoTW) in various ways and using these methods for initial access or malware distribution. This post covers the basic concepts and components of Mark of the Web (MoTW), as well as its main vulnerabilities and exploitation cases.
What Is Mark Of The Web?
Mark of the Web (MoTW) is a security feature of the Microsoft Windows operating system that adds an NTFS Alternate Data Stream (ADS) called “Zone.Identifier” to files downloaded from the Internet, indicating the file’s source. This feature displays a security warning or restricts the file from being executed when a user tries to run a file downloaded from the Internet.
Files with Mark of the Web (MoTW) have the following characteristics:
- Microsoft Office document: Opened in Protected View mode
- Executable file (.exe, .dll): Windows SmartScreen warning
- Script file (.js, .vbs, .ps1): Warning or block message when executed
For example, when a user tries to open an executable file (.exe), a script file (.ps1), or an Office document (.docx, .xlsx) downloaded from the Internet, the following security warning message appears.
Figure 1. An Office document with Mark of the Web (MoTW) applied
Figure 2. An executable file with Mark of the Web (MoTW) applied
The Zone.Identifier alternate data stream (ADS) is attached to the file and is addressed in the form “FileName:Zone.Identifier:$DATA”. It contains information about the file’s source in a ZoneTransfer section, formatted as follows:
| Zone.Identifier field | Description |
|---|---|
| [ZoneTransfer] | Marks the Zone.Identifier section |
| ZoneId= | Security zone of the file |
| ReferrerUrl= | Web page from which the file was downloaded |
| HostUrl= | URL from which the file was actually downloaded |
Windows categorizes the security zone information (ZoneId) of files as follows.
| ZoneId | Description |
|---|---|
| 1 | Local computer zone |
| 2 | Local intranet zone |
| 3 | Trusted site zone |
| 4 | Internet zone (MOTW applied by default) |
| 5 | Restricted site zone |
The Zone.Identifier for a specific file can be checked from the command line or from PowerShell:
Figure 3. Checking Zone.Identifier using CmdLine
Figure 4. Checking Zone.Identifier using PowerShell
Mark of the Web (MoTW) Bypass Vulnerabilities and Exploits
Recently, various Mark of the Web (MoTW) bypass vulnerabilities have been discovered, and threat actors are exploiting them to distribute malware or for initial access.
1. 7-Zip Mark of the Web (MoTW) Bypass Vulnerability (CVE-2025-0411)
Normally, files extracted from a compressed file inherit the Mark of the Web (MoTW) property of the archive. However, a vulnerability (CVE-2025-0411) was discovered in 7-Zip versions before 24.09 in which the Mark of the Web (MoTW) flag is not properly propagated to files inside double-compressed (nested) archives. This vulnerability can be exploited to execute files inside double-compressed archives without triggering a security warning. It was exploited in a zero-day attack by Russian threat actors targeting government and private organizations in Ukraine from September 2024, and the threat actors used it to distribute malware such as SmokeLoader.
2. LNK Stomping (CVE-2024-38217)
Windows shortcut (.lnk) files point to executable files; when a user clicks on a shortcut file, the program it points to is executed. By default, MOTW is applied to these files. However, when a shortcut file points to an executable whose path ends with additional characters (e.g., a trailing period), such as powershell.exe., Windows automatically removes the additional characters from the path and saves the modified shortcut file back to disk. In this process, the MOTW is removed. As a result, SmartScreen and Smart App Control do not flag the file, allowing the malware to execute without any warnings. Elastic Security researcher Joe Desimone published a blog post in August 2024 about this vulnerability, which had been exploited by threat actors for years.
3. Copy2Pwn (CVE-2024-38213)
WebDAV is a protocol that extends HTTP and supports file sharing and version management. When files are copied from a WebDAV shared folder, Windows Explorer copies them without applying the Mark of the Web (MOTW) property. This vulnerability was exploited in real attacks such as the DarkGate campaign: threat actors used WebDAV shares to distribute malicious files and install malware like LummaStealer on users’ systems to steal sensitive data.
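The following Python script is an added example (not code from the original post) that ties the Zone.Identifier structure described above to the bypass cases in this section: it parses the [ZoneTransfer] section, classifies the ZoneId, and audits a list of files (for instance the output of a nested-archive extraction or a copy from a WebDAV share) for entries that carry no Internet-zone mark. Zone numbers follow the URLZONE enumeration used by urlmon (0 local machine through 4 restricted sites), so a file downloaded from the Internet zone carries ZoneId=3; the sample stream and file names are constructed, and the `reader` parameter is a hypothetical hook so the audit can run without an NTFS volume.

```python
"""Parse Zone.Identifier streams and audit files for a missing Mark of the Web."""
from typing import Callable, Dict, Iterable, List, Optional

# Zone numbering from urlmon's URLZONE enumeration (assumption stated in the lead-in).
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
MOTW_ZONES = {3, 4}  # zones for which SmartScreen / Protected View apply

# Constructed sample of a Zone.Identifier stream as written by a browser download.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.test/page\r\n"
                 "HostUrl=https://example.test/file.exe\r\n")


def parse_zone_identifier(stream: str) -> Dict[str, str]:
    """Parse the INI-style [ZoneTransfer] section into a key -> value dict."""
    fields: Dict[str, str] = {}
    in_section = False
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):          # section header; only ZoneTransfer matters
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def motw_zone(stream: Optional[str]) -> Optional[int]:
    """Return the ZoneId as an int, or None if the stream is absent or malformed."""
    if stream is None:
        return None
    zone = parse_zone_identifier(stream).get("ZoneId")
    return int(zone) if zone is not None and zone.isdigit() else None


def read_ads(path: str) -> Optional[str]:
    """Read a file's Zone.Identifier ADS on NTFS; None when the stream does not exist."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def audit(paths: Iterable[str],
          reader: Callable[[str], Optional[str]] = read_ads) -> List[str]:
    """Return the paths whose ZoneId is not Internet/Restricted, i.e. the MoTW is missing."""
    return [p for p in paths if motw_zone(reader(p)) not in MOTW_ZONES]
```

Run `audit(extracted_paths)` on a Windows host over the files produced by an archive extraction or a WebDAV copy; any path it returns would open or execute without the SmartScreen or Protected View checks.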
Conclusion
Mark of the Web (MoTW) bypass vulnerabilities increase security risk by allowing malicious files to be executed on user systems without warnings, and their exploitation can cause serious damage. To prevent this, users must apply the latest security updates and avoid opening suspicious files. It is also necessary to use security software that checks the source of files based on the MOTW property and detects malicious files.
Resources
- MITRE ATT&CK – Mark of the Web
- https://www.trendmicro.com/en_us/research/25/a/cve-2025-0411-ukrainian-organizations-targeted.html
- https://www.elastic.co/security-labs/dismantling-smart-app-control
- https://veriti.ai/blog/veriti-research/cve-2024-38213