New CTI Lab: CVE-2025-0411 (7-ZIP MoTW bypass) – Defensive
Today, we've released a brand-new lab focusing on attack chain analysis of SmokeLoader and the associated 7-Zip vulnerability tracked as CVE-2025-0411.
The Zero Day Initiative (ZDI) team at Trend Micro identified exploitation of a zero-day vulnerability in the 7-Zip application, tracked as CVE-2025-0411, which was used in a SmokeLoader malware campaign targeting Eastern European entities. 7-Zip is used all over the world by individuals and organizations, so it's essential that users understand this campaign.
CVE-2025-0411 (7-ZIP MoTW bypass) – Defensive
CVE-2025-0411 is a Mark-of-the-Web (MoTW) bypass vulnerability that affects 7-Zip installations older than version 24.09. It allows attackers to bypass the MoTW protection mechanism in the Windows operating system, which is designed to warn users before they run potentially malicious software they have downloaded.
Bypassing MoTW increases an attacker's chances of a successful phishing attempt, and phishing is one of the most common ways attackers get into organizations. When MoTW is bypassed, users receive no warning of potential malicious intent when they execute a downloaded file. Because of this, attackers spend a lot of time looking for new MoTW bypasses, and such vulnerabilities are frequently fixed in Microsoft's Patch Tuesday releases due to their prevalence.
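As an added, defensive-side example (not from the lab or the original post), the PowerShell audit below checks the installed 7-Zip version against the fixed 24.09 release and lists which files under a download folder still carry the Zone.Identifier stream that MoTW relies on. The registry key, the `ProductVersion` field of `7z.exe` and the default scan folder are assumptions about a standard 7-Zip install on an NTFS volume.

```powershell
# Added defensive audit (not part of the original post). Assumes 7-Zip was
# installed with its normal installer (HKLM:\SOFTWARE\7-Zip holds the install
# path) and that $ScanPath is an NTFS folder where downloaded archives land.
param(
    [string]$ScanPath = "$env:USERPROFILE\Downloads"
)

# Versions before 24.09 are affected by CVE-2025-0411.
$FixedVersion = [version]'24.09'

# 1. Is the installed 7-Zip older than the fixed release?
$sevenZip = Get-ItemProperty -Path 'HKLM:\SOFTWARE\7-Zip' -ErrorAction SilentlyContinue
$exePath  = if ($sevenZip) { Join-Path $sevenZip.Path '7z.exe' } else { $null }
if ($exePath -and (Test-Path $exePath)) {
    # Assumption: 7z.exe reports its release as ProductVersion, e.g. "24.09".
    $installed = [version](Get-Item $exePath).VersionInfo.ProductVersion
    if ($installed -lt $FixedVersion) {
        Write-Warning "7-Zip $installed is older than $FixedVersion and is affected by CVE-2025-0411"
    } else {
        Write-Host "7-Zip $installed is at or above the fixed version $FixedVersion"
    }
} else {
    Write-Host '7-Zip not found in the registry; skipping version check'
}

# 2. Which files under $ScanPath carry the Zone.Identifier (MoTW) stream?
# A file downloaded from the internet normally has ZoneId=3 in that stream, and
# files extracted from such an archive should inherit it. Extracted files with
# HasMoTW = False would not trigger the Windows warning and deserve a closer look.
Get-ChildItem -Path $ScanPath -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
    $zone   = Get-Content -Path $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    $line   = $zone | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    $zoneId = if ($line) { [int]($line -replace '^ZoneId=', '') } else { $null }
    [pscustomobject]@{
        File    = $_.FullName
        ZoneId  = $zoneId
        HasMoTW = [bool]$line
    }
} | Sort-Object HasMoTW | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the registry read and the stream reads succeed; the table groups files missing MoTW at the top for triage.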
Why should you care?
Bypassing security controls is ideal for attackers. If Windows does not warn users about the files they have downloaded, the chances of the attack chain executing successfully are much higher! Therefore, we created a lab to show defensive teams what this attack process looks like and how to identify each stage.
The lab teaches you what to look out for when this vulnerability is exploited and how campaigns have used it in the real world.
Who is it for?
- Incident responders
- SOC analysts
- Malware reverse engineers
- CTI Analysts
- Threat Hunters
Here is the link to the 7zip lab: https://immersivelabs.com/labs/cve-2025-0411-7-zip-motw-bypass-defensive
Related Labs, designed to give you similar skills:
https://immersivelabs.online/series/elasticsearch-threat-hunting-apt29/labs
https://immersivelabs.online/series/introduction-to-elastic/labs