{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cab/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["motw","bypass","phishing","defense-evasion","archive","7-zip","cab","tar"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA new MOTW bypass technique has emerged that chains four archive layers: the payload is placed in a TAR archive, that TAR inside a second TAR, the nested pair inside a 7-Zip archive, and the 7-Zip archive inside a CAB file. When the victim extracts the downloaded CAB, the inner files are written without the Zone.Identifier alternate data stream that the downloaded CAB itself carried, so SmartScreen prompts and other MOTW-based warnings never appear for the payload. Many organizations rely on MOTW and SmartScreen as a key layer of defense against phishing. The bypass works on fully patched systems: a user who runs the extracted payload does so without the usual warnings, which can lead to malware infection or data compromise. 
The technique is not a rehash of older 7-Zip MOTW issues but a novel way to evade defenses that depend on the Zone.Identifier stream.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious payload.\u003c/li\u003e\n\u003cli\u003eThe attacker packages the payload into a TAR archive.\u003c/li\u003e\n\u003cli\u003eThat TAR archive is nested inside a second TAR archive.\u003c/li\u003e\n\u003cli\u003eThe nested TAR archives are compressed into a 7-Zip archive using \u003ccode\u003e7z.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe 7-Zip archive is packaged into a CAB archive using \u003ccode\u003emakecab.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe CAB archive is delivered to the victim, for example via phishing or drive-by download; as a downloaded file it carries a Zone.Identifier stream.\u003c/li\u003e\n\u003cli\u003eThe victim opens the CAB archive and extracts the nested 7-Zip, TAR, and payload.\u003c/li\u003e\n\u003cli\u003eThe extracted payload has no Zone.Identifier stream, so when the victim runs it, SmartScreen and other MOTW-based checks are not triggered and the code executes with no warning.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation lets attackers bypass security controls that rely on MOTW and SmartScreen, which can lead to malware infection, data breaches, or other malicious activity. Because the bypass works in fully patched environments, the population of potential victims is broad. Any control keyed to the Zone.Identifier stream is affected, including SmartScreen, Office Protected View, and the \u0026ldquo;Unblock\u0026rdquo; option in file properties; controls that do not consult the stream, such as application control policies and behavioural EDR detections, still apply to the extracted payload. 
The absence of security warnings makes it more likely that users will execute the malicious payload, increasing the success rate of attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement detections for unusual process chains involving \u003ccode\u003emakecab.exe\u003c/code\u003e, \u003ccode\u003e7z.exe\u003c/code\u003e, and \u003ccode\u003etar.exe\u003c/code\u003e, since these tools build the chain (see Sigma rule \u0026ldquo;Detect Suspicious Archive Chaining\u0026rdquo;). Note that the build step normally runs on the attacker's own machine, so on managed endpoints this rule mainly catches staging by an attacker who already has a foothold, or internal red-team activity.\u003c/li\u003e\n\u003cli\u003eMonitor for archive extractions from unusual locations, especially nested archives (\u003ccode\u003e.7z\u003c/code\u003e, \u003ccode\u003e.tar\u003c/code\u003e) and executable files written by an extractor shortly after a CAB file lands in a download location, using file event logging and process monitoring (see Sigma rule \u0026ldquo;Detect Archive Extraction from Downloaded CAB\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eAnalyze network connections from processes spawned from archive extractions, as they may indicate command and control or data exfiltration.\u003c/li\u003e\n\u003cli\u003eDo not treat MOTW and SmartScreen as the only layer: application control policies (WDAC, AppLocker) and EDR behavioural rules do not depend on the Zone.Identifier stream and continue to apply to the extracted payload.\u003c/li\u003e\n\u003cli\u003eThe URL \u003ccode\u003ehttps://youtu.be/pQxiPwGTBL8\u003c/code\u003e cited in the source reporting is a YouTube reference link for the technique, not an indicator of compromise; blocking it does not mitigate the bypass and it should not be added to block lists as malicious content.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T17:31:15Z","date_published":"2026-03-19T17:31:15Z","id":"/briefs/2026-03-motw-bypass/","summary":"A newly discovered Mark of the Web (MOTW) bypass technique uses a chain of CAB, TAR, and 7-Zip archives to circumvent SmartScreen and execute files without security warnings.","title":"MOTW Bypass via CAB, TAR, and 7-Zip Chaining","url":"https://feed.craftedsignal.io/briefs/2026-03-motw-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Cab","version":"https://jsonfeed.org/version/1.1"}
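The two detections the recommendations refer to, worked through as an added example (this is not code from the feed, from the Sigma rules it names, or from the source reporting): the first rule looks for the attacker-side build chain (tar.exe, 7z.exe, makecab.exe) in process-create events, the second joins Sysmon file-create events to their creating process and alerts when a CAB that received a Zone.Identifier stream is followed by extraction of nested .7z/.tar layers and a payload, reporting which payloads never got a stream of their own. The Sysmon field names (User, ProcessGuid, UtcTime, TargetFilename, Contents), the second-resolution timestamp format, the Downloads path, the extractor and payload extension lists, and the time windows are assumptions; the sample events are constructed, not captured telemetry.

```python
"""Detection logic for the CAB -> 7-Zip -> TAR -> TAR MOTW-bypass chain, run over
Sysmon-style events (EventID 1 process create, 11 file create, 15 file stream
create, which is what fires when a download receives its Zone.Identifier stream).
The sample events at the bottom are constructed for illustration, not captured
telemetry; the field set (User, ProcessGuid, UtcTime, ...) is assumed."""
import ntpath
import re
from datetime import datetime, timedelta

BUILD_TOOLS = {"makecab.exe", "7z.exe", "tar.exe"}          # attacker-side packaging
EXTRACTORS = {"explorer.exe", "expand.exe", "extrac32.exe",  # victim-side unpacking (assumed list)
              "7zfm.exe", "7zg.exe", "7z.exe", "tar.exe"}
ARCHIVE_EXTS = {".cab", ".7z", ".tar"}
PAYLOAD_EXTS = {".exe", ".dll", ".scr", ".msi", ".js", ".vbs", ".hta", ".lnk", ".bat", ".cmd", ".ps1"}
DOWNLOAD_DIR = re.compile(r"\\downloads\\", re.IGNORECASE)   # assumed landing directory


def _name(path):
    return ntpath.basename(path).lower()


def _ext(path):
    return ntpath.splitext(path)[1].lower()


def _time(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")   # assumed timestamp format


def detect_archive_chaining(events, window=timedelta(minutes=10)):
    """Rule 1 ("Detect Suspicious Archive Chaining"): makecab.exe run by a user who also
    ran 7z.exe and tar.exe within `window`, or makecab.exe handed a .7z directly.
    Fires where the chain is *built*, i.e. on a compromised host used for staging."""
    procs = sorted((e for e in events if e["EventID"] == 1), key=_time)
    alerts = []
    for ev in procs:
        if _name(ev["Image"]) != "makecab.exe":
            continue
        t = _time(ev)
        recent = {_name(p["Image"]) for p in procs
                  if p["User"] == ev["User"] and t - window <= _time(p) <= t}
        if BUILD_TOOLS <= recent or ".7z" in ev["CommandLine"].lower():
            alerts.append({"rule": "archive_chaining", "user": ev["User"],
                           "tools": sorted(recent & BUILD_TOOLS), "cmd": ev["CommandLine"]})
    return alerts


def detect_extraction_from_cab(events, window=timedelta(minutes=30)):
    """Rule 2 ("Detect Archive Extraction from Downloaded CAB"): a .cab that received a
    Zone.Identifier stream (EventID 15) is followed, for the same user, by extractor
    processes writing at least two nested archives (.7z/.tar) and then a payload file
    under Downloads.  File creates are joined to their process by ProcessGuid, and the
    alert records which payloads never received a Zone.Identifier stream of their own."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    tagged = {e["TargetFilename"].lower() for e in events if e["EventID"] == 15}
    extracts = []                                   # (time, user, path) written by extractors
    for ev in sorted((e for e in events if e["EventID"] == 11), key=_time):
        proc = procs.get(ev["ProcessGuid"])
        target = ev["TargetFilename"]
        if (proc is None or _name(proc["Image"]) not in EXTRACTORS
                or not DOWNLOAD_DIR.search(target)
                or _ext(target) not in ARCHIVE_EXTS | PAYLOAD_EXTS):
            continue
        extracts.append((_time(ev), proc["User"], target))
    alerts = []
    for cab in (e for e in events if e["EventID"] == 15 and _ext(e["TargetFilename"]) == ".cab"):
        t0 = _time(cab)
        chain = [x[2] for x in extracts if x[1] == cab["User"] and t0 <= x[0] <= t0 + window]
        layers = [p for p in chain if _ext(p) in {".7z", ".tar"}]
        payloads = [p for p in chain if _ext(p) in PAYLOAD_EXTS]
        if len(layers) >= 2 and payloads:
            alerts.append({"rule": "extraction_from_downloaded_cab", "user": cab["User"],
                           "cab": cab["TargetFilename"], "layers": layers,
                           "payloads_without_motw": [p for p in payloads if p.lower() not in tagged]})
    return alerts


def _ev(eid, t, user, image, guid, **fields):
    return {"EventID": eid, "UtcTime": t, "User": user, "Image": image, "ProcessGuid": guid, **fields}


SAMPLE_EVENTS = [  # constructed events, not real telemetry
    # Staging host: the attacker builds the chain (steps 2-5 of the attack chain).
    _ev(1, "2026-03-18 09:00:01", "LAB\\dev", r"C:\Windows\System32\tar.exe", "{A1}", CommandLine="tar.exe -cf inner.tar payload.exe"),
    _ev(1, "2026-03-18 09:00:05", "LAB\\dev", r"C:\Windows\System32\tar.exe", "{A2}", CommandLine="tar.exe -cf outer.tar inner.tar"),
    _ev(1, "2026-03-18 09:00:09", "LAB\\dev", r"C:\Program Files\7-Zip\7z.exe", "{A3}", CommandLine="7z.exe a stage.7z outer.tar"),
    _ev(1, "2026-03-18 09:00:15", "LAB\\dev", r"C:\Windows\System32\makecab.exe", "{A4}", CommandLine="makecab.exe stage.7z invoice.cab"),
    # Victim host: the browser download tags the CAB with a stream, then the user unpacks each layer.
    _ev(1, "2026-03-19 10:00:00", "CORP\\alice", r"C:\Windows\explorer.exe", "{V0}", CommandLine="C:\\Windows\\explorer.exe"),
    _ev(15, "2026-03-19 10:02:00", "CORP\\alice", r"C:\Program Files\Microsoft\Edge\Application\msedge.exe", "{V1}",
        TargetFilename=r"C:\Users\alice\Downloads\invoice.cab", Contents="[ZoneTransfer]\nZoneId=3"),
    _ev(11, "2026-03-19 10:02:30", "CORP\\alice", r"C:\Windows\explorer.exe", "{V0}", TargetFilename=r"C:\Users\alice\Downloads\invoice.7z"),
    _ev(1, "2026-03-19 10:02:40", "CORP\\alice", r"C:\Program Files\7-Zip\7zFM.exe", "{V2}",
        CommandLine='"C:\\Program Files\\7-Zip\\7zFM.exe" "C:\\Users\\alice\\Downloads\\invoice.7z"'),
    _ev(11, "2026-03-19 10:02:50", "CORP\\alice", r"C:\Program Files\7-Zip\7zFM.exe", "{V2}", TargetFilename=r"C:\Users\alice\Downloads\outer.tar"),
    _ev(11, "2026-03-19 10:03:05", "CORP\\alice", r"C:\Program Files\7-Zip\7zFM.exe", "{V2}", TargetFilename=r"C:\Users\alice\Downloads\inner.tar"),
    _ev(11, "2026-03-19 10:03:20", "CORP\\alice", r"C:\Program Files\7-Zip\7zFM.exe", "{V2}", TargetFilename=r"C:\Users\alice\Downloads\payload.exe"),
    # Benign noise: an ordinary document saved by Explorer is ignored by both rules.
    _ev(11, "2026-03-19 10:10:00", "CORP\\alice", r"C:\Windows\explorer.exe", "{V0}", TargetFilename=r"C:\Users\alice\Downloads\report.docx"),
]

if __name__ == "__main__":
    for alert in detect_archive_chaining(SAMPLE_EVENTS) + detect_extraction_from_cab(SAMPLE_EVENTS):
        print(alert)
```

On the sample, rule 1 fires once for the staging user and rule 2 fires once for the victim, naming the three extracted archive layers and listing `payload.exe` as a file the extractor wrote with no Zone.Identifier stream. Real Sysmon timestamps carry milliseconds and the extractor set should be tuned to what is installed, so adjust `_time` and `EXTRACTORS` before pointing this at live data.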