Russian SmokeLoader Campaign in Ukraine Exploits 7-Zip Zero-Day Vulnerability


Espionage and Cybercrime Campaign Linked to 7-Zip Mark-of-the-Web Exploit Targeting Ukraine


A severe security vulnerability in the widely utilized Windows archiving tool, 7-Zip, has reportedly been leveraged by Russian cyber adversaries to launch attacks targeting several Ukrainian institutions. This zero-day exploit appears to facilitate the bypassing of a critical security measure known as the Mark-of-the-Web (MOTW), which is designed to provide file safety warnings for potentially harmful content downloaded from the internet.

Trend Micro’s cybersecurity researchers identified the MOTW bypass vulnerability, tracked as CVE-2025-0411, during their investigation of ongoing attacks in September 2024. They reported that the vulnerability allows remote attackers to sidestep the security mechanism in vulnerable versions of 7-Zip, although a user must still interact with a malicious file or link for the exploit to trigger.

According to Peter Girnus, a senior threat researcher at Trend Micro, Russian threat actors have actively utilized this exploit against governmental and private sector entities in Ukraine, likely for purposes of cyberespionage. The researchers conveyed the details of the vulnerability to 7-Zip’s developer, Igor Pavlov, who introduced a patch in version 24.09 of the software released on November 30, 2024.

MOTW serves as an essential security layer within Windows, flagging files that originated from the internet and prompting users to take caution before opening potentially malicious content. Its value lies in impeding phishing attacks: the warning gives users an opportunity to decline an unsafe execution. It also integrates with Microsoft Defender SmartScreen, allowing further security assessments before a flagged file executes.

The ongoing campaign against Ukraine, initiated by Russian hackers, involved the deployment of SmokeLoader malware aimed at compromising various Ukrainian organizations, including the Zaporizhzhia Automobile Building Plant, a significant manufacturer in the region. Additional targets reportedly encompassed critical infrastructure entities such as Ukraine’s Ministry of Justice and other public service organizations.

The attackers employed sophisticated tactics, including the use of homoglyph attacks, where deceptive characters replace legitimate ones to trick users into clicking on malicious links. In one case reported by Trend Micro, a ZIP archive masqueraded as a Microsoft Word document through clever character substitution, effectively triggering the CVE-2025-0411 exploit without raising user suspicion.
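The two mechanisms the article relies on, the Mark-of-the-Web stream that 7-Zip failed to propagate and the homoglyph file names used to disguise the archive, can both be checked from the defender's side. The following script is an added example, not code from the article or from Trend Micro; the Zone.Identifier text and the file name are constructed samples, and the 24.09 threshold is the fixed version the article names.

```python
"""Defender-side checks for the CVE-2025-0411 scenario: does an extracted file still
carry the Mark-of-the-Web, does its name hide a homoglyph, is 7-Zip older than the fix."""
import unicodedata
from pathlib import PureWindowsPath

FIXED_7ZIP = (24, 9)  # 7-Zip 24.09 is the patched release named in the article

# Constructed sample data (not real indicators from the article): a Zone.Identifier
# alternate data stream as Windows writes it for an Internet download, and a ZIP whose
# ".doc" extension contains a Cyrillic "о" (U+043E) so it reads as a Word document.
SAMPLE_ZONE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/a.zip\r\n"
SAMPLE_NAME = "Report.d\u043ec"


def parse_zone_id(stream_text):
    """Return the ZoneId from Zone.Identifier text, or None if absent or malformed."""
    for line in stream_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "zoneid":
            try:
                return int(value.strip())
            except ValueError:
                return None
    return None


def has_motw(stream_text):
    """MOTW is present when ZoneId is 3 (Internet) or 4 (Restricted sites)."""
    zone = parse_zone_id(stream_text or "")
    return zone is not None and zone >= 3


def read_zone_stream(path):
    """Read the Zone.Identifier ADS of a file on NTFS; '' when no stream exists."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return ""


def letter_scripts(text):
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in text if c.isalpha()}


def homoglyph_suspect(name):
    """Flag a non-ASCII letter in the extension, or a stem that mixes scripts.
    Stem and suffix are judged separately so a Cyrillic stem with '.docx' stays clean."""
    p = PureWindowsPath(name)
    return any(ord(c) > 127 for c in p.suffix) or len(letter_scripts(p.stem)) > 1


def seven_zip_vulnerable(version):
    """True when a '<major>.<minor>' 7-Zip version string predates the 24.09 fix."""
    major, minor = (int(x) for x in version.split(".")[:2])
    return (major, minor) < FIXED_7ZIP
```

On a Windows host, `has_motw(read_zone_stream(path))` applied to every file 7-Zip extracted from a downloaded archive shows whether the MOTW survived extraction.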

Russian threat actors continue to use SmokeLoader, a notorious malware family known for its obfuscation and self-protection techniques, and the attacks have been linked to broader efforts by various state-sponsored groups targeting Ukrainian infrastructure, particularly those focused on financial theft. Despite earlier disclosures of related vulnerabilities, including CVE-2024-11477, the threat landscape remains dynamic, and the vectors exploited in these recent campaigns are still under examination.

This attack underscores the persistent nature of nation-state cyber threats, particularly in regions of geopolitical conflict. The campaign maps to tactics listed in the MITRE ATT&CK framework, including initial access, exploitation of remote services, and persistence through backdoors; business owners should remain vigilant in their cybersecurity preparations against such emergent vulnerabilities and adversary strategies.
