A newly addressed security vulnerability in the popular 7-Zip archiving tool has been actively exploited to distribute the SmokeLoader malware, raising significant concerns in the cybersecurity community. This vulnerability, identified as CVE-2025-0411, has a CVSS score of 7.0 and enables remote attackers to bypass mark-of-the-web (MotW) protections and run arbitrary code within the context of the current user. The issue was patched by 7-Zip in November 2024 with the release of version 24.09.

The vulnerability has been notably leveraged by Russian cybercriminal groups executing sophisticated spear-phishing campaigns. Trend Micro security researcher Peter Girnus highlighted that attackers utilized homoglyph attacks to obscure malicious document extensions, tricking users and the Windows operating system into executing these harmful files.

CVE-2025-0411 appears to have been weaponized specifically to target governmental and non-governmental organizations in Ukraine, especially amid the ongoing Russo-Ukrainian conflict. The initial exploitation of this flaw as a zero-day was detected on September 25, 2024, marking a serious escalation in cyber threats directly affecting these entities.

The MotW feature in Windows is designed to prevent the automatic execution of files downloaded from the internet, requiring additional verification through Microsoft Defender SmartScreen. It operates by tagging files from untrusted sources with a “Zone.Identifier” marker (an NTFS alternate data stream attached to the file), indicating they should undergo further scrutiny. However, attackers bypass these protections by using a technique that involves double archiving files with 7-Zip: the malicious payload sits inside an inner archive nested within an outer one, so the inner files never receive the marker when extracted.

Girnus elaborated that prior to version 24.09, 7-Zip did not propagate MotW protections to files extracted from double-encapsulated archives, allowing adversaries to create archives containing harmful scripts or executables that evade these security measures. Consequently, Windows users running older versions of 7-Zip remain at risk.

In the context of this attack, threat actors sent phishing emails purportedly from legitimate Ukrainian government accounts. These emails contained specially crafted archive files that masqueraded as Microsoft Word documents, initiating the exploit. The phishing scheme was designed to leverage trusted email addresses to increase the likelihood of success, manipulating victims into executing a .URL shortcut that pointed to an attacker-controlled server, ultimately downloading the SmokeLoader executable disguised as a PDF.
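As an added illustration (not code from the article, from Trend Micro, or from the 7-Zip project), the following Python script shows a defender-side triage check for the lure structure the text describes: it descends into nested archives, flags member names containing non-ASCII letters that could be homoglyphs of a document extension, and flags a shortcut or script extension hidden behind a document-looking one. Python's standard library reads only ZIP, so the constructed sample is a ZIP nested in a ZIP rather than a 7z; the nesting and filename checks apply the same way. The sample archive, its member names and the `LAUNCHER_EXTS` list are assumptions made for the example.

```python
import io
import unicodedata
import zipfile

# File types Windows launches directly, or that act as launchers. The .url
# shortcut type is the one named in the campaign above; the rest of the list
# is an assumption for this example, not something the article enumerates.
LAUNCHER_EXTS = {".url", ".lnk", ".exe", ".js", ".jse", ".vbs", ".ps1",
                 ".hta", ".cmd", ".bat", ".scr"}


def extensions(member_name):
    """All dot-suffixes of a member's base name, lower-cased.
    'dir/a.DOC.URL' -> ['.doc', '.url']"""
    base = member_name.rsplit("/", 1)[-1]
    return ["." + part.lower() for part in base.split(".")[1:]]


def non_ascii_chars(text):
    """Characters outside ASCII with their Unicode names, for homoglyph review."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in text if ord(ch) > 0x7F]


def inspect_zip(data, depth=0, prefix=""):
    """Walk a ZIP held in memory, recursing into nested ZIP members.
    Returns (category, member_path, nesting_depth, detail) tuples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = prefix + info.filename
            exts = extensions(info.filename)
            glyphs = non_ascii_chars(info.filename.rsplit("/", 1)[-1])
            # A document-looking name spelled with non-Latin letters is the
            # homoglyph trick described in the article.
            if glyphs:
                findings.append(("homoglyph", member, depth, glyphs))
            # The real (last) extension is a launcher; if another extension
            # precedes it, the name is disguised as a document.
            if exts and exts[-1] in LAUNCHER_EXTS:
                kind = "double-extension" if len(exts) > 1 else "launcher"
                findings.append((kind, member, depth, exts[-1]))
            # Archive inside an archive: the nesting that defeated MotW
            # propagation in 7-Zip before 24.09.
            if exts and exts[-1] == ".zip":
                findings.append(("nested-archive", member, depth, None))
                findings.extend(inspect_zip(zf.read(info), depth + 1, member + "!/"))
    return findings


def build_sample():
    """Constructed sample (not a real artefact): an outer ZIP holding an inner
    ZIP holding a .url shortcut whose visible 'extension' spells .doc with
    Cyrillic letters."""
    # \u043e = CYRILLIC SMALL LETTER O, \u0441 = CYRILLIC SMALL LETTER ES
    lure_name = "Notice.d\u043e\u0441.url"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(lure_name, "placeholder shortcut content (constructed)")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("attachment.zip", inner.getvalue())
        zf.writestr("readme.txt", "benign text file")
    return outer.getvalue()


def report(findings):
    """Human-readable lines, one per finding."""
    lines = []
    for category, member, depth, detail in findings:
        lines.append(f"[{category}] depth={depth} {member} {detail or ''}".rstrip())
    return lines


if __name__ == "__main__":
    for line in report(inspect_zip(build_sample())):
        print(line)
```

The script is a mail-gateway or sandbox style pre-check and does not replace patching: on an unpatched host the extracted inner files simply lack the Zone.Identifier stream. On a Windows machine the extracted result can be verified directly, for example with PowerShell's `Get-Item -Path <file> -Stream Zone.Identifier`, which errors when the marker is absent.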

Ukrainian governmental bodies, including the Ministry of Justice and municipal organizations such as the Kyiv Public Transportation Service, have been identified as the primary targets of these campaigns. This suggests a broader pattern where smaller local government entities, often lacking sufficient cyber defenses, are exploited as entry points to larger organizations.

Given the ongoing exploitation of CVE-2025-0411, it is crucial for users to promptly update their software to the latest version, adopt strong email filtering processes to thwart phishing attempts, and disable the execution of files received from unknown sources. As the threat landscape evolves, organizations must remain vigilant and proactive in their cybersecurity strategies.

In a related development, the financially motivated threat actor group known as UAC-0006 has been linked to a payment-themed phishing campaign aimed at Ukraine’s PrivatBank, further emphasizing the persistent and evolving nature of these cyber threats.

Recent attacks have included ZIP attachments that trigger malicious scripts, such as JavaScript or Windows shortcuts, to execute hidden PowerShell commands. The overlap in tactics between UAC-0006 and known Russian APT groups suggests a coordinated and highly sophisticated assault aimed at destabilizing critical infrastructure within Ukraine.
