A recently patched security vulnerability in the popular 7-Zip archiver tool has been actively exploited by Russian cybercriminals to deploy the SmokeLoader malware, bypassing Windows' Mark-of-the-Web (MotW) protections.
Understanding the 7-Zip Vulnerability (CVE-2025-0411)
The flaw, identified as CVE-2025-0411 (CVSS Score: 7.0), enables remote attackers to circumvent Windows security mechanisms and execute malicious code with the current user's privileges. 7-Zip addressed this vulnerability in version 24.09, released in November 2024.
According to Trend Micro security researcher Peter Girnus, Russian cybercrime groups leveraged this flaw in targeted spear-phishing attacks. By employing homoglyph techniques, attackers spoofed file extensions to deceive users and the Windows operating system into executing harmful payloads.
CVE-2025-0411 Exploited for Cyber Espionage in Ukraine
Threat actors have reportedly used CVE-2025-0411 in cyber espionage campaigns against governmental and non-governmental organizations in Ukraine amid the ongoing Russo-Ukrainian conflict.
MotW is a crucial Microsoft Windows security feature that flags files downloaded from untrusted sources so that they are not run without additional checks. It works by writing a Zone.Identifier tag (ZoneId=3) to the file as an NTFS alternate data stream (ADS), which tells Microsoft Defender SmartScreen and other MotW-aware software to apply additional scrutiny.
However, attackers found a way to bypass MotW protections using a double-archiving technique with 7-Zip. By embedding one archive within another, they effectively concealed their malicious payloads from Windows security mechanisms.
“The root cause of CVE-2025-0411 is that, prior to version 24.09, 7-Zip failed to propagate MotW protections to nested archives. This allowed attackers to craft archive files containing malicious scripts or executables that evaded Windows security,” explained Girnus.
How the Exploitation Works
First detected in the wild on September 25, 2024, this zero-day attack primarily led to the deployment of SmokeLoader, a persistent malware loader frequently used in attacks targeting Ukraine.
Attack Chain Overview:
Phishing Email – The attack begins with a phishing email containing a specially crafted archive file.
Homoglyph Attack – The inner ZIP archive is disguised, through a spoofed file extension, as a Microsoft Word document to trick users.
Execution of Malicious Files – When opened, a .URL (internet shortcut) file inside the ZIP directs the user to an attacker-controlled server.
Payload Delivery – The server delivers a second-stage ZIP file containing the SmokeLoader malware, masquerading as a PDF document.
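As an added example (not Trend Micro's or 7-Zip's code), the following Python script triages a ZIP attachment for the traits of the chain above: members that are themselves archives (identified by content rather than by the file extension the attacker spoofs), .URL internet shortcuts, and file names that mix letters from more than one script, which is what a homoglyph-spoofed extension looks like. The sample archive is constructed for the demonstration, and attacker.invalid is a placeholder host.

```python
import io
import unicodedata
import zipfile

ARCHIVE_MAGIC = (b"7z\xbc\xaf\x27\x1c", b"Rar!\x1a\x07")  # 7z and RAR file signatures
NESTED_DEPTH_LIMIT = 3  # do not descend forever into archive-in-archive chains


def has_homoglyph(name: str) -> bool:
    """True if a file name mixes letters from more than one script, e.g. a
    Cyrillic 'о' (U+043E) inside an otherwise Latin '.doc' extension."""
    scripts = {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
               for ch in name if ch.isalpha()}
    return len(scripts) > 1


def looks_like_archive(data: bytes) -> bool:
    """Identify archives by content, not extension: the extension is what gets spoofed."""
    return zipfile.is_zipfile(io.BytesIO(data)) or data.startswith(ARCHIVE_MAGIC)


def triage_zip(data: bytes, depth: int = 0, prefix: str = "") -> list[str]:
    """Return findings for one ZIP; nested ZIPs are walked recursively."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{prefix or '<top>'}: not a valid ZIP"]
    findings = []
    for info in zf.infolist():
        path = f"{prefix}/{info.filename}" if prefix else info.filename
        if has_homoglyph(info.filename):
            findings.append(f"homoglyph in name: {path}")
        if info.filename.lower().endswith(".url"):
            findings.append(f"internet shortcut: {path}")
        if info.is_dir() or info.file_size > 50_000_000:  # skip directories and huge members
            continue
        member = zf.read(info)
        if looks_like_archive(member):
            findings.append(f"nested archive: {path}")
            if depth < NESTED_DEPTH_LIMIT and zipfile.is_zipfile(io.BytesIO(member)):
                findings.extend(triage_zip(member, depth + 1, path))
    return findings


def build_sample() -> bytes:
    """Constructed sample (not real malware): outer ZIP -> inner ZIP named like a
    Word document with a Cyrillic 'о' -> .url shortcut to a placeholder host."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.url", "[InternetShortcut]\r\nURL=http://attacker.invalid/\r\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Report.d\u043ec", inner.getvalue())  # 'dоc' with Cyrillic о, no .zip suffix
    return outer.getvalue()
```

Run `triage_zip(build_sample())` to see the three findings for the constructed sample; on a real mail gateway the same function would be applied to each attachment's bytes.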
Trend Micro’s investigation revealed that these phishing emails were sent from compromised email accounts belonging to Ukrainian governmental bodies and businesses, increasing their credibility and effectiveness.
“Using compromised accounts gives attackers an added layer of deception, making their phishing attempts more convincing to unsuspecting victims,” Girnus noted.
Affected Organizations and Recommended Mitigations
At least nine Ukrainian government agencies and organizations have been affected by this attack campaign, including:
Ministry of Justice
Kyiv Public Transportation Service
Kyiv Water Supply Company
City Council
Security Recommendations:
Update 7-Zip to version 24.09 or later.
Enable email filtering to block phishing attempts.
Restrict execution of files from untrusted sources.
Implement strict endpoint security policies to detect anomalous behavior.
New Developments: UAC-0006 Behind ‘GetSmoked’ Phishing Campaign
Further investigations have linked the financially motivated threat actor UAC-0006 to a payment-themed phishing campaign, GetSmoked, targeting PrivatBank, Ukraine’s largest financial institution. The campaign aimed to distribute SmokeLoader malware through malicious ZIP attachments.
Between October 2024 and January 2025, UAC-0006 used:
JavaScript & LNK files in ZIP attachments to launch PowerShell scripts.
Fake PDF lure documents to deceive users while stealthily downloading SmokeLoader.
CloudSEK researcher Koushik Pal notes that UAC-0006 shares tactics, techniques, and procedures (TTPs) with FIN7, a Russian advanced persistent threat (APT) group, suggesting potential ties to state-backed cyber operations.
As cyber threats evolve, organizations must remain vigilant, prioritize security updates, and strengthen phishing defenses to mitigate sophisticated cyber attacks. Stay updated, stay protected.