Russian Hackers Exploit 7-Zip Flaw for Malware Attacks
Critical Security Flaw in 7-Zip Tool Exploited to Distribute SmokeLoader Malware
A recently discovered security vulnerability in the widely used 7-Zip archiver tool has been exploited to deliver the notorious SmokeLoader malware. This flaw, identified as CVE-2025-0411 with a CVSS score of 7.0, allows attackers to bypass mark-of-the-web (MotW) protections, enabling them to execute arbitrary code within the context of the current user. 7-Zip addressed this vulnerability in November 2024 with the release of version 24.09.
Understanding the CVE-2025-0411 Vulnerability
The CVE-2025-0411 vulnerability has been actively exploited by Russian cybercriminal groups through sophisticated spear-phishing campaigns. According to Trend Micro security researcher Peter Girnus, attackers employed homoglyph techniques to spoof document extensions, tricking both users and the Windows operating system into executing malicious files.
This vulnerability appears to be part of a broader cyber espionage strategy targeting governmental and non-governmental organizations in Ukraine amid the ongoing Russo-Ukrainian conflict.
How the Vulnerability Works
The MotW feature, implemented by Microsoft in Windows, is designed to prevent the automatic execution of files downloaded from the internet without further checks through Microsoft Defender SmartScreen. However, CVE-2025-0411 circumvents this protection by allowing attackers to create double-archived files using 7-Zip: a malicious payload is placed inside an inner archive that is itself nested within an outer archive, and the content extracted from the inner archive does not receive MotW protections.
Girnus explained, "The root cause of CVE-2025-0411 is that prior to version 24.09, 7-Zip did not properly propagate MotW protections to the content of double-encapsulated archives." Consequently, threat actors can craft archives containing harmful scripts or executables that leave Windows users vulnerable.
Recent Attack Patterns
The first instances of attacks leveraging this vulnerability were identified on September 25, 2024. These attacks typically begin with a phishing email containing a specially crafted archive file. Attackers use a homoglyph attack to disguise an inner ZIP archive as a Microsoft Word document, effectively triggering the vulnerability.
Trend Micro reports that these phishing messages originated from email addresses associated with Ukrainian government bodies and business accounts and targeted municipal organizations and enterprises, suggesting that those sending accounts had previously been compromised.
Girnus noted, "The use of these compromised email accounts lends an air of authenticity to the emails, manipulating potential victims into trusting the content and their senders." This strategy leads to the execution of a .URL file that directs victims to download another ZIP file from an attacker-controlled server, which contains the SmokeLoader executable disguised as a PDF document.
At least nine Ukrainian government entities, including the Ministry of Justice and the Kyiv Public Transportation Service, have been assessed as impacted by this campaign.
Protecting Against Exploitation
In light of the active exploitation of CVE-2025-0411, users are strongly advised to take the following precautions:
- Update to the latest version of 7-Zip (version 24.09 or later).
- Implement robust email filtering to block phishing attempts.
- Disable the execution of files from untrusted sources.
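The two tricks described above, a ZIP nested inside another ZIP and an inner name whose extension uses look-alike characters, can both be checked for at a mail gateway before anything is extracted. The following is an added example written for this article, not code from Trend Micro or the 7-Zip project; the rules, names and the constructed sample archive are assumptions for illustration.

```python
import io
import unicodedata
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
# Office Open XML formats are legitimately ZIP containers, so a ZIP signature
# under these extensions is expected and is not flagged on its own.
ZIP_BACKED_EXTS = {"zip", "docx", "xlsx", "pptx"}


def suspicious_entries(outer_zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (entry_name, reason) pairs for entries of the outer archive that
    match the double-archive / homoglyph pattern. Nothing is written to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(outer_zip_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = name.rpartition(".")[2]
            # Rule 1: extension spelled with non-ASCII letters (e.g. Cyrillic 'о'
            # in ".dоc"), which renders like a document extension to a user.
            odd = [c for c in ext if ord(c) > 127]
            if odd:
                findings.append((name, "homoglyph in extension: " + unicodedata.name(odd[0], "?")))
            # Rule 2: entry content starts with a ZIP local-file header but the
            # entry is not named like an archive, i.e. a nested archive hiding
            # behind a document-looking name.
            with outer.open(info) as fh:
                head = fh.read(len(ZIP_MAGIC))
            if head == ZIP_MAGIC and ext.lower() not in ZIP_BACKED_EXTS:
                findings.append((name, "nested ZIP under non-archive extension"))
    return findings


def build_sample() -> bytes:
    """Constructed test input (assumption, not a real campaign artifact): an outer
    ZIP holding a benign text file and an inner ZIP whose name uses a Cyrillic
    'о' (U+043E) to imitate 'Report.doc'."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("notes.txt", "inner archive content")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "benign file, should not be flagged")
        z.writestr("Report.d\u043ec", inner.getvalue())  # \u043e = CYRILLIC SMALL LETTER O
    return outer.getvalue()


if __name__ == "__main__":
    for entry, reason in suspicious_entries(build_sample()):
        print(f"{entry!r}: {reason}")
```

Either rule on its own produces false positives (legitimate non-English filenames, renamed OOXML files), so treat a hit as a reason to quarantine for review rather than an automatic block.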
Girnus highlighted a concerning trend, stating, "Smaller local government bodies, often overlooked and under-resourced, are frequently targeted by threat actors. These organizations can serve as valuable pivot points for attacks on larger governmental entities."