A recently patched security vulnerability in the 7-Zip archiver tool was exploited in the wild to deliver the SmokeLoader malware. The flaw, tracked as CVE-2025-0411 (CVSS score 7.0), allows remote attackers to bypass mark-of-the-web (MotW) protections and execute arbitrary code in the context of the current user. 7-Zip addressed the vulnerability in November 2024 with version 24.09.
According to Trend Micro security researcher Peter Girnus, the vulnerability was actively exploited by Russian cybercrime groups through spear-phishing campaigns. These attackers used homoglyph attacks to spoof document extensions and deceive users and the Windows Operating System into executing malicious files. The exploitation of CVE-2025-0411 was suspected to target governmental and non-governmental organizations in Ukraine as part of a cyber espionage campaign amidst the ongoing conflict between Russia and Ukraine.
MotW is a security feature in Windows designed to prevent files downloaded from the internet from being executed automatically, without further checks by Microsoft Defender SmartScreen. Attackers exploiting CVE-2025-0411 bypassed MotW by double-archiving content with 7-Zip, concealing malicious payloads within nested archives.
The root cause of this vulnerability, as explained by Girnus, was the failure of 7-Zip prior to version 24.09 to propagate MotW protections to the content of double-encapsulated archives. This allowed threat actors to create archives containing malicious scripts or executables that did not receive MotW protections, thereby leaving Windows users vulnerable to attacks.
The attacks exploiting this flaw as a zero-day were initially detected in September 2024, with the infection chains leading to the deployment of SmokeLoader, a loader malware frequently used in attacks targeting Ukraine. The attack begins with a phishing email containing a specially crafted archive file that uses a homoglyph attack to disguise the inner ZIP archive as a Microsoft Word document, triggering the vulnerability when the archive is opened.
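To make the two techniques in the paragraphs above concrete from a defender's side, here is an added example (not code from the article, from Trend Micro or from the 7-Zip project) of a mail-gateway triage check written in Python. It walks an emailed ZIP, flags an archive nested inside another archive (the double-encapsulation that 7-Zip before 24.09 did not propagate MotW into), flags an extension containing a non-ASCII homoglyph (a Cyrillic letter standing in for a Latin one so that a ZIP reads as a Word document), and flags risky file types such as internet shortcuts (.URL). The sample archives, their file names and the shortcut URL are constructed for the example and are not the real campaign's artifacts; the signature table is a small, partial subset.

```python
import io
import unicodedata
import zipfile

# Signatures of common archive containers (constructed, partial list).
ARCHIVE_MAGICS = {
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}

# File types that should not arrive inside an emailed "document" archive.
RISKY_EXTENSIONS = {".url", ".lnk", ".exe", ".scr", ".js", ".vbs", ".hta", ".cmd", ".bat"}

MAX_DEPTH = 3  # stop expanding archives nested deeper than this


def archive_type(data: bytes):
    """Return the container type if the bytes start with a known archive signature."""
    for magic, name in ARCHIVE_MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def spoofed_extension(name: str):
    """Describe the problem if the file extension contains a non-ASCII letter.

    A genuine extension such as '.doc' is pure ASCII. A homoglyph such as
    Cyrillic 'с' (U+0441) in '.doс' renders identically on screen but is a
    different, unregistered extension, which is the disguise the article describes.
    """
    dot = name.rfind(".")
    if dot == -1:
        return None
    ext = name[dot:]
    for ch in ext:
        if ord(ch) > 127:
            label = unicodedata.name(ch, "U+%04X" % ord(ch))
            return f"non-ASCII {label} in extension {ext!r}"
    return None


def scan_zip(data: bytes, prefix: str = "", depth: int = 0):
    """Walk a ZIP and any ZIPs nested in it; return a list of (path, reason) findings."""
    findings = []
    if depth > MAX_DEPTH:
        return [(prefix, f"nesting deeper than {MAX_DEPTH}; not expanded")]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            reason = spoofed_extension(info.filename)
            if reason:
                findings.append((path, reason))
            ext = info.filename[info.filename.rfind("."):].lower() if "." in info.filename else ""
            if ext in RISKY_EXTENSIONS:
                findings.append((path, f"risky file type {ext}"))
            content = zf.read(info)
            kind = archive_type(content)
            if kind:
                # An archive inside an archive is the double-encapsulation case.
                findings.append((path, f"nested {kind} archive at depth {depth + 1}"))
                if kind == "zip":
                    findings.extend(scan_zip(content, path + "/", depth + 1))
    return findings


def build_sample() -> bytes:
    """Constructed sample: outer ZIP holding an inner ZIP named 'report.do' + Cyrillic 'с'
    (reads as 'report.doc'), which in turn holds an internet shortcut file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("report.pdf.url", "[InternetShortcut]\nURL=http://example.invalid/sample\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("report.do\u0441", inner.getvalue())
    return outer.getvalue()


def build_clean_sample() -> bytes:
    """Constructed benign sample: a Cyrillic file name with a plain ASCII extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Звіт.docx", "not really a document, just sample text")
    return buf.getvalue()


if __name__ == "__main__":
    for path, reason in scan_zip(build_sample()):
        print(f"{path}: {reason}")
    print("clean sample findings:", scan_zip(build_clean_sample()))
```

The check deliberately does not flag every Cyrillic file name, since Ukrainian users legitimately name documents in Cyrillic; only a non-ASCII character inside the extension itself, or an archive inside an archive, is treated as a finding.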
These phishing emails were sent from compromised email accounts associated with Ukrainian governing bodies to municipal organizations and businesses, creating an air of authenticity to manipulate potential victims. The execution of an internet shortcut (.URL) file within the ZIP archive results in downloading an attacker-controlled ZIP file containing the SmokeLoader executable, disguised as a PDF document.
The campaign affected at least nine Ukrainian government entities and organizations, including the Ministry of Justice, Kyiv Public Transportation Service, Kyiv Water Supply Company, and City Council. To mitigate the risk of exploitation, users are advised to update 7-Zip to the latest version, implement email filtering to block phishing attempts, and disable the execution of files from untrusted sources.
One notable observation from this campaign is the targeting of smaller local government bodies, which are often overlooked for their lack of cyber resources and expertise compared to larger organizations. These smaller entities can serve as valuable pivot points for threat actors to leverage in targeting larger government organizations.
In conclusion, the exploitation of the 7-Zip vulnerability to deliver the SmokeLoader malware underscores the importance of proactive cybersecurity measures and staying vigilant against evolving threats.