Russian cyber criminals are taking advantage of 7-Zip zero-day vulnerability (CVE-2025-0411)

Trend Micro researchers recently discovered that a known vulnerability in the popular open-source archiver tool 7-Zip, identified as CVE-2025-0411, has been exploited in zero-day attacks to deliver malware to Ukrainian entities. This vulnerability, which was patched in November 2024, allows threat actors to bypass Windows Mark-of-the-Web (MoTW) protections by nesting one archive inside another (double archiving) and having the victim extract it with 7-Zip.

Peter Girnus, a researcher with Trend Micro Zero Day Initiative, explained that prior to version 24.09, 7-Zip did not properly propagate MoTW protections to the content of double-encapsulated archives. This loophole enables threat actors to craft archives containing malicious scripts or executables that will not receive MoTW protections, leaving Windows users vulnerable to attacks.

In a recent zero-day attack campaign, threat actors leveraged CVE-2025-0411 to execute arbitrary code in the context of the current user. The attackers targeted employees in Ukrainian municipal organizations and businesses by sending emails with malicious attachments from compromised accounts belonging to Ukrainian governing bodies. By using deceptive tactics, such as employing Cyrillic characters to mimic legitimate files, the attackers were able to trick users into triggering the exploit for CVE-2025-0411, leading to the execution of malicious files.

Trend Micro believes that the campaign was orchestrated by Russian cybercrime groups, with cyberespionage being the likely purpose of the attacks amidst the Russo-Ukrainian conflict.

To mitigate the risks associated with this vulnerability, organizations are advised to update their 7-Zip software to the latest version (24.09), as the tool does not have an auto-update feature. Additionally, employees should be educated on MoTW and phishing awareness, email security measures should be implemented to detect and block spear-phishing attacks, and systems should be configured to prompt users for verification before opening files from untrusted sources. Domain and URL filtering to detect and block homoglyph-based phishing attacks is also recommended by Trend Micro.
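As an added example (not code from Trend Micro or the 7-Zip project), the following Python triage script implements two of the checks described above for inbound attachments: it flags double-encapsulated archives and file names whose stem mixes Cyrillic and Latin letters, the homoglyph trick used in the campaign. It assumes ZIP containers, since the standard library parses those, and builds a constructed sample rather than using any real lure.

```python
import io
import unicodedata
import zipfile

# Extensions treated as archives; an archive inside an archive is the
# "double encapsulation" pattern the CVE-2025-0411 campaign relied on.
ARCHIVE_EXTS = (".zip", ".7z", ".rar", ".tar", ".gz", ".tgz")


def script_of(ch: str):
    """Return 'CYRILLIC' or 'LATIN' for a letter of those scripts, else None."""
    try:
        name = unicodedata.name(ch)
    except ValueError:
        return None
    first = name.split()[0]
    return first if first in ("CYRILLIC", "LATIN") else None


def is_mixed_script(name: str) -> bool:
    """True when the file-name stem mixes Cyrillic and Latin letters (homoglyph lure)."""
    stem = name.split(".", 1)[0]  # ignore extensions, which are normally Latin
    return len({s for s in map(script_of, stem) if s}) > 1


def scan_archive(data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Walk a ZIP recursively and report nested archives and mixed-script names."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_mixed_script(info.filename):
                findings.append(("mixed-script-name", depth, info.filename))
            if info.filename.lower().endswith(ARCHIVE_EXTS):
                findings.append(("nested-archive", depth, info.filename))
                inner = zf.read(info)
                if depth < max_depth and zipfile.is_zipfile(io.BytesIO(inner)):
                    findings.extend(scan_archive(inner, depth + 1, max_depth))
    return findings


def build_sample() -> bytes:
    """Constructed sample (not a real lure): outer.zip -> inner.zip -> executable
    whose name uses Cyrillic 'е' (U+0435) in place of Latin 'e'."""
    lure_name = "R\u0435port.docx.exe"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(lure_name, b"MZ placeholder, not a real PE")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for kind, depth, name in scan_archive(build_sample()):
        print(f"{kind:18} depth={depth} {name!r}")
```

A 7z-aware version would swap `zipfile` for a third-party 7z reader; the nesting and naming logic stays the same.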

Overall, staying updated on software patches, conducting regular security training for employees, and implementing robust email security measures are crucial steps for organizations to protect themselves against such zero-day attacks exploiting known vulnerabilities like CVE-2025-0411 in 7-Zip.
