A recently patched security vulnerability in the 7-Zip archiver tool was exploited in the wild to deliver the SmokeLoader malware.
The flaw, CVE-2025-0411 (CVSS score: 7.0), allows remote attackers to circumvent mark-of-the-web (MotW) protections and execute arbitrary code in the context of the current user. It was addressed by 7-Zip in November 2024 with version 24.09.
“The vulnerability was actively exploited by Russian cybercrime groups through spear-phishing campaigns, using homoglyph attacks to spoof document extensions and trick users and the Windows Operating System into executing malicious files,” Trend Micro security researcher Peter Girnus said.
It’s suspected that CVE-2025-0411 was likely weaponized to target governmental and non-governmental organizations in Ukraine as part of a cyber espionage campaign set against the backdrop of the ongoing Russo-Ukrainian conflict.
MotW is a security feature implemented by Microsoft in Windows to prevent the automatic execution of files downloaded from the internet without performing further checks through Microsoft Defender SmartScreen.
CVE-2025-0411 bypasses MotW by double archiving contents using 7-Zip, i.e, creating an archive and then an archive of the archive to conceal the malicious payloads.
“The root cause of CVE-2025-0411 is that prior to version 24.09, 7-Zip did not properly propagate MotW protections to the content of double-encapsulated archives,” Girnus explained. “This allows threat actors to craft archives containing malicious scripts or executables that will not receive MotW protections, leaving Windows users vulnerable to attacks.”
Attacks leveraging the flaw as a zero-day were first detected in the wild on September 25, 2024, with the infection sequences leading to SmokeLoader, a loader malware that has been repeatedly used to target Ukraine.
The starting point is a phishing email that contains a specially-crafted archive file that, in turn, employs a homoglyph attack to pass off the inner ZIP archive as a Microsoft Word document file, effectively triggering the vulnerability.
The phishing messages, per Trend Micro, were sent from email addresses associated with Ukrainian governing bodies and business accounts to both municipal organizations and businesses, suggesting prior compromise.
“The use of these compromised email accounts lend an air of authenticity to the emails sent to targets, manipulating potential victims into trusting the content and their senders,” Girnus pointed out.
This approach leads to the execution of an internet shortcut (.URL) file present within the ZIP archive, which points to an attacker-controlled server hosting another ZIP file. The newly downloaded ZIP contains the SmokeLoader executable that’s disguised as a PDF document.
At least nine Ukrainian government entities and other organizations have been assessed to be impacted by the campaign, including the Ministry of Justice, Kyiv Public Transportation Service, Kyiv Water Supply Company, and City Council.
In light of the active exploitation of CVE-2025-0411, users are recommended to update their installations to the latest version, implement email filtering features to block phishing attempts, and disable the execution of files from untrusted sources.
“One interesting takeaway we noticed in the organizations targeted and affected in this campaign is smaller local government bodies,” Girnus said.
“These organizations are often under intense cyber pressure yet are often overlooked, less cyber-savvy, and lack the resources for a comprehensive cyber strategy that larger government organizations have. These smaller organizations can be valuable pivot points by threat actors to pivot to larger government organizations.”
