A zero-day vulnerability in the popular open-source file archiver tool 7-Zip has been actively exploited by Russia-linked threat actors in a targeted malware campaign against Ukrainian entities.
The flaw, tracked as CVE-2025-0411, allows malicious actors to bypass the Windows Mark-of-the-Web (MotW) security feature, which is designed to prevent the automatic execution of files downloaded from the internet.
The exploit was uncovered by the Trend Micro Zero Day Initiative (ZDI) Threat Hunting team on September 25, 2024. The vulnerability, which had been actively exploited in the wild, is believed to be part of a broader cyberespionage operation targeting Ukrainian government bodies and civilian organizations amidst the ongoing Russo-Ukrainian conflict.
By using a technique called double archiving, attackers package a malicious payload inside two layers of archives. The Mark-of-the-Web applied to the outer, downloaded archive is not carried over to the files extracted from the inner archive, so Windows does not recognize them as originating from an untrusted source and skips the security checks it would otherwise apply.
The attack begins with a spear-phishing email containing a specially crafted archive file, which uses homoglyph attacks to trick users into thinking the file is safe. Specifically, the attackers exploit visual similarities between file extensions to disguise malicious files as legitimate document types.
Once the victim opens the archive, they are presented with an internet shortcut file (.URL) that leads to an attacker-controlled server hosting another archive. The new archive contains the SmokeLoader malware disguised as a PDF document. Once executed, the SmokeLoader payload can open a backdoor on the victim’s system, allowing the attacker to further infiltrate networks, steal sensitive data, or engage in espionage.
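The chain above gives a defender three concrete things to look for when triaging an archive attachment before anyone opens it: an extension spelled with look-alike characters from another script, an Internet shortcut (.URL) member pointing at an external host, and a nested archive (the double-archiving layer). The following script is an added example written for this article, not code from the article, Trend Micro or the 7-Zip project. It builds a small ZIP in memory from constructed sample members (the standard library has no 7z reader; the checks themselves do not depend on the archive format), reports those indicators, and, on Windows only, reads the Zone.Identifier stream so an analyst can confirm whether extracted files still carry the Mark-of-the-Web (ZoneId 3 is the Internet zone). The filenames, the URL and the zone text are all constructed for the example.

```python
"""Defensive triage of an archive attachment (added example).

Checks demonstrated:
  1. file extensions containing non-ASCII letters (homoglyph disguise);
  2. .URL members, with their target extracted for review;
  3. nested archives (the double-archiving layer);
  4. (Windows/NTFS only) the Zone.Identifier stream that carries the MotW.
"""
import configparser
import io
import os
import unicodedata
import zipfile
from typing import List, Optional, Tuple

NESTED_ARCHIVE_EXTS = (".zip", ".7z", ".rar")


def extension_of(filename: str) -> str:
    """Text after the last dot of the base name, or '' when there is none."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1] if "." in base else ""


def scripts_in(text: str) -> set:
    """Unicode scripts used by the letters in `text`, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "").split(" ")[0] for ch in text if ch.isalpha()}


def suspicious_extension(filename: str) -> bool:
    """Legitimate document extensions are plain ASCII; any non-ASCII letter in
    the extension suggests a look-alike character was substituted."""
    return not extension_of(filename).isascii()


def shortcut_target(data: bytes) -> Optional[str]:
    """Parse the INI-style body of a .URL file and return its URL= value."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(data.decode("utf-8-sig", errors="replace"))
    except configparser.Error:
        return None
    for section in parser.sections():
        if section.lower() == "internetshortcut" and parser.has_option(section, "url"):
            return parser.get(section, "url")
    return None


def parse_zone_identifier(text: str) -> Optional[int]:
    """Return ZoneId from the body of a Zone.Identifier stream (3 = Internet)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
        if parser.has_option("ZoneTransfer", "ZoneId"):
            return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        pass
    return None


def motw_zone(path: str) -> Optional[int]:
    """Read the Mark-of-the-Web of an extracted file. NTFS alternate data
    streams only exist on Windows, so this returns None elsewhere."""
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


def triage_archive(archive_bytes: bytes) -> List[Tuple[str, str, object]]:
    """Return (indicator, member name, detail) tuples for a ZIP in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if suspicious_extension(name):
                findings.append(("homoglyph_extension", name,
                                 sorted(scripts_in(extension_of(name)))))
            if name.lower().endswith(".url"):
                findings.append(("internet_shortcut", name, shortcut_target(zf.read(info))))
            if name.lower().endswith(NESTED_ARCHIVE_EXTS):
                findings.append(("nested_archive", name, None))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one member per indicator plus a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # 'pdf' spelled with Cyrillic 'er' (U+0440) in place of Latin 'p'
        zf.writestr("Invoice.\u0440df", b"not really a pdf")
        zf.writestr("Document.url",
                    "[InternetShortcut]\r\nURL=http://second-stage.example.invalid/inner.zip\r\n")
        zf.writestr("inner.zip", b"PK\x05\x06" + b"\x00" * 18)  # empty inner archive
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for indicator, member, detail in triage_archive(build_sample_archive()):
        print(f"{indicator:20} {member!r} {detail}")
```

Run stand-alone, the script lists the three indicators from the sample archive and leaves `readme.txt` unreported. `motw_zone()` is the check to run on files after extraction on a Windows host: a result other than 3 for a file that came from an Internet download is the propagation gap this vulnerability exploits.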
At least nine Ukrainian organizations have been targeted in this ongoing campaign. Among the affected entities are several government institutions, including the Ministry of Justice, the Kyiv Public Transportation Service, the Kyiv Water Supply Company, and the City Council.
The 7-Zip development team released a patch on November 30, 2024, as part of 7-Zip version 24.09, which fully mitigates the CVE-2025-0411 vulnerability by ensuring that MotW protections are properly applied to files within double-archived containers.
Security experts advise all users to update to the latest version of 7-Zip to protect against potential exploitation. In addition, organizations are urged to implement phishing defenses, educate employees on identifying suspicious email attachments, and regularly update security protocols to mitigate the impact of future cyberattacks.