    Russian Cybercrime Syndicates Exploit 7-Zip Vulnerability to Evade Windows MotW Safeguards

    A recently remediated security loophole in the 7-Zip compression utility has been weaponized in live attacks, facilitating the dissemination of the SmokeLoader malware.

    Cataloged as CVE-2025-0411 (CVSS rating: 7.0), the vulnerability enables remote adversaries to circumvent Mark-of-the-Web (MotW) defenses, permitting the execution of arbitrary code within the context of the logged-in user. The flaw was rectified in version 24.09 of 7-Zip, released in November 2024.

    According to Trend Micro security expert Peter Girnus, “The vulnerability has been actively leveraged by Russian cybercrime factions, utilizing sophisticated spear-phishing tactics, including homoglyph deception, to obscure file extensions and mislead both users and the Windows OS into launching nefarious payloads.”

    There is strong circumstantial evidence that CVE-2025-0411 has been deployed in cyber-espionage campaigns targeting Ukrainian governmental and non-governmental organizations, exploiting geopolitical tensions in the Russo-Ukrainian conflict.

    The Mechanics of the Exploit

    Microsoft’s MotW security feature tags files downloaded from the web so that Windows does not run them automatically but first subjects them to additional verification, such as Microsoft Defender SmartScreen.

    The attack relies on double archiving: the malicious file is placed inside an archive that is itself packed inside another archive. Because of CVE-2025-0411, the contents of the inner archive are extracted without the MotW tag, so the restrictions that normally apply to web-downloaded files never take effect.

    “The crux of the issue,” Girnus elaborated, “is that pre-24.09 versions of 7-Zip failed to inherit MotW protections into the contents of doubly encapsulated archives. This oversight permitted malicious actors to package harmful executables within a layered archive, thus escaping Windows’ native security scrutiny.”
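    The following is an added example, not code from 7-Zip or from Trend Micro’s report. It shows the defender-side check implied above: walk a nested ZIP to see every layer before extraction, then compare the Zone.Identifier stream of the downloaded archive with the streams found on the extracted files and report any file that lost the mark. The Zone.Identifier contents are passed in as strings (on Windows they would be read from `path:Zone.Identifier`); the archive and file names are constructed for the example.

```python
import io
import zipfile
from typing import Optional

# Zone.Identifier stream Windows writes for an internet-sourced file (zone 3).
INTERNET_ZONE = 3
MOTW_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_id(ads: Optional[str]) -> Optional[int]:
    """Extract ZoneId from a Zone.Identifier stream; None if missing/malformed."""
    if not ads:
        return None
    for line in ads.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "zoneid" and value.strip().isdigit():
            return int(value.strip())
    return None


def list_members(archive: bytes, prefix: str = "", depth: int = 0) -> list:
    """Recursively list (path, nesting depth) for every file, descending into
    ZIPs stored inside ZIPs, so a double-archived payload is visible up front."""
    out = []
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            out.append((path, depth))
            data = z.read(info)
            if zipfile.is_zipfile(io.BytesIO(data)):
                out.extend(list_members(data, path + "/", depth + 1))
    return out


def missing_motw(parent_ads: Optional[str], extracted: dict) -> list:
    """Return extracted files whose zone is absent or weaker than the parent
    archive's zone, i.e. files that did not inherit the Mark-of-the-Web."""
    parent_zone = parse_zone_id(parent_ads)
    if parent_zone is None or parent_zone < INTERNET_ZONE:
        return []  # parent is not marked untrusted; nothing to inherit
    lost = []
    for path, ads in extracted.items():
        zone = parse_zone_id(ads)
        if zone is None or zone < parent_zone:
            lost.append(path)
    return sorted(lost)


def build_sample() -> bytes:
    """Constructed sample: outer ZIP holding an inner ZIP holding one file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("sample.exe", b"placeholder bytes, not an executable")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()
```

A file reported by `missing_motw` is exactly what a pre-24.09 7-Zip produced for the inner layer: an executable that SmartScreen will not be consulted about.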

    Active Exploitation in the Wild

    The earliest recorded abuse of this vulnerability dates back to September 25, 2024, when attack chains culminated in the deployment of SmokeLoader, a modular malware loader frequently observed in Ukraine-focused cyber intrusions.

    The attack begins with a phishing email carrying a booby-trapped archive. Homoglyph subterfuge disguises the inner ZIP file as a Microsoft Word document, so that opening it triggers the exploit.

    Trend Micro’s investigation reveals that the phishing emails originated from accounts affiliated with Ukrainian governmental institutions and business entities, suggesting an antecedent compromise.

    “The exploitation of previously infiltrated email accounts adds an air of credibility to these phishing lures, duping recipients into trusting the sender and engaging with the attached files,” Girnus noted.

    Upon execution, the payload initiates an Internet Shortcut (.URL) file embedded within the ZIP archive, leading victims to a malicious server hosting an additional ZIP file. This secondary archive contains SmokeLoader, camouflaged as a PDF document.

    Impacted Entities and Security Recommendations

    At least nine Ukrainian governmental bodies and associated organizations have been identified as victims of this operation, including:

    • Ministry of Justice of Ukraine
    • Kyiv Public Transportation Service
    • Kyiv Water Supply Company
    • Kyiv City Council

    Given the ongoing exploitation of CVE-2025-0411, users are strongly advised to:

    1. Upgrade to 7-Zip version 24.09 or later to eliminate the vulnerability.
    2. Enforce email filtering mechanisms to preemptively block phishing incursions.
    3. Disable the execution of files from untrusted origins to reduce exposure.

    “A notable observation in this attack campaign,” Girnus remarked, “is the strategic targeting of smaller local government units. These organizations frequently operate under significant cyber strain, yet they lack the robust security postures of larger state entities. This renders them ideal beachheads for adversaries seeking to pivot toward high-value government networks.”
