Wednesday, April 16, 2025
Hackers Exploiting 7-Zip Zero-Day Vulnerability to Deploy SmokeLoader Malware

A newly identified zero-day vulnerability in the widely used 7-Zip archiving software, designated CVE-2025-0411, has been exploited in the wild.

The flaw lets threat actors bypass Windows' Mark-of-the-Web (MoTW) protection and deploy the SmokeLoader malware.

The campaign has predominantly targeted Ukrainian organizations, and researchers suspect links to Russian cybercrime groups amid the ongoing Russo-Ukrainian conflict.

The CVE-2025-0411 Vulnerability

The vulnerability, discovered by Trend Micro’s Zero Day Initiative (ZDI), lets attackers circumvent Microsoft’s “Mark-of-the-Web” (MoTW) feature by nesting one archive inside another.

The Properties view of a file containing a MoTW

MoTW is a Zone.Identifier alternate data stream that Windows attaches to files downloaded from the internet or another untrusted zone; Windows SmartScreen and Office Protected View consult it before a file is run or opened, so a file that lacks it is treated as local and trusted.

In 7-Zip versions before 24.09, however, the mark was not propagated to files extracted from an archive that was itself inside a marked archive.

Scripts or executables hidden in the inner archive therefore emerge without the mark and run without the SmartScreen or Protected View checks that a directly downloaded file would face.

PoC demo of CVE-2025-0411 with encapsulated ZIP archive

A patch addressing the issue was released on November 30, 2024 in the 7-Zip 24.09 update, but 7-Zip has no automatic update mechanism, and the vulnerability has already seen active exploitation in malware campaigns, so installations that were never manually upgraded remain exposed.
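To make the mechanism concrete, the following added example (not 7-Zip code and not the campaign's samples) builds a two-level ZIP in memory, walks it to report how deeply archives are nested, and parses the Zone.Identifier stream that carries the mark. The archive contents, the `payload.js` name and the `example.invalid` host are constructed for illustration; reading the stream only works on NTFS, so `zone_id()` returns `None` on other platforms.

```python
"""Nested-archive walk and Mark-of-the-Web (Zone.Identifier) inspection.

Added example for this article; it is not 7-Zip's code and not a sample from
the campaign. Archive bytes are constructed in memory with the stdlib zipfile
module so the script runs offline on any platform.
"""
import io
import sys
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
ZONE_INTERNET = 3          # ZoneId=3 is the Internet zone that MoTW records


def build_nested_zip() -> bytes:
    """Construct outer.zip -> inner.zip -> payload.js (constructed sample data)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("payload.js", "// placeholder text, not a real payload\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("inner.zip", inner.getvalue())
        z.writestr("readme.txt", "cover document\n")
    return outer.getvalue()


def looks_like_archive(data: bytes) -> bool:
    """Magic-byte check; file extensions are attacker-controlled and ignored."""
    return data.startswith(ZIP_MAGIC) or data.startswith(SEVENZIP_MAGIC)


def walk_archive(data: bytes, depth: int = 0, max_depth: int = 5):
    """Yield (depth, member_name) for every file member, descending into ZIP
    members. 7z members are reported but not opened (stdlib has no 7z reader)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            yield depth, info.filename
            blob = z.read(info)
            if depth < max_depth and blob.startswith(ZIP_MAGIC):
                yield from walk_archive(blob, depth + 1, max_depth)


def nesting_depth(data: bytes) -> int:
    """0 for a flat archive, 1 for the double-encapsulated case in the article."""
    return max((d for d, _ in walk_archive(data)), default=0)


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream."""
    fields, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def zone_id(path: str):
    """ZoneId from a file's Mark-of-the-Web, or None if absent.
    The alternate data stream exists only on NTFS, so non-Windows hosts get None."""
    if sys.platform != "win32":
        return None
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            fields = parse_zone_identifier(f.read())
    except OSError:
        return None
    value = fields.get("ZoneId", "")
    return int(value) if value.isdigit() else None


if __name__ == "__main__":
    sample = build_nested_zip()
    print("nesting depth:", nesting_depth(sample))
    for depth, name in walk_archive(sample):
        print("  " * depth + name)
    # After extracting a downloaded archive on Windows, pass the extracted
    # paths on the command line to see which files lost the mark.
    for p in sys.argv[1:]:
        print(p, "ZoneId =", zone_id(p))
```

On a Windows host the same check can be done by hand with `Get-Content -Stream Zone.Identifier <file>`; a file extracted from the inner archive by a pre-24.09 7-Zip will have no such stream, while the outer archive and files extracted directly from it will show `ZoneId=3`. A mail or endpoint gateway that rejects attachments with `nesting_depth() >= 1`, or at least submits them to detonation, removes the precondition this exploit relies on.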

SmokeLoader Malware Campaign

Threat actors exploited CVE-2025-0411 to deliver SmokeLoader, a long-running loader used to steal credentials, maintain persistent access, and stage additional malicious payloads.

Ukrainian organizations, particularly government agencies, local councils, and businesses, have been the primary targets of these attacks.

The perpetrators appear to rely on spear-phishing emails containing malicious 7-Zip attachments.

Sample phishing email coming from a compromised Ukrainian government email account

Attack Tactics

  • Spear-Phishing Campaigns: Attackers used homoglyph techniques to craft deceptive archive names, replacing Latin characters with visually similar Cyrillic ones so that an archive appeared to be a legitimate document, such as a Microsoft Word file.
    Example: an inner archive named “Спiсок.doс” (“List.doc”) used Cyrillic look-alike letters in the “.doc” extension, so the name resembled a Word document while the file was in fact an archive containing the malicious code.
  • File Execution: Victims who opened the deceptive inner archive extracted its contents without the Mark-of-the-Web, so the SmokeLoader payload ran without the usual SmartScreen checks and compromised the system.
  • Multi-Layered Deception: Inner files often included disguised executables or links to attacker-controlled servers hosting additional malicious files.
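
The homoglyph trick in the first bullet can be caught before a user ever sees the attachment. The following added example (not the researchers' tooling) folds Cyrillic look-alike letters back to the Latin letters they imitate and flags a name whose extension only looks like ASCII. The look-alike table is an assumed, deliberately small mapping, and the sample names are constructed to match the pattern the article describes (Latin “i” inside a Cyrillic stem, Cyrillic “с” at the end of “.doc”).

```python
"""Homoglyph check for attachment names.

Added example for this article, not the researchers' tooling. The look-alike
table is an assumed subset for illustration; the sample names are constructed.
"""
import unicodedata

# Cyrillic letters that render like Latin ones in most fonts (assumed subset).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T",
    "\u0425": "X", "\u0406": "I", "\u0405": "S", "\u0408": "J",
}


def script_of(ch: str):
    """Coarse script bucket taken from the Unicode character name; None for non-letters."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"


def scripts_in(text: str) -> set:
    return {s for s in map(script_of, text) if s}


def as_seen(text: str) -> str:
    """The name as a human reads it, with look-alikes replaced by Latin letters."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in text)


def analyze_filename(name: str) -> dict:
    """Classify a filename: 'block' for a spoofed extension, 'review' for a
    mixed-script stem (weak signal; bilingual names are common), else 'ok'."""
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    seen_ext = as_seen(ext)
    # A genuine extension is ASCII. One that is non-ASCII yet *reads* as ASCII
    # once look-alikes are folded is a homoglyph-spoofed extension: Windows will
    # not associate it with Word, but the user sees ".doc".
    ext_spoofed = bool(ext) and not ext.isascii() and seen_ext.isascii()
    stem_mixed = len(scripts_in(stem)) > 1
    verdict = "block" if ext_spoofed else ("review" if stem_mixed else "ok")
    return {
        "name": name,
        "extension_as_seen": seen_ext,
        "ext_spoofed": ext_spoofed,
        "stem_mixed_script": stem_mixed,
        "verdict": verdict,
    }


# Constructed samples: the first mimics the article's "Спiсок.doс" with a Latin
# "i" in the stem and a Cyrillic "с" (U+0441) ending the extension.
SAMPLE_NAMES = [
    "\u0421\u043f" + "i" + "\u0441\u043e\u043a.do\u0441",
    "\u0421\u043f\u0438\u0441\u043e\u043a.docx",   # all-Cyrillic stem, real .docx
    "report.doc",
    "\u041e\u0442\u0447\u0435\u0442 Q1.doc",        # bilingual but benign stem
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        r = analyze_filename(n)
        print(f"{r['verdict']:6} {n!r}  seen as .{r['extension_as_seen']}")
```

A mail gateway would apply `analyze_filename()` to every attachment name and, for archives, to every member name as well, since the spoofed name in this campaign sat inside the outer archive rather than on the email itself. The `review` verdict is intentionally separate from `block`: a Ukrainian organization legitimately exchanges files whose names mix Cyrillic and Latin, so only the spoofed extension should be treated as a hard indicator.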

This campaign aligns with ongoing cyber tensions between Russia and Ukraine. Ukrainian organizations targeted include the State Executive Service, Kyiv Public Transportation Service, and Zaporizhzhia Automobile Building Plant.

Experts suggest the attacks may aim to gather intelligence or disrupt critical infrastructure in Ukraine amidst the continued conflict.

Smaller, under-resourced organizations have been particularly vulnerable, acting as potential entry points for broader cyber espionage activities.

Organizations are urged to take immediate action to protect themselves from exploitation of CVE-2025-0411. Key steps recommended by cybersecurity experts:

  1. Update 7-Zip: Ensure your systems run version 24.09 or later. 7-Zip does not update itself, so the new build must be deployed through your software-management tooling and verified on each host.
  2. Enhance Security Training: Educate employees about phishing and homoglyph attacks, and encourage caution when handling email attachments, especially archives that contain further archives.
  3. Implement Email Security Tools: Use filtering that inspects archive contents, flags nested archives and mixed-script filenames, and blocks or detonates suspicious attachments.
  4. Isolate High-Risk Environments: Restrict access to sensitive systems and data, minimizing exposure in case of a breach.
  5. Proactively Monitor Networks: Alert on executables or scripts launched from user download and temporary folders and on other unusual file execution that may indicate a compromised system.

Cybersecurity experts continue to analyze the full scope of this campaign. Questions remain about whether similar vulnerabilities exist in other software and how attackers may refine their strategies in the future.

Given the recurrence of homoglyph attacks and advanced phishing techniques, the global cybersecurity community must stay vigilant to these evolving threats.

Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
