Hackers Exploiting 7-Zip Zero-Day Vulnerability to Deploy SmokeLoader Malware

A newly identified zero-day vulnerability in the widely used 7-Zip archiving software, designated as CVE-2025-0411.

This critical flaw, which was exploited in the wild, is enabling threat actors to bypass vital Windows security protections and deploy SmokeLoader malware.

The campaign has predominantly targeted Ukrainian organizations, with experts suspecting links to Russian cybercrime groups amid the ongoing Russo-Ukrainian conflict.

The CVE-2025-0411 Vulnerability

The vulnerability, discovered by Trend Micro’s Zero Day Initiative (ZDI), enables attackers to circumvent Microsoft’s “Mark-of-the-Web” (MoTW) security feature by double-archiving files.

MoTW typically flags files downloaded from untrusted sources, like the internet, preventing their automatic execution.

However, this flaw in the 7-Zip software, before version 24.09, fails to propagate MoTW protections to double-encapsulated archives.

This loophole allows malicious scripts or executables hidden within such archives to bypass security checks, leaving systems vulnerable.

A patch addressing the issue was released on November 30, 2024, with the 7-Zip 24.09 update, but the vulnerability has already seen active exploitation in malware campaigns.

SmokeLoader Malware Campaign

Threat actors exploited CVE-2025-0411 to deliver the SmokeLoader malware, a notorious piece of malware used to steal credentials, enable persistent access, and deploy other malicious payloads.

Ukrainian organizations, particularly government agencies, local councils, and businesses, have been the primary targets of these attacks.

The perpetrators appear to rely on spear-phishing emails containing malicious 7-Zip attachments.

Attack Tactics

• Spear-Phishing Campaigns: Attackers used homoglyph techniques to craft deceptive archive names. For instance, they replaced Latin characters with visually similar Cyrillic ones to trick victims into opening files that appeared to be legitimate documents, such as Microsoft Word files.
  Example: A file named “Спiсок.doс” (“List.doc”) used Cyrillic characters to spoof a “.doc” file, masking the presence of malicious code.
• File Execution: Victims who opened the deceptive inner archive unwittingly triggered SmokeLoader malware, enabling system compromise.
• Multi-Layered Deception: Inner files often included disguised executables or links to attacker-controlled servers hosting additional malicious files.

This campaign aligns with ongoing cyber tensions between Russia and Ukraine. Ukrainian organizations targeted include the State Executive Service, Kyiv Public Transportation Service, and Zaporizhzhia Automobile Building Plant.

Experts suggest the attacks may aim to gather intelligence or disrupt critical infrastructure in Ukraine amidst the continued conflict.

Smaller, under-resourced organizations have been particularly vulnerable, acting as potential entry points for broader cyber espionage activities.

Organizations are urged to take immediate action to protect themselves from potential exploitation of CVE-2025-0411. Here are key steps recommended by cybersecurity experts:

1. Update 7-Zip: Ensure your systems run version 24.09 or later to patch the MoTW bypass vulnerability.
2. Enhance Security Training: Educate employees about phishing and homoglyph attacks, encouraging caution when handling email attachments or unknown files.
3. Implement Email Security Tools: Use advanced filtering mechanisms to detect and block suspicious emails.
4. Isolate High-Risk Environments: Restrict access to sensitive systems and data, minimizing exposure in case of a breach.
5. Proactively Monitor Networks: Detect unusual activity or file executions that may indicate a compromised system.

Cybersecurity experts continue to analyze the full scope of this campaign. Questions remain about whether similar vulnerabilities exist in other software and how attackers may refine their strategies in the future.

Given the recurrence of homoglyph attacks and advanced phishing techniques, the global cybersecurity community must stay vigilant to these evolving threats.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free