A critical security flaw in 7-Zip, tracked as CVE-2025-0411 (CVSS score: 7.0), was exploited in the wild by Russian cybercrime groups to bypass Windows Mark-of-the-Web (MotW) protections and execute arbitrary code on targeted systems. The issue was fixed in 7-Zip version 24.09, released in November 2024.
According to Trend Micro security researcher Peter Girnus, the flaw was actively exploited in spear-phishing campaigns that used homoglyph attacks (visually similar characters from other scripts) to spoof file extensions, tricking both users and Windows into executing malicious files.
Exploitation in Cyber Espionage Campaigns
Reports indicate that CVE-2025-0411 was weaponized to target both governmental and non-governmental organizations in Ukraine, aligning with the ongoing Russo-Ukrainian conflict. The flaw enabled attackers to bypass security checks, facilitating a cyber espionage campaign.
Microsoft's MotW feature tags files that arrive from the internet so that Windows does not run them without further scrutiny by Microsoft Defender SmartScreen. The attackers defeated it by double-archiving the malicious payload with 7-Zip, which hid the threat from those checks.
Technical Breakdown of CVE-2025-0411
Prior to 7-Zip version 24.09, the application did not propagate the MotW to files extracted from nested (double-encapsulated) archives: the outer archive carried the mark, but the files inside an inner archive did not inherit it. This oversight allowed attackers to craft archives containing scripts or executables that ran without the Windows security checks that normally apply to downloaded files.
Attackers first double-archived the malicious content so that the payload appeared to be a legitimate file. They then distributed these deceptive archives via phishing emails, leading recipients to unknowingly execute SmokeLoader, a well-known loader malware frequently used in attacks against Ukraine.
Attack Chain & Infection Methodology
The attack sequence was first identified on September 25, 2024, with malicious emails containing specially crafted archive files. The attack flow included:
- Phishing Emails: The campaign involved phishing emails containing homoglyph-manipulated ZIP archives masquerading as Microsoft Word documents.
- Compromised Email Accounts: Attackers used previously compromised Ukrainian government and business email accounts to make phishing messages appear credible.
- Archive Execution: When the ZIP archive was opened, it triggered the execution of a .URL shortcut file, leading victims to an attacker-controlled server hosting another ZIP file.
- SmokeLoader Deployment: The second ZIP contained a SmokeLoader executable disguised as a PDF document, which, when opened, initiated the infection.
Targeted Entities & Security Implications
At least nine Ukrainian government agencies and other organizations were affected, including:
- Ministry of Justice
- Kyiv Public Transportation Service
- Kyiv Water Supply Company
- City Council
Girnus noted that smaller local government bodies were particularly vulnerable, as they often lack robust cybersecurity resources compared to larger government agencies. Cybercriminals exploit these organizations as stepping stones to infiltrate broader networks.
Mitigation Measures & Security Recommendations
Given the active exploitation of CVE-2025-0411, organizations are strongly advised to:
✅ Update 7-Zip to version 24.09 or later to patch the vulnerability; 7-Zip has no automatic update mechanism, so the new version must be deployed deliberately.
✅ Enhance email security by implementing phishing filters and blocking suspicious attachments.
✅ Restrict execution of files from untrusted or external sources.
Girnus emphasized the importance of cyber resilience, particularly for under-resourced government agencies, urging them to strengthen defenses against emerging cyber threats.