A recently patched security flaw in the 7-Zip archiver tool was exploited in the wild to spread malware.
The flaw, tracked as CVE-2025-0411 (CVSS score: 7.0), allows remote attackers to circumvent mark-of-the-web (MotW) protections and execute arbitrary code in the context of the current user. It was addressed by 7-Zip in November 2024 with version 24.09.
According to Trend Micro security researcher Peter Girnus, "the vulnerability was actively exploited by Russian cybercrime groups through spear-phishing campaigns, using homoglyph attacks to spoof document extensions and trick users and the Windows Operating System into executing malicious files."
CVE-2025-0411 is believed to have been used to target governmental and non-governmental organizations in Ukraine as part of a cyber espionage campaign set against the backdrop of the ongoing Russo-Ukrainian conflict.
MotW is a security feature that Microsoft added to Windows to stop it from automatically executing files downloaded from the internet without first running them through Microsoft Defender SmartScreen for additional checks.
CVE-2025-0411 bypasses MotW by double archiving content using 7-Zip, i.e., creating an archive and then an archive of that archive, in order to conceal the malicious payloads.
"The root cause of CVE-2025-0411 is that prior to version 24.09, 7-Zip did not properly propagate MotW protections to the content of double-encapsulated archives," Girnus explained. This makes it possible for threat actors to create archives containing malicious scripts or executables that will not receive MotW protections, leaving Windows users vulnerable to attacks.
The infection sequences, which led to SmokeLoader, a loader malware that has frequently been used to target Ukraine, were first observed in the wild on September 25, 2024, when the flaw was still a zero-day.
The initial vector is a phishing email containing a specially crafted archive file that, in turn, uses a homoglyph attack to pass off the inner ZIP archive as a Microsoft Word document file, thereby triggering the vulnerability.
According to Trend Micro, the phishing emails were sent to both municipal organizations and businesses from email addresses associated with Ukrainian governing bodies and business accounts, suggesting a prior level of compromise.
Girnus remarked that the use of these compromised email accounts "gives the emails sent to targets an air of authenticity," making it more likely that potential victims would trust the content and its senders.
This method leads to the execution of an internet shortcut (.URL) file present in the ZIP archive that points to an attacker-controlled server hosting another ZIP file. That downloaded ZIP contains the SmokeLoader payload, disguised as a PDF document.
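The layering described above (outer archive, inner archive named to look like a Word document via a homoglyph extension, .URL shortcut inside) can be triaged before anything is opened. The following is an added example, not code from the article or from Trend Micro: it walks a ZIP recursively and reports the traits of this lure. The sample archive it builds is constructed for the demonstration and carries no payload; the list of benign ZIP-based document formats it excludes is an assumption.

```python
import io
import unicodedata
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
MAX_DEPTH = 3
# Office Open XML documents are ZIP containers themselves; do not report them
# as "nested archive" (assumption: these are the only benign nested ZIPs here).
OOXML = (".docx", ".xlsx", ".pptx")


def homoglyph_chars(name: str) -> list[str]:
    """Non-ASCII letters in the extension, e.g. Cyrillic 'о' (U+043E) posing as Latin 'o'."""
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    return [f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in ext if c.isalpha() and not c.isascii()]


def triage_zip(data: bytes, depth: int = 0, path: str = "") -> list[str]:
    """Walk a ZIP (recursing into nested ZIPs) and report the traits of the described lure:
    homoglyph extensions, archive-in-archive layering, and .URL shortcuts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            full = f"{path}/{info.filename}" if path else info.filename
            bad = homoglyph_chars(info.filename)
            if bad:
                findings.append(f"homoglyph extension: {full} ({', '.join(bad)})")
            if info.filename.lower().endswith(".url"):
                findings.append(f"internet shortcut inside archive: {full}")
            content = zf.read(info)
            if content.startswith(ZIP_MAGIC):
                if not info.filename.lower().endswith(OOXML):
                    findings.append(f"nested archive at depth {depth + 1}: {full}")
                if depth + 1 < MAX_DEPTH:
                    findings.extend(triage_zip(content, depth + 1, full))
    return findings


def build_sample(benign: bool = False) -> bytes:
    """Constructed test input (not a real sample). The non-benign layout mirrors the article:
    outer ZIP -> inner ZIP named like a Word file with a Cyrillic 'о' -> .URL shortcut."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        if benign:
            z.writestr("[Content_Types].xml", "<Types/>")
        else:
            z.writestr("Report.url", "[InternetShortcut]\nURL=http://example.invalid/next.zip\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Report.docx" if benign else "Report.d\u043ec", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for line in triage_zip(build_sample()):
        print(line)
```

A genuine .docx is itself a ZIP, so the nested-archive heuristic alone would be noisy; the combination of a homoglyph extension on a ZIP-typed entry with a .URL file inside is the signal worth alerting on.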
The Ministry of Justice, Kyiv Public Transportation Service, Kyiv Water Supply Company, and City Council are among the at least nine Russian state institutions and other organizations assessed to be impacted by the campaign.
In light of the active exploitation of CVE-2025-0411, users are advised to update their installations to the latest version, employ email filtering features to block phishing attempts, and disable the execution of files from untrusted sources.
One of the interesting takeaways, according to Girnus, is that smaller local government bodies are among the organizations targeted and affected by this campaign.
These organizations lack the resources for a comprehensive cyber strategy that larger government organizations have, are frequently under extreme cyber pressure, and are frequently overlooked, under-informed, and under-prepared. These smaller entities can serve as important pivot points for threat actors looking to gain access to larger government organizations.