Zero-Day Attacks Exploit 7-Zip Vulnerability to Target Ukrainian Entities

February 4, 2025

A vulnerability in the 7-Zip file archiver program has been exploited by Russian hackers to bypass the Windows security feature known as Mark of the Web (MotW). This allowed them to launch zero-day attacks against the Ukrainian government and private organizations. The flaw was used in SmokeLoader malware campaigns that have been ongoing since September 2024.

The MotW is a security feature of Windows designed to warn users when they are about to execute a file from an untrusted source. It requests a confirmation step via an additional prompt. By bypassing MotW, the threat actors were able to run malicious files on the victim's machine without triggering any warning.

When files are downloaded from the web or received as an email attachment, Windows adds a special 'Zone.Identifier' alternate data stream, known as the Mark-of-the-Web (MotW), to the file. If a user tries to open a downloaded file, Windows checks for the presence of a MotW and, if it exists, displays additional warnings to the user. In the case of documents opened in Word or Excel with a MotW flag, Microsoft Office generates additional warnings and disables macros.

The vulnerability, now designated as CVE-2025-0411, was first discovered by the Zero Day Initiative (ZDI) team at Trend Micro on September 25, 2024. It was seen being exploited in attacks carried out by Russian threat actors. The hackers exploited the flaw by using double archived files (an archive within an archive) to bypass the MotW flag, resulting in the execution of malicious files without triggering warnings.

The attackers used specially crafted archive files sent via phishing emails from compromised Ukrainian government accounts to bypass security filters and appear legitimate. They used homoglyph techniques to hide their payloads within the 7-Zip files, making them appear as innocuous Word or PDF documents. However, due to the CVE-2025-0411 flaw, the MotW flag did not propagate to the contents of the inner archive, enabling malicious scripts and executables to launch directly. This triggered the SmokeLoader payload, a malware dropper previously used to install info-stealers, trojans, ransomware, or create backdoors for persistent access.

Despite the discovery of the zero-day in September, it was not until October 1, 2024, that Trend Micro shared a working proof-of-concept (PoC) exploit with the developers of 7-Zip. The vulnerability was addressed via a patch in version 24.09, released on November 30, 2024. However, as 7-Zip does not have an auto-update feature, many users may still be running outdated versions. Users are strongly advised to download the latest version to protect themselves from this vulnerability.
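For defenders, the two practical checks that follow from the description above are whether files extracted from a downloaded archive actually carry the Zone.Identifier stream, and whether the installed 7-Zip build is at or above the fixed 24.09 release. The script below is an added example, not code from the article or from the 7-Zip project; it assumes 7-Zip is installed under the default `$env:ProgramFiles\7-Zip` path and that the caller supplies the archive and extraction paths.

```powershell
# Added example (not from the article): audit files extracted from a downloaded
# archive for a missing Mark-of-the-Web, optionally re-apply it, and compare the
# installed 7-Zip version with the patched release named in the article (24.09).
# Assumption: 7-Zip lives at $env:ProgramFiles\7-Zip\7z.exe (default install path).

param(
    [Parameter(Mandatory)] [string] $ArchivePath,   # the downloaded archive
    [Parameter(Mandatory)] [string] $ExtractDir,    # folder its contents were extracted to
    [switch] $Remediate                             # re-tag untagged files with ZoneId=3 (Internet)
)

function Get-ZoneId {
    param([string] $Path)
    # Zone.Identifier is an NTFS alternate data stream; no stream means no MotW.
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $content = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $line = $content | Where-Object { $_ -match '^ZoneId=(\d+)' } | Select-Object -First 1
    if ($line -match '^ZoneId=(\d+)') { return [int] $Matches[1] }
    return $null
}

# 1. The archive itself should carry MotW if it came from the web or email (ZoneId 3 or 4).
$archiveZone = Get-ZoneId $ArchivePath
if ($null -eq $archiveZone) {
    Write-Warning "Archive has no Zone.Identifier stream; there is nothing to propagate."
} else {
    Write-Host "Archive ZoneId=$archiveZone"
}

# 2. Every extracted file should inherit the tag. Files that did not are the
#    situation CVE-2025-0411 produces for nested archives.
$untagged = Get-ChildItem -LiteralPath $ExtractDir -File -Recurse | Where-Object {
    $null -eq (Get-ZoneId $_.FullName)
}
foreach ($f in $untagged) {
    Write-Warning "Missing MotW: $($f.FullName)"
    if ($Remediate) {
        # Write a minimal Zone.Identifier stream marking the file as Internet-sourced.
        Set-Content -LiteralPath $f.FullName -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
    }
}

# 3. Version check against the patched release.
$exe = Join-Path $env:ProgramFiles '7-Zip\7z.exe'
if (Test-Path $exe) {
    $ver = [version] (Get-Item $exe).VersionInfo.FileVersion
    if ($ver -lt [version] '24.09') {
        Write-Warning "7-Zip $ver is older than 24.09; update it."
    } else {
        Write-Host "7-Zip $ver is at or above 24.09."
    }
} else {
    Write-Host "7-Zip not found at $exe"
}
```

Run it as `.\Check-MotW.ps1 -ArchivePath .\report.7z -ExtractDir .\report -Remediate` after extracting an archive that arrived by email or download. The Zone.Identifier stream only exists on NTFS volumes, so files extracted to FAT or exFAT media will always show as untagged regardless of the 7-Zip version.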
