Attackers have exploited a zero-day vulnerability in the widely used 7-Zip file archiver to deploy the SmokeLoader malware.
The vulnerability, tracked as CVE-2025-0411, was first observed being exploited in September 2024 and has since been used in attacks against Ukrainian entities.
CVE-2025-0411 is a high-severity vulnerability (CVSS score: 7.0) that lets attackers bypass the Windows Mark-of-the-Web (MoTW) mechanism.
MoTW is a Zone.Identifier alternate data stream that Windows attaches to files downloaded from the Internet zone; it tells Microsoft Defender SmartScreen to vet the file before it runs and makes Microsoft Office open it in Protected View.
The flaw is that 7-Zip before version 24.09, when extracting an archive that carries the MoTW, did not propagate the mark to the extracted files. With a nested (double) archive, the inner archive comes out unmarked, and so do the files extracted from it.
An attacker can therefore craft a nested archive whose payload, once extracted, carries no MoTW, so scripts or executables run without a SmartScreen or Protected View warning.
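Because the mark is just a Zone.Identifier stream on NTFS, the propagation failure is easy to verify after an extraction. The script below is an added example, not code from this page or from the 7-Zip project: it parses the stream and reports every file under a directory that lacks an Internet-zone mark. The sample stream is constructed; read_motw() needs Windows/NTFS (on other platforms it simply reports no mark), while the parser runs anywhere.

```python
"""Audit extracted files for the Mark-of-the-Web (MoTW).

On NTFS the mark is an alternate data stream named "Zone.Identifier" that
holds an INI-style [ZoneTransfer] section. Python can open that stream on
Windows with the "<file>:Zone.Identifier" path form. After extracting a
downloaded archive, every extracted file (including files from a nested
archive) should still carry ZoneId=3; a file without it is never vetted by
SmartScreen or opened in Office Protected View.
"""
import os
from pathlib import Path
from typing import Dict, List, Optional

URLZONE_INTERNET = 3  # ZoneId: 0 local machine, 1 intranet, 2 trusted, 3 Internet, 4 restricted

# Constructed sample of what Windows writes for a file saved from a browser.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/download/archive.7z\r\n"
)


def parse_zone_identifier(text: str) -> Optional[Dict[str, object]]:
    """Parse a Zone.Identifier stream. Returns the [ZoneTransfer] fields with
    ZoneId converted to int, or None when there is no usable ZoneId."""
    section = None
    fields: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    zone = fields.get("ZoneId")
    if not isinstance(zone, str) or not zone.isdigit():
        return None
    fields["ZoneId"] = int(zone)
    return fields


def read_motw(path: "os.PathLike[str]") -> Optional[Dict[str, object]]:
    """Read a file's Zone.Identifier stream (Windows/NTFS only).
    Returns None when the file carries no mark, and on other platforms,
    where "<file>:Zone.Identifier" is merely a non-existent file name."""
    try:
        with open(f"{os.fspath(path)}:Zone.Identifier", encoding="utf-8",
                  errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def is_marked_untrusted(zone: Optional[Dict[str, object]]) -> bool:
    """True when the mark places the file in the Internet or Restricted zone,
    the zones for which SmartScreen and Protected View apply."""
    return zone is not None and int(zone["ZoneId"]) >= URLZONE_INTERNET


def audit_extracted(directory: "os.PathLike[str]") -> List[str]:
    """Return relative paths under `directory` that lack an Internet-zone mark.
    With a fixed 7-Zip (24.09+) extracting a marked archive the list is empty;
    with a vulnerable build the nested archive's contents show up here."""
    root = Path(directory)
    missing = [
        str(p.relative_to(root))
        for p in root.rglob("*")
        if p.is_file() and not is_marked_untrusted(read_motw(p))
    ]
    return sorted(missing)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel in audit_extracted(target):
        print(f"NO MOTW: {rel}")
```

Run it against the directory you just extracted into; on a patched 7-Zip every file should carry the mark, so any line of output points at a file SmartScreen will never see. PowerShell's `Get-Item -Stream Zone.Identifier` shows the same stream if you prefer a one-liner.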
Exploitation in the Wild
Russian cybercrime groups have weaponized the vulnerability, likely as part of cyberespionage campaigns amid the ongoing Russo-Ukrainian conflict.
These groups delivered double-archived (nested) malicious files through spear-phishing emails.
“The vulnerability was actively exploited by Russian cybercrime groups through spear-phishing campaigns, using homoglyph attacks to spoof document extensions and trick users and the Windows Operating System into executing malicious files,” Trend Micro said.
A further deception is the homoglyph attack, in which a file extension is spoofed with visually similar characters from another script, for example replacing the Latin “c” with the Cyrillic “Es” (U+0441). A user reads the extension as “.doc”, while Windows sees a different extension that no document handler is registered for.
In this campaign the attackers distributed an outer archive named “Документи та платежи.7z” (“Documents and payments”), containing an inner archive posing as a Microsoft Word document under a name such as “Спiсок.doс” (“List”), whose final “с” is the Cyrillic letter rather than the Latin one.
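A mail gateway or archive scanner can catch this class of name before a user ever sees it. The following checker is an added example, not code from this page or from Trend Micro: it folds known Cyrillic, Greek and fullwidth look-alikes to Latin and flags an extension that then reads as a document type but is not that ASCII string, flags any non-ASCII extension, and notes a stem that mixes scripts. The sample name is constructed to mirror the campaign's “Спiсок.doс” (Cyrillic stem with a Latin “i”, extension ending in Cyrillic Es); the confusables table is a small subset, not the full Unicode list.

```python
"""Flag file names whose extension spoofs a document type with homoglyphs.

Windows picks the handler from the exact code points of the extension, so
".do\u0441" (ending in Cyrillic Es, U+0441) is not ".doc" at all, even though
the two render identically. Checks: (1) the extension, after mapping known
confusable characters to Latin, matches a document extension but is not
that ASCII string; (2) any non-ASCII character in an extension; (3) a stem
that mixes scripts, e.g. a Latin "i" inside a Cyrillic word.
"""
import unicodedata
from typing import Iterable, List, NamedTuple

# Small subset of Unicode confusables: Cyrillic and Greek letters that look Latin.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T",
    "\u0425": "X", "\u03b1": "a", "\u03bf": "o", "\u03c1": "p", "\u03c5": "y",
}

DOC_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf", "txt"}

# Constructed sample modelled on the campaign's "Спiсок.doс": Cyrillic stem
# with a Latin "i", and an extension whose last letter is Cyrillic Es.
SPOOFED_NAME = "\u0421\u043f" "i" "\u0441\u043e\u043a" ".do\u0441"


class Verdict(NamedTuple):
    filename: str
    extension: str        # the extension as Windows sees it (exact code points)
    looks_like: str       # what it resembles after confusable folding
    suspicious: bool
    reason: str
    stem_mixed_script: bool


def script_of(ch: str) -> str:
    """Rough script of a letter, taken from its Unicode name ("LATIN", "CYRILLIC", ...)."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def fold_confusables(s: str) -> str:
    """NFKC first (folds fullwidth forms), then map known look-alikes to Latin."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", s))


def check_filename(filename: str) -> Verdict:
    stem, sep, ext = filename.rpartition(".")
    if not sep or not ext:
        return Verdict(filename, "", "", False, "no extension", False)
    stem_scripts = {script_of(ch) for ch in stem if ch.isalpha()}
    stem_mixed = len(stem_scripts) > 1
    looks_like = fold_confusables(ext).lower()
    if looks_like in DOC_EXTENSIONS and ext.lower() != looks_like:
        return Verdict(filename, ext, looks_like, True,
                       f"extension imitates .{looks_like} with look-alike characters",
                       stem_mixed)
    if any(ord(ch) > 0x7F for ch in ext):
        return Verdict(filename, ext, looks_like, True, "non-ASCII extension", stem_mixed)
    return Verdict(filename, ext, looks_like, False, "ok", stem_mixed)


def suspicious_names(names: Iterable[str]) -> List[Verdict]:
    """Filter a batch of attachment or archive-entry names down to the suspect ones."""
    return [v for v in map(check_filename, names) if v.suspicious]


if __name__ == "__main__":
    samples = [SPOOFED_NAME, "report.doc", "a.\uff44\uff4f\uff43", "photo.jpg"]
    for v in map(check_filename, samples):
        print(f"{v.filename!r:32} ext={v.extension!r:10} looks_like={v.looks_like!r:8} "
              f"suspicious={v.suspicious} ({v.reason}); mixed stem={v.stem_mixed_script}")
```

Feed it the entry names from an archive listing (7-Zip's `7z l` output, or a zipfile/py7zr listing) as well as attachment names; the nested archive in this campaign is exactly the kind of entry that only shows up once the outer file is opened.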
Once extracted and executed, these files deployed SmokeLoader on the victim's system.
SmokeLoader is a modular malware loader first seen in 2011. It mainly downloads and runs secondary payloads, but it also has capabilities of its own: credential theft, data exfiltration, backdoors for prolonged access, and obfuscation and sandbox detection to frustrate analysis.
Mitigation Strategies
To protect against CVE-2025-0411 and similar threats, organizations should implement the following measures:
- Update 7-Zip to version 24.09 or later on every system. 7-Zip has no auto-update mechanism, so the new build has to be pushed through package management or installed by hand.
- Deploy robust email filtering solutions to block spear-phishing attempts.
- Educate employees on recognizing phishing emails and homoglyph attacks.
- Keep SmartScreen and Office Protected View enabled and do not let users click through their prompts; treat nested archives arriving by email as suspicious by default.
- Use endpoint protection tools capable of identifying and blocking malicious file activity.
- Monitor network telemetry for beaconing and other patterns indicative of SmokeLoader communicating with its command-and-control (C2) servers.
Organizations must act swiftly to mitigate potential threats, especially given the sophisticated techniques employed by attackers in this campaign.