Vulnerability / Cyber Espionage
A Recently Patched Security Vulnerability Exploited in the Wild
A recently patched security vulnerability in the 7-Zip archiver tool was exploited in the wild to deliver the SmokeLoader malware.
The Flaw
The flaw, CVE-2025-0411 (CVSS score: 7.0), allows remote attackers to circumvent mark-of-the-web (MotW) protections and execute arbitrary code in the context of the current user. It was addressed by 7-Zip in November 2024 with version 24.09.
Exploitation
The vulnerability was actively exploited by Russian cybercrime groups through spear-phishing campaigns, using homoglyph attacks to spoof document extensions and trick both users and the Windows operating system into executing malicious files.
Targeted Organizations
At least nine Ukrainian government entities and other organizations have been assessed to be impacted by the campaign, including the Ministry of Justice, Kyiv Public Transportation Service, Kyiv Water Supply Company, and City Council.
How the Flaw Was Exploited
The starting point is a phishing email that contains a specially-crafted archive file that, in turn, employs a homoglyph attack to pass off the inner ZIP archive as a Microsoft Word document file, effectively triggering the vulnerability.
The Attack Sequence
- The phishing message is sent from an email address associated with a Ukrainian governing body or business account to a municipal organization or business.
- The email contains a specially-crafted archive file that, when opened, employs a homoglyph attack to pass off the inner ZIP archive as a Microsoft Word document file.
- Opening the archive triggers the vulnerability, allowing the attacker to execute an internet shortcut (.URL) file present within the ZIP archive.
- The .URL file points to an attacker-controlled server hosting another ZIP file.
- The newly downloaded ZIP contains the SmokeLoader executable disguised as a PDF document.
The SmokeLoader Malware
SmokeLoader is a loader malware that has been repeatedly used to target Ukraine.
Root Cause of the Flaw
The root cause of CVE-2025-0411 is that prior to version 24.09, 7-Zip did not properly propagate MotW protections to the content of double-encapsulated archives.
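The attack sequence and root cause above combine three traits that can be checked before an archive ever reaches 7-Zip: a file extension that only looks like .doc (letters from a second script), a second archive nested inside the first (the layer that lost its MotW before 24.09), and a shortcut file inside that inner archive. The following triage script is an added example, not code from the advisory or from 7-Zip; the archive it scans is constructed in memory with placeholder contents, and the name `report.dоc` (Cyrillic o) is a made-up illustration of the spoofing, not an indicator from the campaign.

```python
import io
import unicodedata
import zipfile

SHORTCUT_EXTS = {"url", "lnk"}  # internet/shell shortcuts do not belong in a document lure

def extension_scripts(name):
    """Unicode scripts of the letters in a file name's extension: 'doc' gives {'LATIN'},
    a look-alike such as 'd\u043ec' (Cyrillic o) gives {'LATIN', 'CYRILLIC'}."""
    base = name.rsplit("/", 1)[-1]
    ext = base.rsplit(".", 1)[1] if "." in base else ""
    return {unicodedata.name(c, "UNKNOWN").split(" ")[0] for c in ext if c.isalpha()}

def scan_zip(data, prefix="", depth=0, max_depth=3):
    """Return (path, finding) pairs for an in-memory ZIP, recursing into nested ZIPs.
    Nesting is capped so a decompression bomb cannot exhaust memory."""
    if depth > max_depth:
        return [(prefix, "nesting deeper than %d levels" % max_depth)]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            ext = info.filename.rsplit(".", 1)[-1].lower()
            foreign = extension_scripts(info.filename) - {"LATIN"}
            if foreign:  # the spoofed-extension trick described in the attack sequence
                findings.append((path, "look-alike extension with %s letters" % "/".join(sorted(foreign))))
            if ext in SHORTCUT_EXTS:
                findings.append((path, "shortcut file inside archive"))
            payload = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(payload)):  # the double-encapsulation that lost MotW
                findings.append((path, "nested archive"))
                findings += scan_zip(payload, path + "::", depth + 1, max_depth)
    return findings

def build_sample():
    """Constructed sample with the lure's shape: outer ZIP -> inner ZIP named like a .doc
    (Cyrillic 'o') -> shortcut file. Contents are placeholders, not real payloads."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.url", "placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("report.d\u043ec", inner.getvalue())  # U+043E is Cyrillic small o
        z.writestr("readme.txt", "benign constructed text")
    return outer.getvalue()

if __name__ == "__main__":
    for path, finding in scan_zip(build_sample()):
        print(path, "->", finding)
```

A mail gateway or sandbox can run this over attachments to quarantine archives that show the nested-archive plus look-alike-extension pattern; it complements, rather than replaces, updating 7-Zip to 24.09 or later.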
Recommendations
Users are recommended to update their installations to the latest version, implement email filtering features to block phishing attempts, and disable the execution of files from untrusted sources.
Conclusion
The active exploitation of CVE-2025-0411 highlights the importance of keeping software up-to-date and implementing robust security measures to prevent cyber attacks.
Cybersecurity Takeaways
- Smaller local government bodies can serve threat actors as pivot points into larger government organizations.
- These organizations are often under intense cyber pressure yet are often overlooked, less cyber-savvy, and lack the resources for a comprehensive cyber strategy.