Stratos Ally

Windows MotW Protections being Bypassed through 7-Zip flaw!  


DarkSoul


Russia-based hacker groups have been found exploiting a 7-Zip flaw tracked as CVE-2025-0411, which carries a CVSS score of 7.0. The flaw allows malicious actors to bypass Mark-of-the-Web (MotW) protection and execute arbitrary commands in the context of the current user.

The Russian hacker groups took advantage of unpatched 7-Zip installations to deliver SmokeLoader malware onto target systems. The targets were approached via spear-phishing campaigns that used homoglyph attacks to spoof document extensions, tricking both users and the Windows operating system into executing malicious files, according to details shared by Peter Girnus, a security researcher at Trend Micro.

Given that the targets belong to government and non-government bodies in Ukraine and that the activity forms part of a cyber-espionage campaign, this may be connected to the ongoing Russo-Ukrainian war. The first instance of CVE-2025-0411 being used against Ukraine came to light on September 25, 2024. The flaw was further weaponized to deliver SmokeLoader, a loader malware that has been repeatedly used to target Ukraine.

The attack chain starts with a phishing email carrying a specially crafted archive that uses a homoglyph attack to pass off an inner ZIP archive as a Microsoft Word document, which triggers the vulnerability. The emails were sent from email addresses associated with Ukrainian governing bodies and business accounts to both municipal organizations and businesses, suggesting those accounts had been compromised earlier. The attackers succeeded in infecting at least nine Ukrainian government entities, including the Ministry of Justice, the Kyiv Public Transportation Service, the Kyiv Water Supply Company, and the City Council.
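As an added illustration of how a mail gateway or sandbox could triage such an attachment (example code written for this post, not from Trend Micro or the 7-Zip project; the sample archive, file names and the `ZIP_BASED_EXTS` list are constructed assumptions), the script below flags members whose names mix Latin letters with a lookalike script, whose extension contains non-ASCII characters, or which are themselves ZIP archives hiding under a non-archive extension:

```python
import io
import unicodedata
import zipfile

# Extensions that are legitimately ZIP containers (OOXML, ODF, Java); any other extension on a nested ZIP is reported.
ZIP_BASED_EXTS = {"docx", "xlsx", "pptx", "odt", "jar"}


def scripts_in(name: str) -> set[str]:
    """Unicode scripts of the letters in a filename, e.g. {'LATIN', 'CYRILLIC'}.
    Latin mixed with a lookalike script is the hallmark of a homoglyph-spoofed name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in name if ch.isalpha()}


def triage_zip(data: bytes) -> list[dict]:
    """Return one finding per suspicious member of the ZIP archive in `data`."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            reasons = []
            scripts = scripts_in(name)
            if "LATIN" in scripts and len(scripts) > 1:
                reasons.append("mixed-script name (possible homoglyph spoofing)")
            if any(ord(ch) > 127 for ch in ext):
                reasons.append("non-ASCII character in extension")
            if not info.is_dir():
                with zf.open(info) as member:  # only the magic bytes are read
                    head = member.read(4)
                if head.startswith(b"PK\x03\x04") and ext not in ZIP_BASED_EXTS:
                    reasons.append(f"nested ZIP archive disguised as .{ext}")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed sample: an outer ZIP holding a benign text file plus an inner
    ZIP named 'Report.do' + Cyrillic es (U+0441), which renders as 'Report.doc'."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("placeholder.txt", "constructed stand-in, not a real payload")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "benign attachment")
        z.writestr("Report.do\u0441", inner.getvalue())
    return outer.getvalue()
```

Running `triage_zip(build_sample())` reports only the spoofed member, with all three reasons, while `readme.txt` passes clean.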

CVE-2025-0411 has been addressed in 7-Zip version 24.09, released in November 2024. Since 7-Zip has no automatic update mechanism, each installation must be updated by hand. Users are advised to update to the latest version, enable email filtering to block phishing attempts, and disable the execution of files from untrusted sources.
