Russian SmokeLoader Campaign Exploits 7-Zip Zero-Day in Ukraine Cyberattack

by Javier Moreno - Sports Editor

Zero-Day Vulnerability in 7-Zip Allows Cybercriminals to Bypass Security Measures and Target Ukrainian Institutions

A recently uncovered vulnerability in the widely used 7-Zip archiver is being exploited to target Ukrainian institutions. The flaw, tracked as CVE-2025-0411, lets an attacker bypass Mark-of-the-Web (MotW) protections and so run arbitrary code in the context of the current user once the victim opens the extracted file. It has been actively exploited in spear-phishing campaigns to deliver SmokeLoader, a modular loader used to stage further malware in both espionage and criminal campaigns.

Trend Micro's Zero Day Initiative observed the flaw being exploited in the wild in September 2024 and reported it to Igor Pavlov, the creator of 7-Zip, on October 1, 2024. Pavlov fixed it in version 24.09, released on November 30, 2024. The attacks therefore predate the patch, and because 7-Zip has no automatic update mechanism, installations stay vulnerable until users upgrade manually. Russian cybercrime groups used the exploit against Ukrainian organizations, including the State Executive Service of Ukraine (SES) under the Ministry of Justice.

The Zero Day Initiative (ZDI), which relayed the vulnerability details to Pavlov, highlighted the sophistication of the attacks. The root cause is that 7-Zip, before version 24.09, did not propagate the Mark-of-the-Web to files extracted from an archive nested inside another archive: the outer archive downloaded from the internet carries the mark, but the contents of the inner archive do not. MotW is the Zone.Identifier alternate data stream that Windows attaches to files downloaded from the internet; it is what triggers SmartScreen and Office Protected View, so a file without it opens with no warning. To get victims to open the inner file, the attackers used "homoglyph attacks", substituting visually similar characters (such as Cyrillic letters in place of Latin ones) so that a malicious file name looks like a harmless document.
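The following Python is an added example, not code from the article, from Trend Micro or from 7-Zip. It triages archive member names for the two traits of the lure described above, a non-ASCII or mixed-script file name that imitates a document and an archive nested inside the archive, and includes a helper that reads the Zone.Identifier stream on Windows to confirm whether an extracted file actually carries MotW. The sample member names are constructed for the example, and the function names are my own.

```python
"""Added example, not code from the article, Trend Micro or 7-Zip: triage archive
member names for the lure pattern described above (homoglyph extensions and
nested archives) and check for the Mark-of-the-Web stream on extracted files."""
import os
import unicodedata

# Extensions that mark a member as itself being an archive. Before 7-Zip 24.09,
# files extracted from such an inner archive did not inherit the outer file's MotW.
ARCHIVE_EXTENSIONS = {"7z", "zip", "rar", "tar", "gz", "bz2", "xz", "iso", "cab"}

# Constructed sample member names (not from a real campaign). The Cyrillic letters
# are written as escapes so the substitution is visible: U+043E is Cyrillic 'о',
# U+0441 is Cyrillic 'с'; both render like Latin 'o' and 'c'.
SAMPLE_MEMBERS = [
    "Invoice_2024.doc",            # genuine ASCII name
    "Invoice_2024.d\u043e\u0441",  # looks like .doc, extension is Latin d + Cyrillic о с
    "Inv\u043eice.pdf",            # Cyrillic о hidden inside an otherwise Latin stem
    "Договір.docx",                # all-Cyrillic stem with ASCII extension: normal in Ukraine
    "attachments.7z",              # archive inside the archive
]


def letter_scripts(text):
    """Return the set of scripts used by the letters in text, taken from the first
    word of each character's Unicode name (e.g. 'LATIN', 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def split_name(name):
    """Split 'stem.ext' on the last dot; a name without a dot has an empty extension."""
    stem, dot, ext = name.rpartition(".")
    return (stem, ext) if dot else (name, "")


def analyse_member(name):
    """Return the list of reasons a member name is suspicious (empty if none)."""
    reasons = []
    stem, ext = split_name(name)
    # Real extensions are ASCII; any non-ASCII letter in the extension is a homoglyph lure.
    if ext and not ext.isascii():
        reasons.append("non-ASCII extension (homoglyph lure)")
    # A stem that mixes scripts is suspicious; a stem written entirely in one
    # non-Latin script (a Ukrainian document title) is not.
    if len(letter_scripts(stem)) > 1:
        reasons.append("mixed scripts in stem")
    if ext.lower() in ARCHIVE_EXTENSIONS:
        reasons.append("nested archive (MotW not propagated by 7-Zip before 24.09)")
    return reasons


def triage(members):
    """Map each suspicious member name to its reasons; clean names are omitted."""
    findings = {}
    for name in members:
        reasons = analyse_member(name)
        if reasons:
            findings[name] = reasons
    return findings


def has_mark_of_the_web(path):
    """Windows stores MotW in the Zone.Identifier alternate data stream of an NTFS
    file. Returns True if the stream marks the file as Internet (3) or Restricted
    (4) zone, False if the file has no such stream, and None where alternate data
    streams do not exist (non-Windows), so 'unsupported' is not mistaken for 'unmarked'."""
    if os.name != "nt":
        return None
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as ads:
            content = ads.read()
    except FileNotFoundError:
        return False
    return any(f"ZoneId={zone}" in content for zone in ("3", "4"))


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_MEMBERS).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```

The stem and extension are judged separately on purpose: a Ukrainian office will legitimately have many all-Cyrillic document names with ASCII extensions, so flagging every mixed-script name would bury the lure in false positives. After extracting a suspicious nested archive on a Windows host, `has_mark_of_the_web` on the inner files shows directly whether the installed 7-Zip propagated the mark.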

Key Details of the 7-Zip Exploit:

Aspect             Details
Vulnerability      CVE-2025-0411 (CVSS score: 7.0)
Exploited by       Russian cybercrime groups
Target             Ukrainian institutions, including the State Executive Service of Ukraine
Malware delivered  SmokeLoader
Patch release      7-Zip version 24.09 (November 30, 2024)
Discovery          Trend Micro Zero Day Initiative (exploitation observed September 2024)

The exploitation of this vulnerability underscores a growing trend of merging cyberwarfare and cybercrime, in which state-aligned actors use tools traditionally associated with criminal enterprises. The incident underlines the urgency of timely patching and the difficulty organizations face against increasingly sophisticated attacks.


In an ever-expanding digital battlefield, staying informed and vigilant is crucial. Make sure every 7-Zip installation is on version 24.09 or later; since 7-Zip does not update itself, that means deploying the new version manually or through software management, and until then treating files extracted from nested archives as untrusted.
