Espionage and Cybercrime Campaign Tied to 7-Zip Mark-of-the-Web Bypass Hits

A zero-day vulnerability in a widely used Windows archive utility appears to have been wielded by Russian hackers to exploit multiple Ukrainian institutions.
Researchers at security firm Trend Micro discovered the mark-of-the-web bypass vulnerability in the open source 7-Zip software in September 2024, after probing in-the-wild attacks that attempted to exploit the vulnerability, tracked as CVE-2025-0411.
“This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip,” according to a Jan. 19 security advisory released by Trend Micro’s Zero Day Initiative bug bounty program. “User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.”
Russian threat actors have already used it to target governmental and private sector organizations in Ukraine, most likely for cyberespionage, said Peter Girnus, the senior threat researcher at Trend Micro who discovered the vulnerability.
ZDI relayed the vulnerability information to 7-Zip’s creator and maintainer, Igor Pavlov, on Oct. 1, 2024, and he patched the flaw via the software’s version 24.09 release on Nov. 30, 2024.
Mark-of-the-web, or MOTW, is a protection feature built into Windows, designed to indicate when files come from the internet or any other designated “restricted zones” in Windows. It displays alerts whenever users begin interacting with restricted zone files and deploys additional checks including Microsoft Defender SmartScreen, which can prevent malicious files from executing.
MOTW “poses a barrier to successful phishing attacks because the potential victim is offered the opportunity to deny execution,” said security firm Red Canary. In addition, the feature “supplies SmartScreen with a hook into the registered AV engine, giving it the opportunity to perform additional signature and reputation checks.”
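As an added illustration of what the mark-of-the-web actually is on disk (example code written for this article, not Trend Micro's tooling): Windows records the mark in a Zone.Identifier alternate data stream with INI-style contents, and the script below parses that stream and audits a constructed set of extracted files for ones that did not inherit an internet-zone mark, which is the condition a MOTW bypass produces. The file names, stream contents and host URL are constructed samples.

```python
import configparser
from typing import Dict, List, Optional

# Windows URL security zones as recorded in the stream's ZoneId field;
# 3 (Internet) and 4 (Restricted sites) are the ones that trigger the MOTW
# prompt and the SmartScreen checks.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
RESTRICTED_ZONES = {3, 4}


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the INI-style text of a file's Zone.Identifier alternate data
    stream (on Windows, the contents of "<path>:Zone.Identifier")."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(stream_text)
    if not parser.has_section("ZoneTransfer"):
        raise ValueError("not a Zone.Identifier stream: no [ZoneTransfer]")
    section = parser["ZoneTransfer"]
    zone_id = int(section.get("ZoneId", "0"))
    return {"zone_id": zone_id,
            "zone_name": ZONE_NAMES.get(zone_id, "Unknown"),
            "referrer_url": section.get("ReferrerUrl"),
            "host_url": section.get("HostUrl")}


def has_motw(stream_text: Optional[str]) -> bool:
    """True when the file carries a mark for a restricted (internet) zone."""
    if stream_text is None:  # no stream at all: the mark is simply absent
        return False
    return parse_zone_identifier(stream_text)["zone_id"] in RESTRICTED_ZONES


def find_unmarked(extracted: Dict[str, Optional[str]]) -> List[str]:
    """Given {path: stream text or None} for files extracted from an
    internet-sourced archive, return those that did not inherit the mark."""
    return sorted(p for p, stream in extracted.items() if not has_motw(stream))


# Constructed sample of what an audit of a freshly extracted nested archive
# might see: only report.docx kept the Internet-zone mark; the other two
# would open with no MOTW prompt and no SmartScreen check.
SAMPLE_EXTRACTION = {
    "report.docx": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/inner.zip\r\n",
    "update.js": None,
    "notes.txt": "[ZoneTransfer]\r\nZoneId=0\r\n",
}

if __name__ == "__main__":
    print("files missing mark-of-the-web:", find_unmarked(SAMPLE_EXTRACTION))
```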
SmokeLoader Campaign
The active attacks spotted by the Trend Micro security researchers on Sept. 25, 2024, involved hackers attempting to infect Ukrainian systems with SmokeLoader malware, using legitimate but compromised accounts tied to multiple Ukrainian government agencies and businesses.
Targets included the Zaporizhzhia Automobile Building Plant, one of Ukraine’s largest manufacturers of cars, trucks and buses. The company is located in the Zaporizhzhia Oblast region in southeastern Ukraine, which has been fiercely contested throughout Ukrainian efforts to repel Russian invaders who initiated a war of conquest in February 2022.
Other known targets included government and critical infrastructure entities, such as Ukraine’s Ministry of Justice, Kyiv’s public transportation service as well as water supply company, the Verkhovyna District State Administration, the Zalishchyky City Council, plus an appliance and electronics manufacturer, a regional pharmacy and an insurance firm, Trend Micro said.
SmokeLoader malware has been a favorite of hackers targeting Ukraine. Many different nation-state groups and criminals have used the SmokeLoader family of Trojans, which first appeared in 2011. As the name suggests, attackers often use the software as a loader – or dropper – to install additional malware, and the malicious code has become “notorious for its use of deception and self-protection,” according to Mitre. Other attackers employ SmokeLoader as their primary piece of malware, oftentimes configuring it to download, after infection, a variety of available plug-ins, including for stealing login credentials, autofill data and cookies from browsers, as well as for exfiltrating data.
Russian government hackers remain repeat users of the malware. Last December, Ukraine’s State Service of Special Communications and Information Protection reported that multiple Russian threat groups, including a group tied to Russia’s Federal Security Service, wielded SmokeLoader in numerous 2024 campaigns, many of which focused on financial theft from Ukrainian institutions.
The Ukraine-targeting campaign also employed a homoglyph attack, meaning the use of nearly identical characters to fool users. As a general example, attackers could send an email with a link in which they’ve replaced the letter “O” with zero – so that instead of MICROSOFT.com, they would see MICROS0FT.com, which might trick someone into clicking on the malicious link.
“In the samples we uncovered as part of the SmokeLoader campaign, the inner ZIP archive deployed a homoglyph attack to spoof a Microsoft Windows document (.doc) file,” by using the Cyrillic character “Es” to make an archive file appear to instead be a Word document, Trend Micro’s Girnus said.
“This strategy effectively misleads users into inadvertently triggering the exploit for CVE-2025-0411, resulting in the contents of the archive being released without MOTW protections,” after which the attack chain involves executing JavaScript files designed to grab users’ credentials, he said.
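As an added illustration of the homoglyph trick described above (example code written for this article, not Trend Micro's tooling): a filename check that locates Cyrillic lookalike letters, such as the Cyrillic “es” (U+0441) standing in for a Latin “c”, and flags names whose extension reads differently from the extension the OS will actually act on. The lookalike table is a hand-picked subset of Unicode's confusables list and the sample filenames are constructed.

```python
import unicodedata
from typing import List, Tuple

# Cyrillic lowercase letters that render like Latin ones (a hand-picked subset
# of the Unicode confusables list), mapped to the Latin letter a reader sees.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
}


def script_of(ch: str) -> str:
    """Script family taken from the character's Unicode name (LATIN, CYRILLIC,
    ...); digits and punctuation are reported as COMMON."""
    if not ch.isalpha():
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def find_lookalikes(name: str) -> List[Tuple[int, str, str]]:
    """(index, character, Unicode name) for every Cyrillic lookalike in name."""
    return [(i, ch, unicodedata.name(ch))
            for i, ch in enumerate(name) if ch in CYRILLIC_LOOKALIKES]


def perceived_name(name: str) -> str:
    """The name as a reader would transcribe it, lookalikes replaced by Latin."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in name)


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def is_spoofed_filename(name: str) -> bool:
    """True when the extension a user reads is not the extension the OS will
    act on, or when the extension itself mixes scripts. The stem is left
    alone: a Cyrillic document name with a Latin extension is normal."""
    ext = _extension(name)
    scripts = {script_of(ch) for ch in ext} - {"COMMON"}
    return len(scripts) > 1 or ext != _extension(perceived_name(name))


# Constructed samples: an ordinary document name, and the same name with the
# Cyrillic es (U+0441) in place of the Latin c of ".doc", as in the campaign.
SAMPLE_NAMES = ["Invoice.doc", "Invoice.do\u0441"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), "spoofed" if is_spoofed_filename(n) else "ok",
              find_lookalikes(n))
```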
This isn’t the first time researchers have unearthed flaws in 7-Zip. Last November, security researchers detailed a user data-validation shortcoming in the software, assigned CVE-2024-11477, which attackers could exploit through a specially crafted archive to run arbitrary code on vulnerable installations of 7-Zip. At the time, researchers reported seeing no active, in-the-wild exploits of the flaw.
“Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation,” said the Zero Day Initiative, which coordinated the fix.