Russian Hackers Exploit Zero-Day Attacks Against Ukraine
A critical vulnerability in the popular file archiving software 7-Zip has been exploited by Russian threat actors in zero-day attacks targeting Ukraine since September 2024. This flaw, identified as CVE-2025-0411, enables attackers to bypass the Mark of the Web (MoTW) Windows security feature, allowing malicious files to execute without user warnings. Trend Micro researchers have linked this exploitation to campaigns distributing the SmokeLoader malware, primarily affecting Ukrainian government institutions and private sector organizations.
Understanding the Mark of the Web (MoTW)
The Mark of the Web (MoTW) is a vital Windows security mechanism designed to protect users from executing potentially harmful files originating from untrusted sources. When files are downloaded from the internet or received as email attachments, Windows appends a special 'Zone.Identifier' alternate data stream - the MoTW - to the file. This tag prompts additional warnings when the user attempts to open the file, providing a layer of defense against malware.
For example, when opening documents in Microsoft Word or Excel with an MoTW flag, users receive security alerts, and macros are disabled by default. This feature plays a crucial role in preventing malicious scripts from running automatically, thus mitigating the risk of phishing and malware attacks.
The Vulnerability: CVE-2025-0411
Trend Micro's Zero Day Initiative (ZDI) first discovered CVE-2025-0411 on September 25, 2024, during investigations into cyberattacks against Ukrainian entities. The flaw lies in 7-Zip's handling of double-archived files, where an archive is nested within another archive. Due to improper inheritance of the MoTW flag, the inner files escape the security check, allowing malicious content to execute without triggering any warnings.
This oversight is particularly dangerous because it undermines the trust users place in Windows security prompts. Attackers exploit this flaw to deliver malware seamlessly, bypassing both human vigilance and automated security filters.
Attack Techniques and Impact
The Russian threat actors behind these attacks employed sophisticated phishing campaigns to distribute the malicious 7-Zip archives. They compromised legitimate Ukrainian government email accounts to send phishing emails, increasing the likelihood that recipients would trust and open the attachments.
The phishing emails contained double-archived 7-Zip files designed to look like harmless documents, such as Word or PDF files. The attackers used homoglyph techniques - replacing characters with visually similar ones - to disguise the payloads effectively. While the parent archive retained the MoTW flag, the inner archive did not, due to the CVE-2025-0411 vulnerability. This allowed malicious scripts and executables to launch without any security warnings.
Upon execution, these scripts deployed SmokeLoader, a versatile malware dropper known for installing additional payloads like info-stealers, trojans, ransomware, and backdoors. This enabled persistent access to compromised systems, facilitating data theft and further cyber-espionage activities.
Affected Organizations
The attacks had a broad impact, compromising multiple high-profile Ukrainian organizations, including:
- State Executive Service of Ukraine (SES) - Ministry of Justice
- Zaporizhzhia Automobile Building Plant (PrJSC ZAZ) - Manufacturer of automobiles, buses, and trucks
- Kyivpastrans - Kyiv Public Transportation Service
- SEA Company - Manufacturer of appliances, electrical equipment, and electronics
- Verkhovyna District State Administration - Ivano-Frankivsk oblast administration
- VUSA - Insurance company
- Dnipro City Regional Pharmacy - Regional pharmacy
- Kyivvodokanal - Kyiv Water Supply Company
- Zalishchyky City Council - Local government council
These breaches compromised sensitive government data and disrupted critical infrastructure, highlighting the severe consequences of such vulnerabilities.
The Road to a Patch
Despite being exploited since September, the vulnerability was not disclosed publicly until Trend Micro shared a working proof-of-concept (PoC) exploit with 7-Zip developers on October 1, 2024. Recognizing the gravity of the situation, the developers released a security patch in version 24.09 on November 30, 2024.
However, 7-Zip does not feature an auto-update mechanism, meaning many users may still be operating outdated versions susceptible to CVE-2025-0411. This poses an ongoing risk, as unpatched systems remain vulnerable to exploitation.
Mitigation and Recommendations
To mitigate the risks associated with this vulnerability, users and organizations are strongly advised to:
- Update 7-Zip Immediately: Download and install version 24.09 or later from the official 7-Zip website to ensure the vulnerability is patched.
- Verify File Integrity: Avoid opening archives from unknown or untrusted sources, even if they appear to come from legitimate contacts.
- Enhance Email Security: Implement advanced phishing detection mechanisms and train employees to recognize suspicious emails.
- Use Robust Endpoint Protection: Deploy comprehensive endpoint security solutions capable of detecting and blocking malicious behaviors, even if files bypass initial security checks.
- Apply the Principle of Least Privilege: Restrict user permissions to minimize the impact of malware that manages to execute.
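An added Python example (not from the article, Trend Micro, or the 7-Zip project) that ties the MoTW description above to the mitigation list: it parses the Zone.Identifier stream Windows writes, flags files extracted from a marked archive that carry no mark (the inheritance gap the article describes for nested archives), and checks an installed 7-Zip version string against the patched release 24.09. The sample stream, URLs and file names are constructed; `read_motw` only returns data on NTFS.

```python
"""Defender-side helpers for the 7-Zip MoTW inheritance issue (CVE-2025-0411)."""
from typing import Optional

PATCHED_VERSION = (24, 9)   # 7-Zip 24.09, the release the article names as fixed
URLZONE_INTERNET = 3        # ZoneId value Windows writes for the Internet zone

# Constructed sample: what a Zone.Identifier stream looks like on a downloaded file.
SAMPLE_MOTW = ("[ZoneTransfer]\r\nZoneId=3\r\n"
               "ReferrerUrl=https://example.invalid/\r\n"
               "HostUrl=https://example.invalid/report.7z\r\n")


def parse_zone_identifier(stream: str) -> dict:
    """Parse the INI-like [ZoneTransfer] block into a dict of its key/value pairs."""
    fields, in_section = {}, False
    for raw in stream.splitlines():
        line = raw.strip()
        if line.lower() == "[zonetransfer]":
            in_section = True
            continue
        if not in_section or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def read_motw(path: str) -> Optional[dict]:
    """Read a file's Zone.Identifier alternate data stream; None if it is absent."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8") as f:
            return parse_zone_identifier(f.read())
    except OSError:          # no stream, non-NTFS volume, or missing file
        return None


def unmarked_children(parent_stream: Optional[str], children: dict) -> list:
    """Names of extracted files that lost the mark the parent archive carried.

    children maps file name -> its Zone.Identifier text (None when missing).
    Only an untrusted parent zone (ZoneId >= 3) should propagate to children.
    """
    if parent_stream is None:
        return []
    parent = parse_zone_identifier(parent_stream)
    if int(parent.get("ZoneId", "0")) < URLZONE_INTERNET:
        return []
    return [name for name, stream in children.items()
            if stream is None or "ZoneId" not in parse_zone_identifier(stream)]


def is_patched(version: str) -> bool:
    """True when a '7-Zip 24.09' or '24.09' style version string is >= 24.09."""
    try:
        major, minor = version.strip().split()[-1].split(".", 1)
        return (int(major), int(minor)) >= PATCHED_VERSION
    except ValueError:
        return False
```

Any name returned by `unmarked_children` after extracting an Internet-zone archive is a candidate for re-marking or quarantine before it is opened.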
Conclusion
The exploitation of CVE-2025-0411 underscores the evolving sophistication of cyber threats and the critical importance of timely software updates. As attackers continue to identify and exploit security gaps, organizations must remain vigilant, adopting proactive security measures to defend against emerging threats.
This incident also highlights the necessity for software developers to prioritize security features, such as MoTW support, during development. A delay in implementing these safeguards can have far-reaching consequences, as demonstrated by the attacks against Ukraine.
In the broader context of cybersecurity, this case serves as a stark reminder of the interconnected nature of digital ecosystems. A vulnerability in a widely used utility like 7-Zip can ripple across sectors, affecting government agencies, private companies, and critical infrastructure alike. Continuous monitoring, prompt patching, and a culture of security awareness are essential pillars in the fight against cybercrime.
About the Creator
WIRE TOR - Ethical Hacking Services
WIRE TOR is a Cyber Intelligence Company that Provides Pentest & Cybersecurity News About IT, Web, Mobile (iOS, Android), API, Cloud, IoT, Network, Application, System, Red teaming, Social Engineering, Wireless, And Source Code.