Russian Hackers Exploit 7-Zip Zero-Day to Target Ukraine
Russian threat actors have been caught exploiting a zero-day vulnerability in 7-Zip, using it to infiltrate Ukrainian government entities. The flaw, tracked as CVE-2025-0411, allowed attackers to bypass Windows' Mark-of-the-Web (MoTW) protection, helping them deliver malicious payloads undetected.
The 7-Zip Zero-Day and Its Exploitation
The vulnerability, rated CVSS 7.0, was first seen in September 2024 and remained unpatched until 7-Zip version 24.09 shipped in November 2024. It stemmed from a flaw in how 7-Zip propagated MoTW to files extracted from nested archives.
MoTW is a Windows mechanism that tags files downloaded from the internet (in a Zone.Identifier alternate data stream) so that SmartScreen, Office Protected View and similar controls treat them as untrusted. 7-Zip already copied the mark from a downloaded archive to the files it extracted, but it did not carry the mark through to the contents of an archive nested inside that archive. Attackers therefore wrapped a malicious archive inside a second archive: once the victim opened the inner archive and ran the file it contained, the payload executed without the warnings the mark would otherwise have triggered.
SmokeLoader Campaign Targets Ukrainian Entities
Security researchers at Trend Micro confirmed that Russian-aligned cybercriminals exploited CVE-2025-0411 in a campaign deploying SmokeLoader, a widely used malware loader that stages additional payloads on infected hosts.
The attackers sent booby-trapped email attachments containing malicious archives to Ukrainian government agencies and businesses. These emails originated from previously compromised Ukrainian accounts, including those from the State Executive Service of Ukraine (SES), a branch of the Ukrainian Ministry of Justice.
To make the lure more convincing, the attackers used a homoglyph attack, replacing a character with a visually identical one from another alphabet. Here the Latin "c" in the inner archive's ".doc" extension was swapped for the Cyrillic letter Es (С), so the inner archive, itself an archive and not a document, looked like a Word file in the 7-Zip listing. 7-Zip identifies archives by their content rather than their extension, so the disguised file still opened as an archive, and a victim who extracted and ran its contents triggered the exploit without any warning.
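The two tricks described above, double-archiving and a homoglyph extension, can be checked for at a mail gateway or during triage. The following is an added example written for this article, not code from Trend Micro or the 7-Zip project: it builds a constructed sample (an outer ZIP holding an inner ZIP whose name ends in ".doс" with a Cyrillic es, which in turn holds a placeholder "loader.exe" that is not malware), then walks the outer archive, recognising nested archives by their signature bytes the way 7-Zip does rather than trusting extensions, and flags extensions that mix scripts or that fold to a document extension once Cyrillic look-alikes are mapped back to Latin. The confusable table is a small hand-picked subset, not the full Unicode confusables list; only ZIP members are recursed into because that is what the standard library can open.

```python
import io
import unicodedata
import zipfile

# Signatures 7-Zip recognises by content, whatever the extension says.
# Only ZIP members are recursed into (stdlib); 7z/RAR are flagged but not opened.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}
DOC_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "rtf", "txt"}
EXEC_EXTS = {"exe", "dll", "scr", "js", "vbs", "bat", "cmd", "ps1", "lnk", "hta"}
# Hand-picked Cyrillic letters that render like Latin ones (assumption: a subset).
CONFUSABLES = str.maketrans({
    "\u0421": "C", "\u0441": "c",   # Es, the letter used in this campaign
    "\u041e": "O", "\u043e": "o",
    "\u0410": "A", "\u0430": "a",
    "\u0415": "E", "\u0435": "e",
    "\u0420": "P", "\u0440": "p",
    "\u0425": "X", "\u0445": "x",
    "\u0423": "Y", "\u0443": "y",
    "\u0406": "I", "\u0456": "i",
})
MAX_DEPTH = 3  # guard against archive-in-archive recursion bombs

# Constructed sample name: "Документи" + ".do" + Cyrillic small es (U+0441).
SAMPLE_INNER_NAME = "Документи.do\u0441"


def extension(name: str) -> str:
    """Final extension of a ZIP member name (members use '/' separators)."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1] if "." in base else ""


def scripts_in(text: str) -> set:
    """Unicode scripts of the letters in text, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c, "OTHER").split(" ")[0] for c in text if c.isalpha()}


def is_homoglyph_extension(name: str) -> bool:
    """Flag an extension that mixes scripts, or that becomes a document
    extension once Cyrillic look-alikes are folded to Latin ('doс' -> 'doc')."""
    ext = extension(name)
    folded = ext.translate(CONFUSABLES)
    mixed = len(scripts_in(ext)) > 1
    mimics_doc = folded != ext and folded.lower() in DOC_EXTS
    return mixed or mimics_doc


def archive_kind(blob: bytes):
    """Identify an archive by leading bytes, ignoring the file name entirely."""
    for magic, kind in ARCHIVE_MAGIC.items():
        if blob.startswith(magic):
            return kind
    return None


def scan_archive(data: bytes, prefix: str = "", depth: int = 0, findings=None) -> list:
    """Walk a ZIP, recursing into ZIP members, and return (finding, member) tuples
    for homoglyph extensions, nested archives and executable payloads."""
    if findings is None:
        findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{prefix}/{info.filename}" if prefix else info.filename
            blob = zf.read(info)
            if is_homoglyph_extension(info.filename):
                findings.append(("homoglyph-extension", member))
            kind = archive_kind(blob)
            if kind:
                findings.append((f"nested-{kind}", member))
                if kind == "zip" and depth < MAX_DEPTH:
                    scan_archive(blob, member, depth + 1, findings)
            elif extension(info.filename).lower() in EXEC_EXTS:
                findings.append(("executable-payload", member))
    return findings


def build_sample() -> bytes:
    """Constructed double archive mirroring the campaign's layout (not a real sample):
    outer ZIP -> inner ZIP named like a .doc -> placeholder 'loader.exe'."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("loader.exe", b"MZ" + b"\x00" * 62)  # inert placeholder bytes
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(SAMPLE_INNER_NAME, inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding, member in scan_archive(build_sample()):
        print(f"{finding:22} {member}")
```

Against the constructed sample the scanner reports a homoglyph extension and a nested ZIP for the inner member, then an executable payload inside it. A filename such as "Документи.docx", Cyrillic name with a Latin extension, is not flagged, which keeps the check usable on Ukrainian-language mail.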
Who Was Targeted?
Trend Micro’s investigation identified multiple Ukrainian organizations targeted in this attack, including:
- SES (State Executive Service of Ukraine)
- PrJSC ZAZ (Zaporizhzhia automobile plant)
- Kyivpastrans (Kyiv’s public transport service)
- Kyivvodokanal (Kyiv’s water supply service)
- SEA (electronics manufacturer)
- Verkhovyna district state administration
- VUSA (insurance company)
- Dnipro regional pharmacy
- Zalishchyky city council
Researchers believe this list is not exhaustive, and that many more organizations may have been targeted. The attackers focused on smaller government bodies, which often have weaker cybersecurity defenses. These compromised entities could then be used as stepping stones to infiltrate larger government networks.
Defensive Measures and Patching
Organizations using 7-Zip should update to version 24.09 or later; 7-Zip has no automatic update mechanism, so the new build has to be deployed deliberately. Files already extracted by an older version will not carry the mark, so anything pulled out of a nested archive before patching should be treated as untrusted. Users should also remain cautious with archived email attachments, including those from known senders, since this campaign sent its lures from compromised Ukrainian accounts, and mail gateways can flag archives that contain another archive or filenames whose extensions mix Latin and Cyrillic letters.
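Two checks a defender can run after patching: confirm the installed 7-Zip version is at or above 24.09, and audit an extraction directory for files that lack a Zone.Identifier stream. The block below is an added example for this article, not code from 7-Zip or Trend Micro. It reads the mark through the NTFS alternate-data-stream path syntax (`file:Zone.Identifier`), which only works on Windows/NTFS; on other systems the read simply reports the mark as absent and the write is a no-op. The Zone.Identifier text format ([ZoneTransfer] with ZoneId=3 for the Internet zone) is the one Windows itself writes; the sample files and the example.invalid URL are constructed.

```python
import os
import tempfile
from typing import Optional

ZONE_STREAM = ":Zone.Identifier"   # NTFS alternate data stream that holds the mark
PATCHED_VERSION = (24, 9)          # 7-Zip 24.09 is the first release with the fix


def zone_identifier_text(zone_id: int = 3, referrer: str = "", host: str = "") -> str:
    """Render a Zone.Identifier stream body. ZoneId 3 = Internet zone."""
    lines = ["[ZoneTransfer]", f"ZoneId={zone_id}"]
    if referrer:
        lines.append(f"ReferrerUrl={referrer}")
    if host:
        lines.append(f"HostUrl={host}")
    return "\r\n".join(lines) + "\r\n"


def parse_zone_id(text: str) -> Optional[int]:
    """Extract ZoneId from stream text; None if the key is missing."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "zoneid" and value.strip().isdigit():
            return int(value.strip())
    return None


def read_zone_id(path: str) -> Optional[int]:
    """ZoneId from a file's Zone.Identifier stream, or None when no mark is present
    (never tagged, or the filesystem has no alternate data streams)."""
    try:
        with open(path + ZONE_STREAM, "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_id(f.read())
    except OSError:
        return None


def untagged_files(root: str) -> list:
    """Walk an extraction directory and list files carrying no Mark-of-the-Web."""
    missing = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if read_zone_id(path) is None:
                missing.append(path)
    return sorted(missing)


def tag_internet_zone(path: str, host: str = "") -> bool:
    """Re-apply ZoneId=3 to a file (Windows/NTFS only; returns False elsewhere,
    where the path syntax would create an ordinary file instead of a stream)."""
    if os.name != "nt":
        return False
    with open(path + ZONE_STREAM, "w", encoding="utf-8", newline="") as f:
        f.write(zone_identifier_text(3, host=host))
    return True


def version_is_patched(version: str) -> bool:
    """Compare a 7-Zip version string such as '24.09' against the fixed release."""
    parts = tuple(int(p) for p in version.strip().split(".")[:2])
    return parts >= PATCHED_VERSION


def audit_sample() -> list:
    """Constructed sample: two freshly written files (no stream) in a temp dir;
    returns the basenames the audit reports as unmarked."""
    root = tempfile.mkdtemp()
    for name in ("readme.txt", "loader.exe"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"sample")
    return [os.path.basename(p) for p in untagged_files(root)]


if __name__ == "__main__":
    print("24.08 patched:", version_is_patched("24.08"))
    print("24.09 patched:", version_is_patched("24.09"))
    print("unmarked in sample dir:", audit_sample())
```

On a patched Windows host, files extracted from a downloaded outer archive and from any archive nested inside it should all report ZoneId 3; a directory that mixes marked and unmarked files extracted from the same download is the symptom this vulnerability produced.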
Ukraine remains a prime target for Russian cyberattacks, and exploiting software vulnerabilities remains a key tactic in cyberwarfare. As attackers continue refining their techniques, vigilance and rapid patching are critical in mitigating future threats.