A security vulnerability in the 7-Zip archiver tool, identified as CVE-2025-0411, was actively exploited to deliver SmokeLoader malware. The flaw allowed attackers to bypass Windows’ Mark-of-the-Web (MotW) protections, enabling the execution of malicious code without security warnings. The vulnerability was patched in November 2024 with version 24.09 of 7-Zip, but before that, Russian cybercriminal groups had already weaponized it in phishing campaigns. They leveraged homoglyph attacks to disguise malicious ZIP files as Microsoft Word documents, deceiving users and the Windows operating system into executing them.
This attack method involved double archiving, where a malicious payload was concealed within nested ZIP files to evade detection. Since earlier versions of 7-Zip failed to propagate MotW protections to encapsulated files, Windows’ security mechanisms did not recognize the threat. Once the deceptive ZIP file was opened, it executed an internet shortcut (.URL) file, directing victims to an attacker-controlled server.
This server then delivered another ZIP file containing the SmokeLoader malware, which was disguised as a PDF document to further trick the target.
The phishing emails used in these attacks were sent from compromised email accounts linked to Ukrainian government bodies and businesses, making them appear legitimate. These messages were primarily directed at local government agencies, municipal organizations, and businesses, indicating that attackers had prior access to compromised credentials. Once the malware was installed, it provided attackers with unauthorized access to infected systems, enabling further espionage and cyber operations. Given the geopolitical context, researchers suspect this campaign was part of a larger cyberwarfare effort targeting Ukraine amid ongoing tensions.
At least nine Ukrainian government entities, including the Ministry of Justice, Kyiv Public Transportation Service, and Kyiv Water Supply Company, were affected by this campaign. Security experts recommend updating 7-Zip to the latest version, implementing stronger email filtering mechanisms, and disabling the execution of files from untrusted sources to mitigate such attacks. The incident highlights how smaller government organizations, often lacking advanced cybersecurity defenses, can be targeted as entry points for broader attacks against larger institutions.