A new report from the Zero Day Initiative (ZDI) Threat Hunting team reveals that Ukrainian organizations have been targeted in a series of attacks exploiting a zero-day vulnerability in the popular 7-Zip file archiver.
The vulnerability, tracked as CVE-2025-0411, allows attackers to bypass Windows Mark-of-the-Web (MOTW) protections, which are designed to prevent the execution of malicious files downloaded from the internet.
The ZDI report states that the vulnerability was actively exploited by Russian cybercrime groups through spear-phishing campaigns. These campaigns used homoglyph attacks, which involve substituting similar-looking characters from different alphabets to spoof legitimate file names and extensions.
“The attackers designed an inner archive mimicking a.doc file,” the report explains. “This strategy effectively misleads users into inadvertently triggering the exploit for CVE-2025-0411, resulting in the contents of the archive being released without MOTW protections.”
By exploiting this vulnerability, attackers could deliver malware to unsuspecting victims without triggering Windows Defender SmartScreen warnings. This technique was instrumental in the deployment of
By exploiting this vulnerability, attackers could deliver malware to unsuspecting victims without triggering Windows Defender SmartScreen warnings. This technique was instrumental in the deployment of SmokeLoader, a modular malware loader used for installing additional payloads, including ransomware and credential stealers.
The ZDI report provides a detailed analysis of the CVE-2025-0411 vulnerability and the associated attacks. It also includes recommendations for organizations to protect themselves from these threats, such as updating 7-Zip to the latest version, implementing strict email security measures, and conducting employee training on phishing and homoglyph attacks.
The investigation suggests that multiple government agencies and businesses in Ukraine were targeted, including:
- State Executive Service of Ukraine (SES) – Ministry of Justice
- Zaporizhzhia Automobile Building Plant (PrJSC ZAZ) – Vehicle manufacturer
- Kyivpastrans – Kyiv Public Transportation Service
- Kyivvodokanal – Kyiv Water Supply Company
- Verkhovyna District State Administration – Local government
- SEA Company – Electronics manufacturer
- VUSA – Insurance firm
- Dnipro City Regional Pharmacy – Healthcare sector
The ZDI team noted that smaller municipal organizations were among the primary targets. These entities often lack the cybersecurity resources of larger government agencies, making them valuable entry points for attackers looking to escalate their access within Ukrainian infrastructure.
Organizations and and individuals should take the necessary steps to protect themselves from zero-day exploits and other sophisticated attacks.
Related Posts:
- CVE-2024-29988: ‘In-the-Wild’ Flaw Among Microsoft’s April 2024 Patch Tuesday
- ZDI Details Copy2Pwn: Zero-Day CVE-2024-38213 Evades Windows Security Measures
- CVE-2022-2560: CompleteFTP Directory Traversal Arbitrary File Deletion Flaw
- Hard-Coded Credentials (CVE-2024-23473), RCE (CVE-2024-28075) Flaws Patched in SolarWinds ARM
