Russian cybercrime groups exploit 7-Zip flaw to bypass Windows MotW protections.

Feb 04, 2025 | Ravie Lakshmanan | Vulnerability / Cyber Espionage

A recently patched security flaw in the 7-Zip archiver tool has been exploited in the wild to deliver malware.

The flaw, CVE-2025-0411 (CVSS score: 7.0), allows remote attackers to bypass mark-of-the-web (MotW) protections and execute arbitrary code in the context of the current user. 7-Zip addressed it in November 2024 with version 24.09.

According to Trend Micro security researcher Peter Girnus, "the vulnerability was actively exploited by Russian cybercrime groups through spear-phishing campaigns, using homoglyph attacks to spoof document extensions and trick users and the Windows operating system into executing malicious files."

CVE-2025-0411 is believed to have been used to target governmental and non-governmental organizations in Ukraine as part of a cyber espionage campaign set against the backdrop of the ongoing Russo-Ukrainian conflict.

MotW is a security feature that Microsoft added to Windows to prevent it from automatically running files downloaded from the internet without first subjecting them to additional checks by Microsoft Defender SmartScreen.

CVE-2025-0411 bypasses MotW by double-archiving content with 7-Zip, i.e., creating an archive and then an archive of that archive, to hide the malicious payloads.

"The root cause of CVE-2025-0411 is that prior to version 24.09, 7-Zip did not properly propagate MotW protections to the content of double-encapsulated archives," Girnus explained. This makes it possible for threat actors to create archives containing malicious scripts or executables that will not receive MotW protections, leaving Windows users vulnerable to attacks.

Attacks exploiting the flaw as a zero-day were first detected in the wild on September 25, 2024, with the infection chains leading to SmokeLoader, a loader malware that has been repeatedly used to target Ukraine.

The starting point is a phishing email containing a specially crafted archive file, which in turn uses a homoglyph attack to pass off the inner ZIP archive as a Microsoft Word document file, effectively triggering the vulnerability.

According to Trend Micro, the phishing emails were sent to both municipal organizations and businesses from email addresses linked to Ukrainian government bodies and business accounts, suggesting prior compromise of those accounts.

Girnus noted that the use of these compromised email accounts "gives the emails sent to targets an air of authenticity," thus manipulating potential victims into trusting the content and its senders.

This approach results in the execution of an internet shortcut (.URL) file that points to another ZIP file hosted on attacker-controlled infrastructure. The newly downloaded ZIP contains the SmokeLoader executable, disguised as a PDF document.
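As an added illustration, not from the article or from Trend Micro, the following Python triage check mirrors the infection chain described above and the root-cause paragraph: it walks a ZIP, flags entry names that mix Latin letters with another script (the homoglyph extension spoof), identifies nested archives by their magic bytes rather than by name, descends into inner ZIPs, whose contents are exactly what 7-Zip before 24.09 left without MotW, and flags embedded .URL shortcuts. The sample archive, file names and URL are constructed, and the outer archive is simplified to ZIP so the script runs with the standard library only.

```python
import io
import unicodedata
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"

def script_of(ch):
    """Rough script label taken from the Unicode name: 'LATIN', 'CYRILLIC', ..."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def has_mixed_script(name):
    """Latin letters mixed with another script: the shape a homoglyph-spoofed
    extension such as '.doc' written with a Cyrillic 'c' produces."""
    scripts = {script_of(c) for c in name} - {None}
    return "LATIN" in scripts and len(scripts) > 1

def inspect_archive(data, depth=0, max_depth=3):
    """Return (entry name, reason) findings for an in-memory ZIP, descending into
    inner ZIPs because that is where MotW was not propagated before 7-Zip 24.09."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name, blob = info.filename, zf.read(info)
            if has_mixed_script(name):
                findings.append((name, "mixed-script (homoglyph) filename"))
            if name.lower().endswith(".url"):
                findings.append((name, "internet shortcut inside archive"))
            if blob.startswith((ZIP_MAGIC, SEVENZ_MAGIC)):  # by content, as 7-Zip does
                findings.append((name, f"nested archive at depth {depth + 1}"))
                if blob.startswith(ZIP_MAGIC) and depth + 1 < max_depth:
                    findings.extend(inspect_archive(blob, depth + 1, max_depth))
    return findings

def build_zip(entries):
    """Build a ZIP in memory from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()

# Constructed sample: outer archive -> inner ZIP whose name ends in ".do\u0441"
# (Cyrillic es, U+0441) so it displays as "invoice.doc" -> .URL shortcut inside.
INNER = build_zip({"invoice.url": b"[InternetShortcut]\nURL=http://example.invalid/stage2.zip\n"})
OUTER = build_zip({"invoice.do\u0441": INNER})
```

Calling `inspect_archive(OUTER)` returns three findings for the constructed sample: the homoglyph name, the nested archive, and the .URL shortcut inside it.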

At least nine Ukrainian government entities and other organizations have been assessed as impacted by the campaign, among them the Ministry of Justice, the Kyiv Public Transportation Service, the Kyiv Water Supply Company, and the City Council.

In light of the active exploitation of CVE-2025-0411, users are advised to update their installations to the latest version, implement email filtering to block phishing attempts, and disable the execution of files from untrusted sources.

According to Girnus, one of the interesting things learned from the campaign is that smaller local government organizations were among those targeted and affected.

These organizations lack the resources for the comprehensive cyber strategy that larger government organizations have, are frequently under intense cyber pressure, and are often overlooked, under-informed, and under-prepared. They can serve as important pivot points for threat actors seeking to reach larger government organizations.
