February 6, 2025
Severity
High
Analysis Summary
A recently discovered vulnerability in the 7-Zip archiver tool, CVE-2025-0411, has been exploited by cybercriminal groups to distribute SmokeLoader malware. The flaw, which has a CVSS score of 7.0, allows attackers to bypass Microsoft's mark-of-the-web (MotW) protections, enabling the execution of arbitrary code within the context of the current user.
According to the researchers, this vulnerability was actively weaponized in spear-phishing campaigns, primarily targeting Ukrainian government and non-government organizations amid the ongoing Russo-Ukrainian conflict. The flaw was addressed by 7-Zip in November 2024 with version 24.09, which correctly propagates MotW protections to content within double-encapsulated archives.
The attack exploits the MotW feature, a Windows security measure that marks files downloaded from the internet as untrusted to prevent automatic execution. CVE-2025-0411 bypasses this by embedding a malicious archive within another archive, causing Windows to miss the necessary security checks. This allows threat actors to craft archives containing harmful scripts or executables that evade MotW protections, leaving users vulnerable to attack. The flaw was first exploited on September 25, 2024, in attacks that used SmokeLoader, a loader malware frequently used against Ukraine. These attacks employed phishing emails containing specially crafted archive files designed to appear as Microsoft Word documents, leading to the exploitation of the vulnerability.
Once the victim opens the malicious archive, a homoglyph attack is used to disguise a ZIP file as a Microsoft Word document, triggering the vulnerability. The ZIP file then contains an internet shortcut that connects to a remote server hosting another ZIP file containing the SmokeLoader executable disguised as a PDF. The SmokeLoader malware enables further exploitation, including downloading additional malicious payloads. At least nine Ukrainian government entities, such as the Ministry of Justice and Kyiv Public Transportation Service, have been impacted by this campaign. The use of compromised email accounts adds authenticity to the phishing attempts, making them more convincing and harder to detect.
In addition to the ongoing exploitation of CVE-2025-0411, UAC-0006, a financially motivated threat actor, has also been attributed to a phishing campaign dubbed "GetSmoked." This campaign, observed between October 2024 and January 2025, involved the use of ZIP attachments in emails to distribute SmokeLoader. The attack chain typically involves launching JavaScript or Windows shortcut files that trigger PowerShell scripts, which in turn download and execute the malware while showing a decoy PDF document. According to the researchers, the overlap in tactics, techniques, and procedures (TTPs) between UAC-0006 and the Russian APT group FIN7 further indicates ties to Russian cyber activities. Users are urged to update 7-Zip, implement email filtering, and disable the execution of files from untrusted sources to mitigate the risk of this ongoing threat.
Impact
- Code Execution
- Security Bypass
Indicators of Compromise
Domain Name
- johnfabiconinteraption.ru
- storeagroculturnaya.ru
- alfacentarusmulticopter.ru
- goodmastersportunicum.ru
- ukr-netfilediscdownloadapplication.ru
IP
- 185.156.72.78
MD5
- a5c0541a087cdd75e0065eac3cd14a06
- f68acb34a6164d572fd9fae12223c66d
- 0851f82500aafa5e21153d8259ff9335
- 4f6cb09e56494f178fd06ee05c3880ac
- 14b3fe437467996209704e6ebaac0f0a
SHA-256
- 554d9ddd6fd1ccb15d7686c8badb8653323c71884c7f20efb19b56324ff34fc1
- 2e33c2010f95cbda8bf0817f1b5c69b51c860c536064182b67261f695f54e1d5
- 888f68917f9250a0936fd66ea46b6c510d0f6a0ca351ee62774dd14268fe5420
- 5c7d582ba61ac95fb0d330ecc05feeb4853ac1de1f5a6fd12df6491dd0b7ea34
- cd123c288f623878218be31125000441bb8c5447375af67bc3c1d27d16eb5f8c
SHA-1
- 88a82a543e93a50ef5acc9924844c0ce46dc183b
- 911e0a5ecec7b40883adc6e86383992e043df912
- b8fdc00914943d0aaea0f5ca297f7c51c8c96ab9
- 45810dc8fa00d54a302d8ea5a7563a21c93c94f4
- 76352226e921e8cf57746c551735cd913c3e45c8
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls.
- Ensure that 7-Zip is updated to the latest version (24.09 or higher), which addresses the CVE-2025-0411 vulnerability and correctly propagates MotW protections to double-encapsulated archives.
- Apply any available security patches for the operating system and other software to mitigate potential vulnerabilities that could be exploited by similar attacks.
- Implement robust email filtering to block phishing emails, especially those containing ZIP files or other malicious attachments. Use advanced security tools to detect homoglyph attacks and spoofed email addresses.
- Configure security settings to block the execution of files from untrusted sources, particularly those downloaded from email attachments or the internet.
- Deploy endpoint detection and response (EDR) solutions to scan for suspicious behaviors, such as PowerShell scripts or the execution of internet shortcut files.
- Look for signs of SmokeLoader infections, such as unusual PowerShell activity, network traffic to suspicious servers, or the presence of disguised executables (e.g., an executable masquerading as a PDF file).
- Monitor systems for double-encapsulated archives (archive within an archive) that could bypass MotW protections. Use automated tools to flag such patterns.
- Analyze outbound network traffic for any suspicious connections to external servers hosting malicious payloads or for unusual Tor proxy usage.
- If an infection is detected, isolate affected systems from the network to prevent lateral movement and further exploitation.
- Run a full malware scan using updated antivirus and EDR tools to detect and remove SmokeLoader and any associated payloads.
- Investigate any unauthorized access to critical systems or data, especially in government or business organizations, and take steps to secure compromised accounts.
- Notify relevant cybersecurity agencies and stakeholders about the attack, including government and organizational response teams, to help coordinate efforts in mitigating further risks.
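The attack chain in the analysis summary (a ZIP disguised as a Word document by a homoglyph in its name, an internet shortcut inside it, and an executable named as a PDF) and the remediation items on homoglyph detection, disguised executables and double-encapsulated archives all come down to static checks a mail gateway or sandbox can run on an attachment before a user opens it. The script below is an added example written for this advisory, not tooling from the advisory's authors or from 7-Zip; it triages a ZIP without trusting any file name, recursing into nested ZIPs with a depth and size cap. The sample archive it builds is constructed for the demonstration and is not a real campaign artifact; the Cyrillic letter used in the sample name and the `example.invalid` shortcut target are assumptions, chosen only to exercise the checks.

```python
"""Static triage of a ZIP attachment for the traits described in the advisory.
Added example, not the advisory's own tooling; the sample archive built in
build_sample() is constructed here and is not a real campaign artifact."""
import io
import unicodedata
import zipfile

# Magic bytes for the container and payload types we want to recognize.
MAGICS = {
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
    b"MZ": "pe",                  # Windows executable / DLL
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole",   # legacy Office (.doc/.xls) container
}
ARCHIVE_KINDS = {"zip", "7z", "rar"}
DOCUMENT_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx", "rtf", "txt"}
SHORTCUT_EXTENSIONS = {"url", "lnk"}
MAX_DEPTH = 3                        # do not follow archives nested deeper than this
MAX_NESTED_BYTES = 8 * 1024 * 1024   # do not inflate huge inner archives (zip-bomb guard)


def sniff(head: bytes) -> str:
    """Classify content by its leading bytes, ignoring whatever the name claims."""
    for magic, kind in MAGICS.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def script_of(ch: str) -> str:
    """Unicode script family of a letter ('LATIN', 'CYRILLIC', ...); '' for non-letters."""
    if not ch.isalpha():
        return ""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def mixed_scripts(name: str) -> set:
    """A name mixing letter scripts (e.g. Latin plus Cyrillic) is the classic
    homoglyph trick; return the scripts involved, or an empty set if only one."""
    scripts = {s for s in map(script_of, name) if s}
    return scripts if len(scripts) > 1 else set()


def triage_zip(data: bytes, depth: int = 0) -> list:
    """Walk a ZIP (recursing into nested ZIPs) and return a list of findings."""
    findings = []

    def flag(category, name, detail=""):
        findings.append({"depth": depth, "category": category, "name": name, "detail": detail})

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            with zf.open(info) as fh:          # read only the header, never the whole entry
                kind = sniff(fh.read(16))

            scripts = mixed_scripts(name)
            if scripts:
                flag("mixed-script-name", name, ",".join(sorted(scripts)))
            if ext in SHORTCUT_EXTENSIONS:      # .url / .lnk inside an attachment
                flag("shortcut", name, ext)
            if ext in DOCUMENT_EXTENSIONS and kind in ARCHIVE_KINDS | {"pe"}:
                flag("extension-mismatch", name, f"claims={ext} actual={kind}")
            if kind in ARCHIVE_KINDS:           # double encapsulation
                flag("nested-archive", name, kind)
                if kind == "zip" and depth < MAX_DEPTH and info.file_size <= MAX_NESTED_BYTES:
                    findings.extend(triage_zip(zf.read(info), depth + 1))
    return findings


def verdict(findings: list) -> str:
    """Map findings to a gateway decision: block, hold for review, or clean."""
    cats = {f["category"] for f in findings}
    if cats & {"nested-archive", "extension-mismatch", "shortcut"}:
        return "block"
    return "review" if cats else "clean"


def build_sample() -> bytes:
    """Constructed sample: outer ZIP holding an inner ZIP whose name ends in a
    Cyrillic 'es' (U+0441) so it reads like '.doc'; the inner ZIP holds an
    internet shortcut and an MZ stub named as a PDF. Not a real artifact."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.url", "[InternetShortcut]\r\nURL=http://example.invalid/\r\n")
        z.writestr("report.pdf", b"MZ" + b"\x00" * 62)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Document.do\u0441", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    result = triage_zip(build_sample())
    for f in result:
        print(f"[depth {f['depth']}] {f['category']:<19} {f['name']}  {f['detail']}")
    print("verdict:", verdict(result))
```

Two design points matter here. Content type comes from magic bytes and the name is only used for the mismatch and shortcut checks, so a homoglyph or a renamed extension cannot hide what an entry actually is. Recursion is bounded by both depth and the uncompressed size recorded in the central directory, so a crafted archive cannot turn the scanner itself into the problem.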
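The first two remediation items and the item on outbound traffic ask for the advisory's network indicators to be blocked and hunted for. The script below is an added example, not tooling from the advisory's authors: it sweeps log lines for the five domains and the IP listed in the Indicators of Compromise section, matching subdomains of a listed domain as well as the domain itself and accepting defanged `[.]` notation, since IOCs are often pasted that way. The log lines are constructed for the demonstration and their format (timestamp, source, key=value fields) is an assumption; adapt the regexes to your own log schema.

```python
"""Sweep log lines for the advisory's network indicators. Added example, not
the advisory's tooling; SAMPLE_LOGS is constructed, not captured traffic."""
import re
from typing import List, Optional, Tuple

# Network indicators copied from the advisory's IOC section.
IOC_DOMAINS = {
    "johnfabiconinteraption.ru",
    "storeagroculturnaya.ru",
    "alfacentarusmulticopter.ru",
    "goodmastersportunicum.ru",
    "ukr-netfilediscdownloadapplication.ru",
}
IOC_IPS = {"185.156.72.78"}

# Hostnames and IPv4 addresses, plain or defanged with "[.]".
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\[?\.\]?)+[a-z]{2,}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\[?\.\]?){3}\d{1,3}\b")


def refang(token: str) -> str:
    """Normalize a host or IP token: undo [.] defanging, lowercase, drop trailing dot."""
    return token.replace("[.]", ".").lower().rstrip(".")


def matching_domain(host: str) -> Optional[str]:
    """Return the listed domain that `host` equals or is a subdomain of, else None."""
    labels = refang(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, indicator) for every line touching a listed IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if refang(ip) in IOC_IPS and (n, "ip", refang(ip)) not in hits:
                hits.append((n, "ip", refang(ip)))
        for host in HOST_RE.findall(line):
            matched = matching_domain(host)
            if matched and (n, "domain", matched) not in hits:
                hits.append((n, "domain", matched))
    return hits


# Constructed sample lines in an assumed "timestamp source key=value" format.
SAMPLE_LOGS = [
    "2025-02-06T09:14:02Z dns query client=10.0.0.24 qname=ukr-netfilediscdownloadapplication.ru type=A",
    "2025-02-06T09:14:03Z proxy CONNECT dst=185.156.72.78:443 user=j.doe result=allowed",
    "2025-02-06T09:15:10Z dns query client=10.0.0.31 qname=updates.example.com type=A",
    "2025-02-06T09:16:44Z mail attachment url=hxxp://cdn[.]storeagroculturnaya[.]ru/ status=quarantined",
]

if __name__ == "__main__":
    for line_no, kind, indicator in scan_lines(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} match on {indicator}")
        print("   ", SAMPLE_LOGS[line_no - 1])
```

Matching on parent domains is deliberate: a blocklist keyed on the exact strings would miss `cdn.<listed domain>`, while matching any label suffix would false-positive on every `.ru` host, so the loop only accepts candidates that are themselves in the list.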