Russian cybercrime groups are exploiting a 7-Zip flaw to bypass Windows MotW protections.

Feb 04, 2025 | Ravie Lakshmanan | Vulnerability / Cyber Espionage

A recently patched security flaw in the 7-Zip archiver tool has been exploited in the wild to deliver malware.

The flaw, CVE-2025-0411 (CVSS score: 7.0), allows remote attackers to circumvent mark-of-the-web (MotW) protections and execute arbitrary code in the context of the current user. 7-Zip addressed it in November 2024 with version 24.09.

According to Trend Micro security researcher Peter Girnus, "the risk was positively exploited by Russian cybercrime groups through spear-phishing campaigns, using homoglyph attacks to spoof document extensions and trick users and the Windows Operating System into executing harmful files."

CVE-2025-0411 is suspected to have been used to target political and non-governmental organizations in Ukraine as part of a cyber espionage campaign set against the backdrop of the ongoing Russo-Ukrainian conflict.

MotW is a security feature that Microsoft added to Windows to prevent it from automatically executing files downloaded from the internet without first passing them through Microsoft Defender SmartScreen for additional checks.

CVE-2025-0411 bypasses MotW by double-archiving content with 7-Zip, i.e., creating an archive and then an archive of that archive, in order to conceal the malicious payloads.

"The root cause of CVE-2025-0411 is that due to type 24.09, 7-Zip did not properly spread MotW privileges to the content of double-encapsulated files," Girnus explained. This makes it possible for threat actors to create archives containing malicious code or executables that do not receive MotW protections, leaving Windows users vulnerable to attacks.

Attacks exploiting the weakness as a zero-day were first detected in the wild on September 25, 2024, with the infection chains leading to SmokeLoader, a loader malware that has been repeatedly used to target Ukraine.

The starting point is a phishing email containing a specially crafted archive file that uses a homoglyph attack to pass off the inner ZIP archive as a Microsoft Word document file, thereby triggering the vulnerability.

According to Trend Micro, the phishing emails were sent to both municipal organizations and businesses from email addresses linked to Ukrainian government bodies and business accounts, suggesting those accounts had been compromised beforehand.

Girnus remarked that the use of these compromised email accounts "gives the emails sent to targets an air of authenticity," leading potential victims to trust the content and its senders.

The attack chain then leads to the execution of an internet shortcut (.URL) file inside the ZIP archive, which points to an attacker-controlled server hosting another ZIP file. That newly downloaded ZIP contains the SmokeLoader executable disguised as a PDF document.
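The three indicators the article describes (an archive nested inside another archive, a filename whose extension is spoofed with look-alike non-ASCII characters, and an internet shortcut carried inside the archive) can all be checked on the mail gateway or in a sandbox before a file ever reaches a user. The script below is an added example written for this article; it is not Trend Micro's or 7-Zip's code, and the sample archive, its entry names and the Cyrillic-to-Latin confusable table are constructed for illustration. It walks a ZIP with the standard library, recurses into nested ZIPs with a depth and size cap, and reports each indicator as a (path, reason) pair.

```python
import io
import zipfile

# Assumed confusable table: a few Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0458": "j",
}
DOCUMENT_LIKE = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf"}
SHORTCUT_EXTS = {".url", ".lnk"}


def split_ext(name: str):
    """Return (stem, extension-with-dot) of the last path component."""
    base = name.rsplit("/", 1)[-1]
    if "." not in base:
        return base, ""
    stem, ext = base.rsplit(".", 1)
    return stem, "." + ext


def skeleton(text: str) -> str:
    """Fold look-alike characters to their Latin counterparts."""
    return "".join(CONFUSABLES.get(c, c) for c in text)


def scan_archive(data: bytes, prefix: str = "", depth: int = 0,
                 max_depth: int = 3, max_entry_bytes: int = 50 * 1024 * 1024):
    """Return a list of (entry path, reason) findings for a ZIP given as bytes."""
    findings = []
    if depth > max_depth:  # refuse to descend into deeply nested archives
        findings.append((prefix.rstrip("/"), "nesting-too-deep"))
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            _stem, ext = split_ext(info.filename)
            # Extension contains non-ASCII characters; if folding them yields a
            # document extension, the name is trying to look like a document.
            if any(ord(c) > 127 for c in ext):
                findings.append((path, "non-ascii-extension"))
                if skeleton(ext.lower()) in DOCUMENT_LIKE:
                    findings.append((path, "spoofed-document-extension"))
            if ext.lower() in SHORTCUT_EXTS:
                findings.append((path, "internet-shortcut"))
            if info.file_size > max_entry_bytes:  # size cap against archive bombs
                findings.append((path, "entry-too-large-skipped"))
                continue
            payload = z.read(info)
            # Sniff content rather than trusting the name: a nested archive may
            # carry any extension at all.
            if zipfile.is_zipfile(io.BytesIO(payload)):
                findings.append((path, "nested-archive"))
                findings.extend(scan_archive(payload, path + "/", depth + 1,
                                             max_depth, max_entry_bytes))
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(scan_archive(data))


def build_sample_archive() -> bytes:
    """Constructed sample (not from the campaign): outer ZIP holding an inner ZIP
    named like a Word document, with the final 'c' of '.doc' replaced by
    Cyrillic es (U+0441); the inner ZIP carries a placeholder .URL shortcut."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Report.url", "[InternetShortcut]\nURL=http://example.invalid/\n")
        z.writestr("notes.txt", "constructed benign text entry\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Report.do\u0441", inner.getvalue())
        z.writestr("cover.txt", "constructed benign text entry\n")
    return outer.getvalue()


def build_clean_archive() -> bytes:
    """Constructed control sample with nothing to flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Report.docx", "constructed benign document bytes\n")
    return buf.getvalue()


if __name__ == "__main__":
    for path, reason in scan_archive(build_sample_archive()):
        print(f"{reason:28s} {path}")
```

A real gateway would add 7z and RAR parsing (for example through a library that reads those formats) and would log the Unicode code point of each offending character so analysts can see the substitution; the checks themselves do not change. Because the content sniff ignores the entry name, a nested archive is reported whether it is called `.doc`, `.pdf` or anything else.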

At least nine Ukrainian government entities and other organizations have been assessed as impacted by the campaign, among them the Ministry of Justice, Kyiv Public Transportation Service, Kyiv Water Supply Company, and City Council.

In light of the active exploitation of CVE-2025-0411, users are advised to update their installations to the most recent version, implement email filtering to block phishing attempts, and disable the execution of files from untrusted sources.

Smaller local government bodies are one of the interesting takeaways we noticed in the organizations targeted and affected by this campaign, according to Girnus.

These organizations are frequently under intense cyber-pressure, are frequently overlooked, lack cyber-savvy, and lack the resources for a comprehensive cyber strategy that larger government organizations possess. These smaller organizations can serve as important pivot points for threat actors as they seek to ally themselves with larger government organizations.
