Russian cybercrooks exploiting 7-Zip zero-day vulnerability (CVE-2025-0411)
CVE-2025-0411, a Mark-of-the-Web bypass vulnerability in the open-source archiver tool 7-Zip that was fixed in November 2024, has been exploited in zero-day attacks to deliver malware to Ukrainian entities, Trend Micro researchers have revealed.
The 7-Zip vulnerability (CVE-2025-0411)
Mark-of-the-Web (MotW) is a zone identifier used by the Windows operating system to flag files downloaded from the internet as potentially harmful.
“CVE-2025-0411 allows threat actors to bypass Windows MoTW protections by double archiving contents using 7-Zip. Double archiving involves encapsulating an archive within an archive,” Peter Girnus, a researcher with Trend Micro Zero Day Initiative, explained.
“The root cause of CVE-2025-0411 is that prior to version 24.09, 7-Zip did not properly propagate MoTW protections to the content of double-encapsulated archives. This allows threat actors to craft archives containing malicious scripts or executables that will not receive MoTW protections, leaving Windows users vulnerable to attacks.”
Hex comparison between the outer and inner archive file (Source: Trend Micro)
Consequently, when users run such files, Windows shows no security warning asking them to think twice before continuing and perhaps abandon the action altogether.
MotW bypass vulnerabilities are regularly exploited by attackers.
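To make the mechanism concrete, here is an added Python example (not code from the article or from Trend Micro) that parses the Zone.Identifier alternate data stream Windows uses to record the Mark-of-the-Web, decides whether a file's zone would trigger the security prompt, and builds the stream an archiver should write on everything it extracts, including files taken out of a nested archive, which is the step the article says 7-Zip skipped before 24.09. The sample stream, its URLs and the helper names are constructed for this example; `read_zone_identifier` only works on NTFS under Windows.

```python
import os
from typing import Optional

# Windows URL security zones as recorded in the ZoneId field of the stream.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of the Zone.Identifier stream a browser writes next to a
# downloaded archive (the URLs are placeholders, not real indicators).
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/outer.zip\r\n"
)


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style Zone.Identifier stream into a dict with an int ZoneId."""
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line == "[ZoneTransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if "ZoneId" not in fields:
        raise ValueError("stream has no ZoneId field")
    zone = {"ZoneId": int(fields["ZoneId"])}
    for key in ("ReferrerUrl", "HostUrl"):
        if key in fields:
            zone[key] = fields[key]
    return zone


def is_untrusted_origin(zone: dict) -> bool:
    """Internet (3) and Restricted sites (4) are the zones that make Windows warn."""
    return zone["ZoneId"] >= 3


def propagated_stream(zone: dict) -> str:
    """Stream an extractor should write on every file it unpacks from an archive
    carrying `zone`, including files unpacked from an archive nested inside it.
    Dropping it for the nested level is the behaviour CVE-2025-0411 describes."""
    lines = ["[ZoneTransfer]", f"ZoneId={zone['ZoneId']}"]
    if "HostUrl" in zone:
        lines.append(f"HostUrl={zone['HostUrl']}")
    return "\r\n".join(lines) + "\r\n"


def read_zone_identifier(path: str) -> Optional[dict]:
    """Windows/NTFS only: read a file's Zone.Identifier stream; None if unmarked."""
    if os.name != "nt":
        raise OSError("alternate data streams require NTFS on Windows")
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8") as stream:
            return parse_zone_identifier(stream.read())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    zone = parse_zone_identifier(SAMPLE_STREAM)
    print(ZONE_NAMES[zone["ZoneId"]], "- prompt before run:", is_untrusted_origin(zone))
    print(propagated_stream(zone), end="")
```

On an incident-response host you can run `read_zone_identifier` over the files an archive dropped: anything that came out of a nested archive and returns `None` was unpacked without the mark and would have run without a prompt.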
The zero-day attack campaign
“An attacker can leverage [CVE-2025-0411] to execute arbitrary code in the context of the current user,” Trend Micro’s Zero Day Initiative explains.
And they did: In late September 2024, the ZDI’s Threat Hunting team spotted attackers leveraging the (then zero-day) vulnerability to saddle victims with the SmokeLoader malware.
The targets were employees in Ukrainian municipal organizations (e.g., Zalishchyky City Council) and Ukrainian businesses (e.g., the Zaporizhzhia Automobile Building Plant). The vector of infection was emails with malicious attachments sent from compromised email accounts belonging to Ukrainian governing bodies (e.g., the State Executive Service of Ukraine).
“During this campaign, the threat actors implemented an additional layer of deception to manipulate users into executing the zero-day vulnerability CVE-2025-0411,” Girnus noted.
“By employing the Cyrillic character ‘Es’, the attackers designed an inner archive mimicking a .doc file. This strategy effectively misleads users into inadvertently triggering the exploit for CVE-2025-0411, resulting in the contents of the archive being released without MoTW protections. Consequently, this allows for the execution of JavaScript files (.js), Windows Script Files (.wsf), and Windows Shortcut files (.url).”
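The lure described above combines three things a mail gateway or sandbox can check for: an archive nested inside an archive, an inner file whose name mixes Latin and Cyrillic letters so it reads as ".doc", and script-type files (.js, .wsf, .url) at the innermost level. The following added Python example (not Trend Micro's code or the article's) scans a nested archive for all three. It uses zip as a stand-in container because the standard library can read it; the same walk applies to 7z with a third-party reader. The sample archive, its file names and the `MAX_DEPTH` limit are constructed for this example, and the inner files hold placeholder text only.

```python
import io
import os
import unicodedata
import zipfile

# Extensions the campaign relied on to run code once MoTW was lost.
SCRIPT_EXTENSIONS = {".js", ".wsf", ".url"}
# Extensions under which an archive is expected to appear.
ARCHIVE_EXTENSIONS = {".zip", ".7z", ".rar", ".tar", ".gz"}
MAX_DEPTH = 4  # do not follow archive-in-archive chains forever


def letter_scripts(name: str) -> set:
    """Unicode scripts of the letters in a filename, e.g. {'LATIN', 'CYRILLIC'}."""
    scripts = set()
    for ch in name:
        if ch.isalpha():
            # unicodedata.name('\u0441') == 'CYRILLIC SMALL LETTER ES'; keep the script word
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0])
    return scripts


def is_mixed_script(name: str) -> bool:
    """A name whose letters come from more than one script is a homoglyph candidate."""
    return len(letter_scripts(name)) > 1


def scan_archive(data: bytes, depth: int = 0, prefix: str = "") -> list:
    """Walk a zip archive and every zip nested in it; return (path, reason) findings."""
    findings = []
    if depth > MAX_DEPTH:
        findings.append((prefix, f"nesting deeper than {MAX_DEPTH}"))
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            full = f"{prefix}/{info.filename}" if prefix else info.filename
            ext = os.path.splitext(info.filename)[1].lower()
            if is_mixed_script(info.filename):
                findings.append((full, "mixed-script filename (possible homoglyph)"))
            if ext in SCRIPT_EXTENSIONS:
                findings.append((full, f"script-type file {ext}"))
            content = zf.read(info)
            # Decide by content, not by name: the inner archive was disguised as a document.
            if zipfile.is_zipfile(io.BytesIO(content)):
                if ext not in ARCHIVE_EXTENSIONS:
                    findings.append((full, "archive content behind a non-archive extension"))
                findings.extend(scan_archive(content, depth + 1, full))
    return findings


def build_sample() -> bytes:
    """Constructed double archive: an inner zip named to look like 'report.doc'
    (Cyrillic Es, U+0441, in place of the Latin c) holding a placeholder .js entry."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.js", "// placeholder text, not a script\n")
        zf.writestr("notes.txt", "benign text\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("report.do\u0441", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in scan_archive(build_sample()):
        print(f"{path!r}: {reason}")
```

The scan flags the sample three times: the outer entry for its mixed-script name and for being an archive behind a document-looking extension, and the nested `invoice.js` as a script-type file. Any one of these is a reasonable reason to quarantine an attachment for review rather than deliver it.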
Trend Micro believes that the campaign was the work of Russian cybercrime groups, “with cyberespionage being the most likely purpose of these attacks as part of the ongoing Russo-Ukrainian conflict.”
What should organizations do?
Trend Micro reported the existence of the vulnerability to Igor Pavlov, the creator of 7-Zip, who fixed it in late November 2024 by releasing version 24.09 of the software.
Its existence was publicly revealed on January 19, 2025, and a Proof-of-Concept (PoC) exploit was made public soon after.
7-Zip users have been repeatedly urged to update the software to the latest version, as the tool does not have an auto-update feature.
Trend Micro also urges organizations to:
- Educate employees on the importance of MoTW and train them to recognize and report phishing attempts
- Implement email security measures to detect and block spear-phishing attacks
- Disable the automatic execution of files from untrusted sources and configure systems to prompt users for verification before opening such files
- Implement protection (domain and URL filtering) to detect and block homoglyph-based phishing attacks.