Russian Hackers Weaponize Critical 7-Zip Bug to Infiltrate Windows Security

7-Zip Security Vulnerability Exploited to Deliver Malware in Ukraine

A security flaw in the 7-Zip archiver (CVE-2025-0411, CVSS 7.0, high severity) has been actively exploited to distribute SmokeLoader malware, primarily against Ukrainian organizations. The bug lets attackers bypass Windows' Mark-of-the-Web (MotW) protection: files extracted from an archive nested inside a MotW-tagged archive were not tagged themselves, so Windows did not apply the untrusted-download checks (such as SmartScreen) that MotW normally triggers before they ran.

Exploitation, first observed in September 2024, relies on a double-archiving technique: the malicious archive is placed inside a second archive, and because vulnerable 7-Zip versions did not propagate MotW to the inner archive's contents, the extracted payload escapes the protections MotW normally triggers. Russian cybercrime groups delivered the archives through spear-phishing campaigns and used homoglyph attacks (visually identical characters from another script, such as Cyrillic letters substituted into a Latin file name or extension) to make executables look like ordinary documents.

Key Impact and Targets:
– Nine Ukrainian organizations affected, including:
  – Ministry of Justice
  – Kyiv Public Transportation Service
  – Kyiv Water Supply Company
  – City Council

Attack Method:
1. Phishing emails containing crafted archive files
2. Use of compromised Ukrainian government email accounts
3. Double-archived payloads whose inner contents are extracted without MotW, so MotW-dependent security checks never run
4. Deployment of SmokeLoader malware disguised as PDF documents
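
The three tricks in that list (a nested archive, a homoglyph file name, and an executable posing as a document) can be checked for at the mail gateway before 7-Zip ever touches the file. The scanner below is an added example, not code from the article, from Trend Micro or from the 7-Zip project. It uses only the Python standard library, assumes ZIP containers (7z and RAR members are reported as nested archives but not opened, since the standard library has no reader for them), and builds its sample archive inline as a constructed input rather than a capture from the campaign; names such as scan_zip, has_mixed_script_run and build_sample are the example's own.

```python
import io
import re
import unicodedata
import zipfile

ARCHIVE_EXTS = (".zip", ".7z", ".rar")
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com")
PE_MAGIC = b"MZ"                    # DOS/PE header every Windows executable starts with
MAX_DEPTH = 3                       # stop recursing into nested archives past this depth
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate huge members (zip-bomb guard)


def script_of(ch):
    """Script family of a letter, taken from its Unicode name ('LATIN', 'CYRILLIC', ...)."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def has_mixed_script_run(filename):
    """True if any single run of letters mixes scripts, e.g. 'dос' with Cyrillic о and с.

    A fully Cyrillic stem followed by a Latin extension ('Документ.pdf') is NOT flagged,
    because each letter run is single-script; only a homoglyph substitution inside one
    word trips the check.
    """
    for run in re.findall(r"[^\W\d_]+", filename):
        if len({script_of(ch) for ch in run}) > 1:
            return True
    return False


def scan_zip(data, depth=0):
    """Return a list of (kind, member_name) findings for a ZIP held in memory.

    Recurses into nested ZIPs up to MAX_DEPTH. Findings are:
      nested_archive   an archive inside the archive (the double-archiving pattern)
      homoglyph_name   a member name mixing scripts inside one word
      disguised_pe     PE content under a name that is not an executable extension
      oversized_member a member too large to inspect safely
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(("oversized_member", name))
                continue
            if has_mixed_script_run(name):
                findings.append(("homoglyph_name", name))
            if lower.endswith(ARCHIVE_EXTS):
                findings.append(("nested_archive", name))
                if lower.endswith(".zip") and depth + 1 < MAX_DEPTH:
                    findings.extend(scan_zip(zf.read(name), depth + 1))
            elif zf.read(name).startswith(PE_MAGIC) and not lower.endswith(EXECUTABLE_EXTS):
                findings.append(("disguised_pe", name))
    return findings


def build_sample():
    """Constructed sample, not a real capture: a decoy PDF plus a nested ZIP whose
    'document' is really a PE stub whose extension uses Cyrillic о and с."""
    fake_pe = PE_MAGIC + b"\x90" * 62  # just enough header to look like an EXE
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("readme.txt", "please open the attached report")
        z.writestr("Report.d\u043e\u0441", fake_pe)  # 'd' + Cyrillic o + Cyrillic es
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("cover.pdf", b"%PDF-1.4\n%decoy\n")
        z.writestr("Invoice.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for kind, name in scan_zip(build_sample()):
        print(f"{kind:16s} {name}")
```

Run as a script it lists three findings for the constructed sample: the nested Invoice.zip, the homoglyph name of the inner member, and that member's PE content. The per-word script check is deliberate: Ukrainian users legitimately send files with Cyrillic stems and Latin extensions, so flagging any non-Latin character would drown the gateway in false positives, whereas a Latin letter and a Cyrillic letter inside the same word is almost always a spoof.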

The vulnerability was fixed in 7-Zip 24.09, released in November 2024. Peter Girnus of Trend Micro's Zero Day Initiative notes that smaller local government bodies, which often lack robust cybersecurity resources, were deliberately targeted as potential pivot points into larger organizations.

Recommended Security Measures:
– Update 7-Zip to version 24.09 or later; 7-Zip has no auto-update mechanism, so the patch has to be rolled out manually or through software management
– Filter or sandbox e-mail attachments, treating nested archives and file names that mix scripts as suspicious
– Block execution of files extracted from untrusted archives, and keep SmartScreen and other MotW-dependent protections enabled
