CVE-2025-0411 Detection: russian Cybercrime Groups Rely on Zero-Day Vulnerability in 7-Zip to Target Ukrainian Organizations

Since a full-scale invasion of Ukraine, cybercriminal groups of russian origin have relentlessly targeted the Ukrainian state bodies and business sectors for espionage and destruction. Recently, cybersecurity researchers uncovered a massive cyber-espionage campaign exploiting a 7-Zip zero-day vulnerability to deliver SmokeLoader malware. The campaign’s ultimate objective was cyber espionage, intensifying the digital frontlines of the ongoing war in Ukraine.

Detect CVE-2025-0411 Exploitation Attempts

The increasing volumes of cyber-espionage campaigns against Ukraine and its allies stand out as a significant aspect of the current cyber threat landscape. A recently uncovered large-scale operation further underscores this danger, exploiting a zero-day flaw in the open-source 7-Zip utility widely leveraged by global organizations. 

The CVE-2025-0411 flaw enables remote attackers to bypass Mark-of-the-Web (MotW) protections and execute arbitrary code within the context of the current user, ultimately leading to SmokeLoader infections. Given the pattern of russian threat actors testing malicious tactics in Ukraine before extrapolating them to global targets, security teams should act proactively. 

SOC Prime Platform for collective cyber defense aggregates a set of curated Sigma rules addressing the latest zero-day campaign by russia-linked cybercrime groups targeting Ukraine and exploiting CVE-2025-0411 to spread SmokeLoader. Hit the Explore Detections below to immediately drill down to access the rules.

Explore Detections

The detections are compatible with multiple SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK® framework to streamline threat investigation. Additionally, each Sigma rule is enriched with extensive metadata, including CTI references, attack timelines, triage recommendations, and more. 

To proceed with the investigation, security experts might also launch instant hunts using IOCs provided in the corresponding Trend Micro research. Rely on SOC Prime’s Uncoder AI to create custom IOC-based queries in a matter of seconds and automatically work with them in your chosen SIEM or EDR environment. Previously exclusive to corporate clients, Uncoder AI is now open to individual researchers at its full power. Check out the details here.

CVE-2025-0411 Analysis

In the early fall of 2024, defenders uncovered the exploitation of a 7-Zip zero-day vulnerability known as CVE-2025-0411. The flaw has been leveraged in a SmokeLoader malware campaign against Ukrainian entities. 

CVE-2025-0411, with a CVSS score of 7.0, enables remote attackers to evade Windows MotW protections and run arbitrary code with the current user’s privileges. The vendor resolved this issue in November 2024 with the release of version 24.09. However, the recently patched flaw has been actively weaponized to distribute SmokeLoader. Notably, in active real-world campaigns against Ukraine, hackers are taking advantage of SmokeLoader, a widely used offensive tool from the arsenal of infamous Russia-linked hacking groups, such as UAC-0006.

The vulnerability has likely been used as part of a cyber-espionage campaign targeting the Ukrainian state bodies and civilian entities, aligning with the broader russia-Ukrainian conflict. The underlying issue in CVE-2025-0411 is that, before the patched version 24.09, the vendor failed to correctly apply MoTW protections to files within double-encapsulated archives. This flaw gives hackers the green light to create archives with malicious scripts or executables that evade MoTW security measures, exposing Windows users to potential threats.

The release of a functional PoC exploit for CVE-2025-0411 has increased the risk of infections. In the ongoing SmokeLoader campaign, the inner ZIP archive employed a homoglyph attack to masquerade a malicious file as .doc. Homoglyph attacks are known to be frequently used in phishing campaigns. In the latest SmokeLoader campaign, russia-affiliated hackers added an extra layer of deception to lure victims into exploiting CVE-2025-0411. By using the Cyrillic character “Es”, they crafted an inner archive that mimicked a .doc file, effectively misleading users into unknowingly triggering the exploit. 

Notably, some affected email accounts may have been obtained from previous campaigns, and newly compromised accounts could be used in future attacks, making emails appear more legitimate and increasing the chances of victim manipulation. Another observation from this campaign is the adversary’s focus on local state bodies, which are often under cyber pressure, less equipped, and more vulnerable, serving as access points for adversaries to infiltrate larger public sector organizations.

As potential CVE-2025-0411 mitigation measures, organizations should promptly apply the product updates to version 24.09 or newer, enforce robust email security to prevent spear-phishing, and enhance cybersecurity awareness to timely identify phishing attempts, including homoglyph attacks. SOC Prime Platform for collective cyber defense equips security teams with an enterprise-ready, future-proof product suite to proactively defend against emerging threats, including CVEs exploited in in-the-wild attacks, while helping progressive organizations adopt a robust cybersecurity strategy.