A recently patched security vulnerability in the 7-Zip archiver tool was exploited in the wild to deliver SmokeLoader malware.
The flaw, CVE-2025-0411 (CVSS score: 7.0), allows remote attackers to bypass Mark-of-the-Web (MotW) protections and execute arbitrary code in the context of the current user. It was addressed by 7-Zip in November 2024 with version 24.09.
“The vulnerability is actively exploited,” the researchers noted.
It is suspected that CVE-2025-0411 was likely weaponized to target governmental and non-governmental organizations in Ukraine as part of a cyber-espionage campaign set against the backdrop of the ongoing Russo-Ukrainian conflict.
MotW is a security feature Microsoft implemented in Windows to prevent the automatic execution of files downloaded from the Internet without first subjecting them to Microsoft Defender SmartScreen checks.
CVE-2025-0411 bypasses MotW by double-archiving content with 7-Zip, i.e., creating an archive and then archiving that archive again, in order to hide the malicious payloads.
“The root cause of CVE-2025-0411 is that prior to version 24.09, 7-Zip did not properly propagate MotW protections to the content of double-encapsulated archives,” Girnus explained. “This allows threat actors to craft archives containing malicious scripts or executables that will not receive MotW protections, leaving Windows users vulnerable to attacks.”
Attacks exploiting the flaw as a zero-day were first detected in the wild on September 25, 2024, with the infection sequence leading to SmokeLoader, a loader malware that has repeatedly been used to target Ukraine.
The starting point is a phishing email containing a specially crafted archive file that, in turn, employs a homoglyph attack to pass off the inner ZIP archive as a Microsoft Word document file, effectively triggering the vulnerability.
The phishing messages, per Trend Micro, were sent from email addresses associated with Ukrainian governing bodies and from business accounts of both municipal organizations and enterprises, suggesting a prior compromise.
“The use of these compromised email accounts lends an air of authenticity to the targets, manipulating potential victims into trusting the content and their senders,” Girnus said.
This approach leads to the execution of an Internet shortcut file (.URL) present within the ZIP archive, which points to an attacker-controlled server hosting another ZIP file. The newly downloaded ZIP contains the SmokeLoader executable, disguised as a PDF document.
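The infection chain described above relies on three properties a defender can check for before an archive reaches a user: an inner entry that is itself an archive regardless of what its extension claims, an entry name that mixes Unicode scripts or carries a non-ASCII extension (the homoglyph trick), and an Internet shortcut (.URL) inside the archive. The following Python scanner is an added example written for this article; it is not code from Trend Micro's report or from 7-Zip. It identifies nested archives by their leading magic bytes rather than by name, recurses into nested ZIPs, and flags mixed-script names and shortcut entries. The sample archive it scans is a constructed fixture (the file names, the `example.invalid` URL and the Cyrillic-letter disguise are made up for the test), not a real malicious sample.

```python
import io
import unicodedata
import zipfile

# Leading bytes of common archive formats. Content-based detection matters here
# because the inner archive in this campaign is named to look like a .doc file.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}
# Windows treats these as shortcuts that may point at a remote server.
SHORTCUT_EXTS = (".url", ".lnk")


def sniff_archive(head: bytes):
    """Identify an archive format from its first bytes, ignoring the file name."""
    for magic, kind in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def letter_scripts(text: str):
    """Set of scripts used by the letters in text, taken from the first word of
    each character's Unicode name ("LATIN", "CYRILLIC", ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}


def classify_entry(name: str, head: bytes):
    """Return the list of findings for a single archive entry."""
    findings = []
    base = name.rsplit("/", 1)[-1]
    ext = base.rsplit(".", 1)[-1] if "." in base else ""
    kind = sniff_archive(head)
    if kind:
        findings.append("nested-archive:" + kind)
    if ext and not ext.isascii():
        findings.append("non-ascii-extension")
    if len(letter_scripts(base)) > 1:
        findings.append("mixed-script-name")
    if base.lower().endswith(SHORTCUT_EXTS):
        findings.append("internet-shortcut")
    return findings


def scan_zip(data: bytes, prefix: str = ""):
    """Walk a ZIP, recursing into nested ZIPs, and map each entry path to its findings.
    Nested paths are written as outer!inner."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            path = prefix + info.filename
            results[path] = classify_entry(info.filename, content[:8])
            if sniff_archive(content) == "zip":
                results.update(scan_zip(content, path + "!"))
    return results


def suspicious_entries(data: bytes):
    """Only the entries that produced at least one finding."""
    return {path: f for path, f in scan_zip(data).items() if f}


def build_sample_archive() -> bytes:
    """Constructed fixture, not a real sample: an outer ZIP containing an inner ZIP
    whose name is disguised as a Word document, which in turn holds a .url shortcut."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Document.url", "[InternetShortcut]\nURL=http://example.invalid/placeholder\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        # U+043E is CYRILLIC SMALL LETTER O, so this name renders as "Invoice.doc"
        z.writestr("Invoice.d\u043ec", inner.getvalue())
        z.writestr("notes.txt", "plain text, nothing to flag")
    return outer.getvalue()


if __name__ == "__main__":
    for path, findings in scan_zip(build_sample_archive()).items():
        print(path, findings or ["clean"])
```

On the fixture, the disguised inner entry is reported as `nested-archive:zip`, `non-ascii-extension` and `mixed-script-name`, and the shortcut inside it as `internet-shortcut`, while `notes.txt` is clean. On a Windows host the complementary check after extraction is whether each extracted file still carries the `Zone.Identifier` alternate data stream, which is what MotW actually consists of; a patched 7-Zip (24.09 or later) propagates it to the contents of nested archives.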
At least nine Ukrainian government entities and other organizations have been assessed to be impacted by the campaign, including the Ministry of Justice, the public transportation service, the Kyiv water supply company, and the city council.
In light of the active exploitation of CVE-2025-0411, users are recommended to update their installations to the latest version, implement email filtering features to block phishing attempts, and disable file execution from untrusted sources.
“One interesting finding we observed among the organizations targeted and affected by this campaign is smaller local government bodies,” Girnus said.
“These organizations are often under intense cyber pressure yet frequently overlooked, less cyber-mature, and lacking the resources for the comprehensive cyber strategies that larger government organizations have. These smaller organizations can be valuable pivot points for threat actors aiming at larger government targets.”