7-Zip MoTW protection defeated

A recently discovered flaw in the popular 7-Zip file archiver (CVE-2025-0411) has been actively exploited by cybercriminals to deliver the SmokeLoader malware. This is accomplished by defeating 7-Zip's MotW handling. The vulnerability, patched in November 2024, allows attackers to bypass Microsoft's "Mark of the Web" (MotW) protections and execute malicious code on Windows systems.


The initial attack vector is a phishing email carrying a tailored 7-Zip archive that tricks the user into extracting it. Inside it is a second ZIP file, which in turn contains a PDF file carrying the SmokeLoader malware.

This is not a new technique; we have seen it before. The difference this time is that the final file is buried behind two compression layers, which allows it to bypass the MotW protection layer. This weakness has been used in spear-phishing campaigns aimed at Ukrainian organizations, including government entities such as the Ministry of Justice and the Kyiv Water Supply Company.

To stay safe, make sure you download the latest version of 7-Zip (24.09 at the time of this writing); that version and any later one include the fix. If you want to know whether the 7-Zip MotW protection has already been bypassed in your environment, you can look for the following IOCs.

For the Security teams:

We can look for the hashes that are known to belong to the malicious files:

  • Malicious Executable (SHA256): a059d671d950abee93ef78a170d58a3839c2a465914ab3bd5411e39c89ae55a2
  • 7-Zip Archive (SHA256): ba74ecae43adc78efaee227a0d7170829b9036e5e7f602cf38f32715efa51826

For the End Users:

Look for suspicious 7-Zip archive filenames, often with Cyrillic characters used in filenames or extensions:

  • Example: Документи та платежи.7z (Outer archive)
  • Example: Спiсок.doс (Inner archive using a Cyrillic “Es” instead of a Latin “C”).

File Extensions: Pay attention to files with deceptive extensions or file types:

  • .url files designed to look like valid document files but pointing to attacker-controlled servers (e.g., Платежное Поручение в iнозеной валюте та сопроводiтельни документи вiд 23.09.2024p.url).
  • .exe files disguised as .pdf (e.g., Платежное Поручение в iнозеной валюте.pdf.exe).
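As an added example (not code from the original post or from the campaign's tooling), here is a Python triage script that applies the filename heuristics above to a directory of extracted files and, on Windows, checks whether each flagged file still carries the Zone.Identifier alternate data stream that implements MotW. The extension sets are assumptions, and the mixed-script check is a signal rather than proof, since legitimate filenames can mix alphabets.

```python
import os
import sys
import unicodedata

# Assumed extension sets for the heuristics below (not taken from the advisory).
RISKY_EXTENSIONS = {".exe", ".scr", ".url", ".lnk", ".js", ".vbs", ".bat", ".cmd"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

def letter_scripts(text):
    """Set of scripts ('LATIN', 'CYRILLIC', ...) used by the letters in text."""
    return {unicodedata.name(ch, "?").split(" ")[0] for ch in text if ch.isalpha()}

def suspicious_reasons(filename):
    """Lure patterns from the campaign that the filename matches (empty list if none)."""
    reasons = []
    stem, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()
    if any(ord(ch) > 127 for ch in ext):
        # Real extensions are ASCII; '.doс' with a Cyrillic Es is a homoglyph extension.
        reasons.append("non-ASCII characters in extension (homoglyph extension)")
    if len(letter_scripts(stem)) > 1:
        # e.g. a Latin 'i' inside a Cyrillic word; legitimate names can mix scripts too.
        reasons.append("mixed Latin/Cyrillic letters in name")
    inner_ext = os.path.splitext(stem)[1].lower()
    if ext in RISKY_EXTENSIONS and inner_ext in DOCUMENT_EXTENSIONS:
        reasons.append(f"document extension {inner_ext} hides executable extension {ext}")
    if ext == ".url":
        reasons.append("Internet shortcut can point to an attacker-controlled server")
    return reasons

def has_mark_of_the_web(path):
    """True if the file has a Zone.Identifier stream, False if not, None off Windows."""
    if sys.platform != "win32":
        return None
    try:  # the ADS is opened like a regular file; a missing stream raises OSError
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as ads:
            return "ZoneId=" in ads.read()
    except OSError:
        return False

def scan_directory(root):
    """Walk root and report every file matching a lure pattern, with its MotW status."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            reasons = suspicious_reasons(name)
            if reasons:
                path = os.path.join(dirpath, name)
                findings[path] = {"reasons": reasons, "motw": has_mark_of_the_web(path)}
    return findings
```

A flagged file whose `motw` value is `False` on Windows is exactly the case this bug produces: a file that came from the Internet but no longer carries the zone marker, so SmartScreen and the Office protected view will not warn on it.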

Sources:

  • https://thehackernews.com/2025/02/russian-cybercrime-groups-exploiting-7.html
  • What's New With Separ Malware Family in 2024 – Hacker Combat. https://www.hackercombat.com/whats-new-with-separ-malware-family/
  • https://www.trendmicro.com/en_us/research/25/a/cve-2025-0411-ukrainian-organizations-targeted.html
