Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks
Summary:
Researchers at Trend Micro have published details of a campaign in which threat actors leveraged a zero-day vulnerability in 7-Zip (CVE-2025-0411) to deploy SmokeLoader, a modular loader first identified in 2011. SmokeLoader primarily serves as a downloader for secondary payloads, but it also has capabilities for credential theft, data exfiltration and establishing backdoors, and it uses obfuscation and sandbox-evasion techniques to avoid detection. In September 2024, CVE-2025-0411 was observed being exploited in a SmokeLoader campaign targeting Ukrainian government and civilian organizations as part of the ongoing Russo-Ukrainian conflict. The flaw bypasses Windows' Mark-of-the-Web (MoTW) mechanism, which tags files downloaded from untrusted sources (the tag lives in the file's Zone.Identifier alternate data stream) so that Windows applies additional security checks, such as SmartScreen warnings and Office Protected View, before the file is opened or executed. 7-Zip versions prior to 24.09 failed to propagate the MoTW tag to files extracted from nested archives, so an executable packed inside an archive within an archive emerges with no mark and runs without those checks.
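The practical check a responder wants after an archive like the one described above has been extracted is whether the resulting files still carry the mark. The script below is an added example (not Trend Micro's or the 7-Zip project's code): it parses the Zone.Identifier stream format and walks an extraction directory reporting files with no Internet/Restricted zone tag. Reading the stream only works on Windows/NTFS; on other platforms every file simply reports "no mark". SAMPLE_STREAM is a constructed stream body, and the hostname in it is a placeholder.

```python
"""Audit files extracted from an archive for a missing Mark-of-the-Web.

Added example, not code from Trend Micro or the 7-Zip project. Windows keeps
MoTW in the NTFS alternate data stream "<file>:Zone.Identifier", an INI-style
text with a [ZoneTransfer] section whose ZoneId is 3 (Internet) or 4
(Restricted) for downloaded content.
"""
import os
from typing import Dict, List, Optional

ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
UNTRUSTED_ZONES = {3, 4}

# Constructed sample of what a browser writes for a downloaded archive (placeholder host).
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/report.zip\r\n"
)


def parse_zone_identifier(text: str) -> Optional[int]:
    """Return ZoneId from Zone.Identifier stream content, or None if it has none."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None


def read_motw(path: str) -> Optional[int]:
    """ZoneId of path's Zone.Identifier stream, or None when the file carries no mark."""
    try:
        # NTFS exposes the alternate data stream through the "file:stream" path syntax.
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None  # no stream, non-NTFS volume, or not running on Windows


def audit_extracted(root: str) -> Dict[str, List[str]]:
    """Sort every file under root into 'marked' (untrusted ZoneId) or 'unmarked'."""
    report: Dict[str, List[str]] = {"marked": [], "unmarked": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            zone = read_motw(full)
            bucket = "marked" if zone in UNTRUSTED_ZONES else "unmarked"
            report[bucket].append(full)
    return report


if __name__ == "__main__":
    import sys

    result = audit_extracted(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path in result["unmarked"]:
        print("NO MoTW:", path)
    print(f"{len(result['marked'])} marked, {len(result['unmarked'])} unmarked")
```

Run it against the folder a nested archive was extracted into: with a patched 7-Zip every inner file should land in "marked"; a vulnerable version leaves them all in "unmarked", which is exactly the condition the campaign relies on.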
Security Officer Comments:
By double-archiving files (placing the malicious archive inside an outer archive), attackers have been able to bypass MoTW checks and execute malicious content on targeted systems. According to Trend Micro, CVE-2025-0411 has been actively exploited in spear-phishing campaigns that also use homoglyph attacks to spoof document extensions, deceiving both users and the Windows operating system into executing malicious files.
“These attacks are commonly used as part of phishing campaigns, where threat actors might use homoglyphs for spoofing legitimate websites to trick users into entering their credentials for credential harvesting. These credentials would then be employed as a pivot point to further compromise an organization. As an example, an attacker may use the Cyrillic letter Es (which looks exactly like the Latin letter C or c) in a domain name such as api-miсrosoft[.]com, with “c” here being the “Es” character instead of the Latin one, to trick users into trusting this domain, perhaps to lure them into entering sensitive details such as usernames and passwords,” note the researchers in their blog post.
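The two homoglyph tricks described on this page, a look-alike domain such as api-miсrosoft[.]com and a document extension spelled with non-Latin letters, can both be caught by the same test: fold each look-alike to its Latin twin and see whether the result differs from the original, or whether a single label mixes scripts. The script below is an added example, not Trend Micro's code, and it also covers the domain-filtering recommendation further down. CONFUSABLES is a small hand-picked subset of Unicode look-alikes, not the full Unicode TR39 confusables table, and the allow-list and filenames in the usage are constructed.

```python
"""Detect homoglyph spoofing in domain names and file extensions.

Added example, not Trend Micro's code. CONFUSABLES is a hand-picked subset of
Cyrillic/Greek letters that render like Latin ones; production use should load
the full Unicode TR39 confusables data instead.
"""
import unicodedata
from typing import Dict, List, Set

# Look-alike -> Latin twin. Keys are Cyrillic/Greek code points, values ASCII.
CONFUSABLES: Dict[str, str] = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T",
    "\u0425": "X", "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
}
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "hta", "lnk"}


def script_of(ch: str) -> str:
    """Coarse script of a character, derived from its Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script + " "):
            return script
    return "OTHER"


def scripts_in(label: str) -> Set[str]:
    """Scripts of the letters in one label; a Cyrillic-only or Latin-only label is normal."""
    return {script_of(c) for c in label if c.isalpha()} - {"OTHER"}


def skeleton(text: str) -> str:
    """Fold look-alikes to their Latin twin so visually identical strings compare equal."""
    folded = unicodedata.normalize("NFKC", text)
    return "".join(CONFUSABLES.get(c, c) for c in folded).casefold()


def check_domain(domain: str, allow_list: List[str]) -> List[str]:
    """Findings for a domain: mixed-script labels and look-alikes of allow-listed names."""
    findings = []
    for label in domain.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"label '{label}' mixes scripts {sorted(scripts)}")
    folded = skeleton(domain)
    if folded != domain.casefold() and folded in {skeleton(a) for a in allow_list}:
        findings.append(f"'{domain}' is a look-alike of allow-listed '{folded}'")
    return findings


def check_filename(filename: str) -> List[str]:
    """Findings for a filename: non-Latin extension spelling and document.exe double extensions."""
    findings = []
    parts = filename.split(".")
    if len(parts) < 2:
        return findings
    ext = parts[-1]
    if skeleton(ext) != ext.casefold():
        findings.append(f"extension '.{ext}' imitates '.{skeleton(ext)}' with non-Latin characters")
    if ext.casefold() in EXECUTABLE_EXTS and len(parts) > 2 and skeleton(parts[-2]) in DOCUMENT_EXTS:
        findings.append(f"'{filename}' hides an executable behind a document extension")
    return findings


if __name__ == "__main__":
    # Constructed inputs: the page's spoofed domain (Cyrillic Es) and a document name
    # whose ".doc" extension uses a Cyrillic o.
    allow = ["api-microsoft.com"]
    for sample in ("api-microsoft.com", "api-mi\u0441rosoft.com"):
        print(sample, "->", check_domain(sample, allow) or "clean")
    for sample in ("report.docx", "\u0414\u043e\u043a\u0443\u043c\u0435\u043d\u0442\u0438.d\u043ec", "invoice.pdf.exe"):
        print(sample, "->", check_filename(sample) or "clean")
```

Mixed-script detection alone is not enough, because a legitimately Cyrillic domain or filename uses one script throughout; the skeleton comparison against an allow-list of names the organization actually uses is what turns "unusual" into "spoof".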
Suggested Corrections:
Recommendations from Trend Micro:
- Ensure that all instances of 7-Zip are updated to version 24.09 or later. This version addresses the CVE-2025-0411 vulnerability.
- Implement strict email security measures, including the use of email filtering and anti-spam technologies to detect and block spear-phishing attacks.
- Train employees to recognize and report phishing attempts. Regularly update them on the latest phishing tactics, including homoglyph attacks on files and filetypes, as discussed in this entry.
- Educate users on zero-day and n-day vulnerabilities and on their own role in preventing exploitation.
- Educate users on the importance of MoTW and its role in preventing the automatic execution of potentially harmful scripts or applications.
- Disable the automatic execution of files from untrusted sources and configure systems to prompt users for verification before opening such files.
- Implement domain filtering and monitoring to detect and block homoglyph-based phishing attacks.
- Use URL filtering to block access to known malicious domains and regularly update blacklists with newly identified threat domains.
https://www.trendmicro.com/en_us/research/25/a/cve-2025-0411-ukrainian-organizations-targeted.html