Russian threat groups have conducted cyberespionage campaigns against government entities in Ukraine exploiting a zero-day vulnerability in the 7-Zip archiver tool, Trend Micro reports.
Tracked as CVE-2025-0411 (CVSS score of 7.0), the exploited flaw was discovered in September 2024 and patched two months later, in 7-Zip version 24.09.
The bug is described as a bypass of the Mark-of-the-Web (MoTW) protection mechanism, the flag Windows attaches to files downloaded from the internet or other untrusted sources so that Windows SmartScreen and Office Protected View treat them as untrusted and warn the user before they run.
Support for MoTW was introduced in 7-Zip in June 2022: the tool copies the mark from a downloaded archive to the files it extracts. It did not, however, propagate the mark to files extracted from an archive nested inside a marked archive. This allowed attackers to double-archive malicious files: the inner archive carried the mark, but its contents, once extracted, did not, so a user who could be convinced to extract and open them received no SmartScreen check or warning.
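The propagation gap described above, as an added example that is not 7-Zip's code: MoTW is the NTFS alternate data stream `Zone.Identifier` (`[ZoneTransfer]` / `ZoneId=3`), and the model below extracts a constructed zip-in-zip in memory and records the zone each extracted file would inherit, once the way a pre-24.09 7-Zip behaved (`propagate_nested=False`) and once the fixed way. The archive contents, the `propagate_nested` switch and the function names are assumptions of this example.

```python
"""Model of the CVE-2025-0411 propagation gap (added example, not 7-Zip code).

Mark-of-the-Web is the NTFS alternate data stream ``Zone.Identifier`` that
Windows attaches to downloads.  The extractor below opens a constructed
zip-in-zip in memory and tags every extracted file with the stream it would
inherit: direct members of a marked archive always get the mark, members of
a nested archive only when propagate_nested=True (the fixed behaviour).
"""
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

ZONE_INTERNET = 3  # URLZONE_INTERNET: the zone Windows assigns to downloads


def zone_identifier_stream(zone: int) -> str:
    """Content of the Zone.Identifier stream for a file marked with ``zone``."""
    return f"[ZoneTransfer]\r\nZoneId={zone}\r\n"


def parse_zone_id(stream: Optional[str]) -> Optional[int]:
    """ZoneId from a Zone.Identifier stream, None if the file is unmarked."""
    if stream is None:
        return None
    match = re.search(r"^ZoneId=(\d+)\s*$", stream, re.MULTILINE)
    return int(match.group(1)) if match else None


def build_nested_archive() -> bytes:
    """Constructed sample: outer.zip -> inner.zip -> payload.exe (fake bytes)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("payload.exe", b"MZ" + b"\x00" * 62)  # not a real executable
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"see the attached document")
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


def extract(archive: bytes, zone: Optional[int], propagate_nested: bool,
            prefix: str = "") -> Dict[str, Tuple[bytes, Optional[str]]]:
    """Return {path: (data, Zone.Identifier stream or None)} for every file the
    user ends up with.  ``zone`` is the mark on the archive being opened.
    Members that are themselves archives are opened in turn; with
    propagate_nested=False their members inherit no mark at all."""
    files: Dict[str, Tuple[bytes, Optional[str]]] = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        for name in z.namelist():
            data = z.read(name)
            path = prefix + name
            stream = zone_identifier_stream(zone) if zone is not None else None
            files[path] = (data, stream)  # direct members always inherit the mark
            if zipfile.is_zipfile(io.BytesIO(data)):
                inner_zone = zone if propagate_nested else None
                files.update(extract(data, inner_zone, propagate_nested, path + "/"))
    return files


def unmarked_files(files: Dict[str, Tuple[bytes, Optional[str]]]) -> List[str]:
    """Paths that carry no ZoneId, i.e. would open without a SmartScreen check."""
    return sorted(p for p, (_, stream) in files.items() if parse_zone_id(stream) is None)


if __name__ == "__main__":
    sample = build_nested_archive()
    print("vulnerable:", unmarked_files(extract(sample, ZONE_INTERNET, False)))
    print("fixed:     ", unmarked_files(extract(sample, ZONE_INTERNET, True)))
```

In the vulnerable run only `inner.zip/payload.exe` comes out unmarked, which is exactly the file the lure wants the user to open; `inner.zip` itself is marked, which is why the attack needs the second layer. On a real Windows host the same check is `Get-Item -Stream Zone.Identifier` on each extracted file, or reading `path + ":Zone.Identifier"`.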
“An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user,” a Zero Day Initiative advisory reads.
Now, Trend Micro reveals that CVE-2025-0411 has been exploited in the wild, in a SmokeLoader campaign targeting Ukrainian government entities and other organizations in the country, likely for cyberespionage.
As part of the attacks, attributed to unnamed Russian cybercrime groups, compromised email accounts were used to send crafted archives that exploited the zero-day, with the inner archive disguised through a homoglyph attack.
Trend Micro identified emails originating from compromised Ukrainian government and business accounts, such as the State Executive Service of Ukraine (SES), which is part of the Ukrainian Ministry of Justice. Some of the accounts were likely compromised in previous campaigns.
The cybersecurity firm also discovered that one of the inner archives used in the campaign relied on a homoglyph attack to spoof a Word file (.doc) and trick the intended victim into opening the archive and executing the malicious files within.
“By employing the Cyrillic character ‘Es’, the attackers designed an inner archive mimicking a .doc file. This strategy effectively misleads users into inadvertently triggering the exploit for CVE-2025-0411, resulting in the contents of the archive being released without MoTW protections,” Trend Micro explains.
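Two checks a defender can run over the members of a received archive, added here as an example and not Trend Micro's tooling: whether a filename's extension imitates a Latin document extension with look-alike Cyrillic letters (the small 'es', U+0441, stands in for Latin 'c' in '.doc'), and whether a member's leading bytes are an archive although its name claims a document. The confusables table is a subset of Unicode's confusables data, the magic numbers are the standard 7z, zip and RAR signatures, and the sample names and bytes are constructed.

```python
"""Homoglyph and content checks for archive members (added example).

spoofed_extension() maps look-alike Cyrillic letters to the Latin letters they
imitate and reports names whose extension only looks like a document type;
content_mismatch() reports members whose bytes are a 7z/zip/rar container
although the (de-spoofed) name claims a document.
"""
from pathlib import PurePosixPath
from typing import Iterable, List, Optional, Tuple

# Cyrillic letters that render like Latin ones (subset of Unicode's
# confusables.txt; extend as needed).  U+0441 is the small 'es' used in the lure.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
}

# Legacy/plain document types whose bytes are never a 7z/zip/rar container.
# OOXML types (.docx, .xlsx) are left out on purpose: they are zip files.
DOCUMENT_EXTENSIONS = {".doc", ".xls", ".pdf", ".rtf", ".txt"}

# Signatures 7-Zip recognises regardless of what the extension says.
ARCHIVE_MAGIC = {
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
}


def skeleton(text: str) -> str:
    """Replace each confusable letter by the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def spoofed_extension(filename: str) -> Optional[str]:
    """The Latin document extension a name impersonates, or None."""
    ext = PurePosixPath(filename).suffix
    plain = skeleton(ext).lower()
    if ext and plain != ext.lower() and plain in DOCUMENT_EXTENSIONS:
        return plain
    return None


def content_mismatch(filename: str, head: bytes) -> Optional[str]:
    """Archive format of the bytes when the (de-spoofed) name claims a document."""
    if skeleton(PurePosixPath(filename).suffix).lower() not in DOCUMENT_EXTENSIONS:
        return None
    for magic, fmt in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return fmt
    return None


def audit(entries: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """(filename, finding) for every suspicious archive member."""
    findings = []
    for name, head in entries:
        spoof = spoofed_extension(name)
        if spoof:
            findings.append((name, f"extension imitates {spoof} with non-Latin letters"))
        fmt = content_mismatch(name, head)
        if fmt:
            findings.append((name, f"content is a {fmt} archive, not a document"))
    return findings


# Constructed sample: member names and their first bytes.
SAMPLE_ENTRIES = [
    ("Інструкція.do\u0441", b"7z\xbc\xaf\x27\x1c\x00\x04"),  # Cyrillic es, 7z bytes
    ("Звіт.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),       # genuine OLE2 .doc header
    ("Invoice.pdf", b"PK\x03\x04\x14\x00\x00\x00"),           # zip bytes named .pdf
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ENTRIES):
        print(f"{name}: {finding}")
```

Only the extension is de-spoofed, because a Cyrillic stem is exactly what a legitimate Ukrainian filename looks like; the first sample entry is flagged twice (look-alike extension and 7z content), the genuine `.doc` not at all. The content check is the more robust of the two, since it does not depend on the confusables table being complete.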
Ukrainian entities targeted in this campaign likely include SES, the Zaporizhzhia automobile building plant (PrJSC ZAZ), Kyivpastrans and Kyivvodokanal (Kyiv’s public transportation and water supply services), SEA (electric and electronic equipment and appliances manufacturer), the Verkhovyna district state administration, VUSA (insurance organization), the Dnipro city regional pharmacy, and the Zalishchyky city council.
“Note that this compilation of organizations impacted by the CVE-2025-0411 zero-day attack is not comprehensive; there is a significant likelihood that additional organizations may have been affected or targeted by the perpetrators,” Trend Micro notes.
The attackers focused on smaller local government bodies, likely because these often lack the resources and expertise to defend themselves, and because they can then be used as pivot points into larger government organizations, the cybersecurity firm says.