{
	"id": "65fd6c05-ef47-43e1-be21-dfacee2d7b2c",
	"created_at": "2026-04-06T01:29:29.027707Z",
	"updated_at": "2026-04-10T03:20:52.506247Z",
	"deleted_at": null,
	"sha1_hash": "044e1a31eed468642beeebe951bd938da24dcccf",
	"title": "CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1861447,
	"plain_text": "CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day\r\nCampaign and Homoglyph Attacks\r\nBy Peter Girnus\r\nPublished: 2025-02-04 · Archived: 2026-04-06 01:28:39 UTC\r\nSummary\r\nIn September 2024, the Trend Zero Day Initiative™ (ZDI) Threat Hunting team identified the exploitation\r\nof a 7-Zip zero-day vulnerability used in a SmokeLoader malware campaign targeting Ukrainian entities.\r\nThe vulnerability, CVE-2025-0411, was disclosed to 7-Zip creator Igor Pavlov, leading to the release of a\r\npatch in version 24.09 on November 30, 2024.\r\nCVE-2025-0411 allows the bypassing of Windows Mark-of-the-Web protections by double archiving files,\r\nthus preventing necessary security checks and allowing the execution of malicious content.\r\nThe vulnerability was actively exploited by Russian cybercrime groups through spear-phishing campaigns,\r\nusing homoglyph attacks to spoof document extensions and trick users and the Windows operating system\r\ninto executing malicious files.\r\nThe vulnerability was likely exploited as a cyberespionage campaign against Ukrainian government and\r\ncivilian organizations as part of the ongoing Russo-Ukrainian conflict.\r\nWe provide recommendations for organizations to proactively secure their systems. This includes updating\r\n7-Zip to at least version 24.09, implementing strict email security measures, and conducting employee\r\ntraining on phishing (including homoglyph attacks).\r\nIntroduction\r\nOn September 25, 2024, the Trend ZDI Threat Hunting team identified a zero-day vulnerability exploited in the wild and associated with the deployment of the loader malware known as SmokeLoader. This vulnerability is\r\nbelieved to be used by Russian cybercrime groups to target both governmental and non-governmental\r\norganizations in Ukraine, with cyberespionage being the most likely purpose of these attacks as part of the\r\nongoing Russo-Ukrainian conflict. 
The exploitation involves the use of compromised email accounts and a zero-day vulnerability in the archiver tool 7-Zip (CVE-2025-0411), which was leveraged in combination with\r\nhomoglyph attacks (which we will also define and explain in this blog entry).\r\nFollowing initial analysis and the development of a proof-of-concept (PoC), we formally disclosed the\r\nvulnerability to Igor Pavlov, the creator of 7-Zip, on October 1, 2024. The issue was subsequently addressed, with\r\n7-Zip releasing a patch as part of version 24.09 on November 30, 2024.\r\nThis entry will first examine CVE-2025-0411 in a theoretical context, based on the PoC submitted to 7-Zip.\r\nSubsequently, we will analyze the real-world exploitation of this vulnerability as a zero-day in active use.\r\nCVE-2025-0411: 7-Zip Mark-of-the-Web Bypass Vulnerability\r\nhttps://www.trendmicro.com/en_us/research/25/a/cve-2025-0411-ukrainian-organizations-targeted.html\r\nPage 1 of 14\n\nWhen a user downloads a file from an untrusted source, such as the internet, Microsoft Windows implements a\r\nsecurity feature known as the Mark-of-the-Web (MoTW). This feature marks the local copy of the file by adding\r\nan NTFS Alternate Data Stream (ADS) named Zone.Identifier. Within this stream, the text ZoneId=3 is embedded,\r\nsignifying that the file came from an untrusted zone, specifically the internet. This ensures that untrusted files are\r\nnot accidentally executed and allows the Windows operating system to perform extra security checks through\r\nMicrosoft Defender SmartScreen.\r\nCVE-2025-0411 allows threat actors to bypass Windows MoTW protections by double archiving contents using 7-Zip. 
Double archiving involves encapsulating an archive within an archive.\r\nAn MoTW designation helps prevent the automatic execution of potentially harmful scripts or applications by\r\nnotifying the system and user to treat the file with caution and then directing it to perform additional analysis via\r\nWindows Defender SmartScreen.\r\nWindows MoTW is an important part of the Windows security architecture and is needed for other key Windows\r\nprotection mechanisms to function, such as:\r\nWindows Defender SmartScreen, which examines files based on reputation and signature.\r\nMicrosoft Office Protected View, which protects users from threats such as malicious macros and Dynamic\r\nData Exchange (DDE) attacks.\r\nThe root cause of CVE-2025-0411 is that prior to version 24.09, 7-Zip did not properly propagate MoTW\r\nprotections to the content of double-encapsulated archives. This allows threat actors to craft archives containing\r\nmalicious scripts or executables that will not receive MoTW protections, leaving Windows users vulnerable to\r\nattacks.\r\nIn Figure 4, the poc.bat file has no MoTW protections since it is encapsulated inside the\r\npoc.outer.zip\\poc.inner.zip archive. 
This greatly increases the risk of infection and prevents Microsoft Windows\r\nDefender SmartScreen from performing reputation and signature checks.\r\nNow that we have covered a simple example of CVE-2025-0411, let’s examine how this vulnerability was\r\nexploited in the wild by Russian cybercrime groups.\r\nCVE-2025-0411 exploited as a zero-day by Russian cybercrime groups\r\nAs mentioned in our introduction, we first uncovered this zero-day exploit in the wild on September 25, 2024.\r\nThis vulnerability was used to target both the Ukrainian government and other Ukrainian organizations in a\r\nSmokeLoader campaign that was likely deployed by Russian cybercrime groups.\r\nDuring our investigation, we uncovered emails originating from multiple Ukrainian governing bodies and\r\nUkrainian business accounts targeting both Ukrainian municipal organizations and Ukrainian businesses.\r\nIn Figure 6, we see a 7-Zip attachment (SHA256:\r\nba74ecae43adc78efaee227a0d7170829b9036e5e7f602cf38f32715efa51826) coming from an email account\r\nbelonging to the State Executive Service of Ukraine (SES), a former organization within the Ukrainian executive\r\nbranch that has now been merged with the Ukrainian Ministry of Justice. The recipient of this spear-phishing\r\nemail is the helpdesk of the Zaporizhzhia Automobile Building Plant (PrJSC ZAZ) — ZAZ being one of the\r\nlargest manufacturers of automobiles, trucks, and buses within Ukraine. For some regional context, the\r\nZaporizhzhia Oblast is an important industrial region within Ukraine which has experienced some of the most intense\r\nfighting between Ukrainian and Russian forces since the start of the conflict in 2022. On March 3, 2022, the\r\nfighting culminated in the Russian capture of the Zaporizhzhia nuclear power plant, raising concerns about a\r\npotential nuclear meltdown. 
\r\nThis email was first uploaded to VirusTotal on September 25, 2024.\r\nThe exploitation of CVE-2025-0411 via homoglyph attacks\r\nEarlier, we discussed a working PoC exploit of CVE-2025-0411 that used a nested archive structure such as\r\npoc.outer.zip/poc.inner.zip/poc.bat. In the samples we uncovered as part of the SmokeLoader campaign, the inner\r\nZIP archive deployed a homoglyph attack to spoof a Microsoft Windows Document (.doc) file.\r\nA homoglyph attack is a type of attack incorporating typographic manipulation using similar-looking characters to\r\nfool victims into clicking suspicious files or visiting malicious websites. These attacks are commonly used as part\r\nof phishing campaigns, where threat actors might use homoglyphs for spoofing legitimate websites to trick users\r\ninto entering their credentials for credential harvesting. These credentials would then be employed as a pivot point\r\nto further compromise an organization.\r\nAs an example, an attacker may use the Cyrillic letter Es (which looks exactly like the Latin letter C or c) in a\r\ndomain name such as api-miсrosoft[.]com, with the “c” here being the Cyrillic “Es” character instead of the Latin one, to trick\r\nusers into trusting this domain — perhaps to lure them into entering sensitive details such as usernames and\r\npasswords.\r\nIn Figure 8, the potential for deception presented by homoglyph characters is clearly demonstrated. A fully\r\nspoofed Microsoft domain has been created by substituting the Latin character “C” with the Cyrillic character\r\n“Es” (С). 
This typographic manipulation effectively misleads individuals into believing that they are accessing a\r\nlegitimate Microsoft domain, thereby causing them to perceive the login screen as being part of an authentic site.\r\nIn Figure 9, the actual Microsoft login domain is depicted, with the actual Latin \"C\" character.\r\nAlthough this domain features the TLS/SSL lock icon and the Microsoft favicon, these indicators alone are not\r\nalways enough to verify the domain's authenticity. A comprehensive analysis of the TLS certificate and\r\nadditional technical specifics is often essential to substantiate the legitimacy of a domain. However, these\r\ntechnical elements can elude the average web user.\r\nHaving established an understanding of homoglyph attacks, let’s return to our analysis of the in-the-wild example.\r\nDuring this campaign, the threat actors implemented an additional layer of deception to manipulate users into\r\ntriggering the zero-day vulnerability CVE-2025-0411. By employing the Cyrillic character \"Es\", the attackers\r\ndesigned an inner archive mimicking a .doc file. This strategy effectively misleads users into inadvertently\r\ntriggering the exploit for CVE-2025-0411, resulting in the contents of the archive being released without MoTW\r\nprotections. Consequently, this allows for the execution of JavaScript files (.js), Windows Script Files (.wsf), and\r\nWindows Shortcut files (.url).\r\nUsing an example from the SmokeLoader campaign, Документи та платежи.7z\r\n(84ab6c3e1f2dc98cf4d5b8b739237570416bb82e2edaf078e9868663553c5412), translating to “Documents and\r\npayments” in English, serves as the outer zip archive and Спiсок.doс\r\n(7786501e3666c1a5071c9c5e5a019e2bc86a1f169d469cc4bfef2fe339aaf384), translated to “List”, serves as the\r\ninner archive. 
This uses a homoglyph attack where the “c” in the “.doc” extension is a Cyrillic “Es” character.\r\nIn Figure 10, we can see a side-by-side comparison of both outer and inner zip archives (which contain the 7-Zip\r\nmagic bytes \\x37\\x7A\\xBC\\xAF\\x27\\x1C). It is important to note that even though both archives happen to be 7-Zip archives, it does not matter what archive format is used when it comes to the exploitation of CVE-2025-0411.\r\nInside Спiсок.doс, the .url file Платежное Поручение в iнозеной валюте та сопроводiтельни документи вiд\r\n23.09.2024p.url (2e33c2010f95cbda8bf0817f1b5c69b51c860c536064182b67261f695f54e1d5) points to an\r\nattacker-controlled server hosting another ZIP archive.\r\nOnce Платежное Поручение в iнозеной валюте.pdf.exe is executed, the SmokeLoader payload is also then\r\nexecuted, leading to malware infection and full system compromise.\r\nKnown Ukrainian organizations affected or targeted by the zero-day exploit\r\nBased on the data we’ve uncovered, the following Ukrainian government entities and other organizations may\r\nhave been directly targeted and/or affected by this campaign:\r\nState Executive Service of Ukraine (SES) – Ministry of Justice\r\nZaporizhzhia Automobile Building Plant (PrJSC ZAZ) – Automobile, bus, and truck manufacturer\r\nKyivpastrans – Kyiv Public Transportation Service\r\nSEA Company – Appliances, electrical equipment, and electronics manufacturer\r\nVerkhovyna District State Administration – Ivano-Frankivsk oblast 
administration\r\nVUSA – Insurance company\r\nDnipro City Regional Pharmacy – Regional pharmacy\r\nKyivvodokanal – Kyiv Water Supply Company\r\nZalishchyky City Council – City council\r\nNote that this compilation of organizations impacted by the CVE-2025-0411 zero-day attack is not\r\ncomprehensive; there is a significant likelihood that additional organizations may have been affected or targeted\r\nby the perpetrators.\r\nIt appears that some of the compromised email accounts may have been acquired from prior campaigns, and it is\r\npossible that newly compromised accounts will be incorporated into future operations. The use of these\r\ncompromised email accounts lends an air of authenticity to the emails sent to targets, manipulating potential\r\nvictims into trusting the content and their senders.\r\nOne interesting takeaway from the organizations targeted and affected in this campaign is the prevalence of smaller local\r\ngovernment bodies. These organizations are often under intense cyber pressure yet are often overlooked, less\r\ncyber-savvy, and lack the resources for the comprehensive cyber strategy that larger government organizations have.\r\nThese smaller organizations can serve threat actors as valuable pivot points into larger government\r\norganizations.\r\nRecommendations\r\nTo minimize the risks associated with CVE-2025-0411 and similar vulnerabilities, we recommend that\r\norganizations adhere to the following best practices:\r\nEnsure that all instances of 7-Zip are updated to version 24.09 or later. This version addresses the CVE-2025-0411 vulnerability.\r\nImplement strict email security measures, including the use of email filtering and anti-spam technologies to\r\ndetect and block spear-phishing attacks.\r\nTrain employees to recognize and report phishing attempts. 
Regularly update them on the latest phishing\r\ntactics, including homoglyph attacks on files and filetypes, as discussed in this entry.\r\nEducate users on zero-day and n-day vulnerabilities and on their own role in preventing exploitation.\r\nEducate users on the importance of MoTW and its role in preventing the automatic execution of potentially\r\nharmful scripts or applications.\r\nDisable the automatic execution of files from untrusted sources and configure systems to prompt users for\r\nverification before opening such files.\r\nImplement domain filtering and monitoring to detect and block homoglyph-based phishing attacks.\r\nUse URL filtering to block access to known malicious domains and regularly update blacklists with newly\r\nidentified threat domains.\r\nTrend Vision One™\r\nTrend Vision One™ is a cybersecurity platform that simplifies security and helps enterprises detect\r\nand stop threats faster by consolidating multiple security capabilities, enabling greater command of the\r\nenterprise’s attack surface, and providing complete visibility into its cyber risk posture. The cloud-based platform\r\nleverages AI and threat intelligence from 250 million sensors and 16 threat research centers around the globe to\r\nprovide comprehensive risk insights, earlier threat detection, and automated risk and threat response options in a\r\nsingle solution.\r\nTrend Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Vision One customers can access a range of Intelligence Reports and\r\nThreat Insights within Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen\r\nand allows them to prepare for emerging threats by offering comprehensive information on threat actors, their\r\nmalicious activities, and their techniques. 
By leveraging this intelligence, customers can take proactive steps to\r\nprotect their environments, mitigate risks, and effectively respond to threats.\r\nCVE-2025-0411: Analysis of a Zero-Day Vulnerability and its Use in Cyber Espionage\r\nTrend Vision One Threat Insights App\r\nEmerging Threats: CVE-2025-0411: Analysis of a Zero-Day Vulnerability and its Use in Cyber Espionage\r\nHunting Queries\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this\r\nblog post with data in their environment.\r\nmalName:*SMOKELOADER* AND eventName:MALWARE_DETECTION AND LogType: detection\r\nMore hunting queries are available for Trend Vision One customers with Threat Insights Entitlement\r\nenabled.\r\nConclusion\r\nIt is important that everyone using 7-Zip update to 7-Zip version 24.09 immediately, especially since CVE-2025-0411 has been under active exploitation since at least September 2024, with PoC exploits existing as well.\r\nThe exploitation of CVE-2025-0411 signifies another instance of a zero-day vulnerability being used in the\r\ncontext of the ongoing cyber front of the Russo-Ukrainian conflict. 
This situation illustrates the dynamic nature of\r\nthe current cyber conflict, particularly the employment of advanced zero-day deployment techniques, notably\r\nthrough homoglyph attacks.\r\nTo the best of our knowledge, this represents the first occasion in which a homoglyph attack has been integrated\r\ninto a zero-day exploit chain, thereby elevating concerns regarding the progression of such attacks beyond\r\ntraditional methods such as credential harvesting, phishing, and website spoofing.\r\nFurthermore, this campaign highlights the need for organizations to enhance their cybersecurity training programs\r\nby incorporating an understanding of homoglyph attacks, especially in relation to files, file extensions, and zero-day exploitation rather than limiting the focus to web spoofing alone. The Trend ZDI Threat Hunting team\r\nengages in proactive efforts to identify zero-day exploitation in the wild, therefore safeguarding organizations\r\nagainst real-world threats prior to vendor awareness.\r\nWe’ll be back with more findings as we have them. Until then, you can follow the Trend ZDI team on Twitter,\r\nMastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.\r\nIndicators of Compromise\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/25/a/cve-2025-0411-ukrainian-organizations-targeted.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/a/cve-2025-0411-ukrainian-organizations-targeted.html"
	],
	"report_names": [
		"cve-2025-0411-ukrainian-organizations-targeted.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775438969,
	"ts_updated_at": 1775791252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/044e1a31eed468642beeebe951bd938da24dcccf.pdf",
		"text": "https://archive.orkl.eu/044e1a31eed468642beeebe951bd938da24dcccf.txt",
		"img": "https://archive.orkl.eu/044e1a31eed468642beeebe951bd938da24dcccf.jpg"
	}
}