A critical vulnerability in the popular file archiving software 7-Zip has been exploited by Russian threat actors in zero-day attacks targeting Ukraine since September 2024. The flaw, tracked as CVE-2025-0411, lets attackers bypass the Mark of the Web (MoTW) Windows security feature, so malicious files can execute without the usual user warnings. Trend Micro researchers have linked this exploitation to campaigns distributing the SmokeLoader malware, primarily affecting Ukrainian government institutions and private sector organizations.
The Mark of the Web (MoTW) is a core Windows security mechanism designed to protect users from executing potentially harmful files that originate from untrusted sources. When a file is downloaded from the internet or received as an email attachment, Windows attaches a special ‘Zone.Identifier’ alternate data stream — the MoTW — to the file. This tag triggers additional warnings when the user attempts to open the file, providing a layer of defense against malware.
For example, when opening documents in Microsoft Word or Excel with an MoTW flag, users receive security alerts, and macros are disabled by default…
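As an added example (not code from the article or from Trend Micro), the following Python reads and parses the Zone.Identifier stream described above and audits whether files extracted from an internet-marked archive still carry the mark. The stream is an INI-style text block (`[ZoneTransfer]`, `ZoneId=3`, optional `ReferrerUrl`/`HostUrl`); the `archive`/`extracted_files` paths and the injectable `reader` are assumptions for illustration, and the `path:Zone.Identifier` syntax only resolves on NTFS under Windows.

```python
"""Check files for the Mark of the Web (Zone.Identifier alternate data stream)."""
from typing import Callable, Dict, List, Optional, Tuple

# URL security zones as Windows numbers them; 3 (Internet) and 4 trigger MoTW warnings.
ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}


def parse_zone_identifier(stream_text: str) -> Dict[str, object]:
    """Parse the INI-style body of a Zone.Identifier stream into a dict.

    Only keys under the [ZoneTransfer] section are kept; ZoneId becomes an int.
    """
    fields: Dict[str, object] = {}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if "ZoneId" in fields:
        fields["ZoneId"] = int(str(fields["ZoneId"]))
    return fields


def read_motw(path: str) -> Optional[Dict[str, object]]:
    """Return the parsed MoTW of a file, or None when it has no Zone.Identifier stream."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:  # no such stream (or not an NTFS volume / not Windows)
        return None


def zone_name(zone_id: int) -> str:
    return ZONE_NAMES.get(zone_id, f"Unknown zone {zone_id}")


def audit_extraction(archive: str, extracted_files: List[str],
                     reader: Callable[[str], Optional[Dict[str, object]]] = read_motw,
                     ) -> Tuple[Optional[Dict[str, object]], List[str]]:
    """Report extracted files that lack the MoTW although the archive carried one.

    Returns (archive MoTW or None, list of extracted paths without a stream).
    A file that lost the mark opens without the warnings the archive would have shown.
    """
    archive_motw = reader(archive)
    if archive_motw is None or int(str(archive_motw.get("ZoneId", 0))) < 3:
        return archive_motw, []  # archive not marked as internet-origin; nothing to inherit
    return archive_motw, [p for p in extracted_files if reader(p) is None]
```

On a Windows host, `audit_extraction("download.7z", [...])` with the default reader inspects the real streams; the injectable `reader` lets the logic be exercised on constructed data elsewhere.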