“7-Zip Zero-Day Flaw Capitalized On Amidst Russia’s Invasion of Ukraine”

# **7-Zip Security Flaw Utilized to Evade Windows Protection Measures**

## **Overview**
A newly identified zero-day security flaw in the widely used 7-Zip archiving software has been leveraged by Russian hackers to circumvent Windows security safeguards. The vulnerability let attackers strip the “Mark of the Web” (MotW) label from downloaded files, so that those files escaped Windows Defender SmartScreen and other protective mechanisms. The vulnerability, identified as **CVE-2025-0411**, has been actively exploited in attacks against Ukrainian entities amid the ongoing invasion by Russia.

## **Insights into the Mark of the Web (MotW)**
The **Mark of the Web (MotW)** is a protective feature in Windows that flags files downloaded from the internet or from network shares. On download, Windows attaches a **Zone.Identifier** tag, namely **ZoneID=3** (the Internet zone), which causes additional security checks to run before the file is opened. The mechanism is designed to prevent the execution of potentially harmful files by limiting their permissions and issuing security alerts.
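The Zone.Identifier tag lives in an NTFS alternate data stream with a small INI-style body. The following Python script is an added example, not code from the article or from 7-Zip: it parses that body, classifies the zone, and (on Windows only) reads the stream off a file so extracted files lacking the tag can be listed. The sample stream and the `example.invalid` URLs are constructed; the zone-id names follow the standard Windows URL security zones.

```python
"""Parse and audit the Windows Zone.Identifier (Mark of the Web) stream."""
import os
import sys

# Standard Windows URL security zones carried in the ZoneId field.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of the stream Windows writes next to a downloaded file.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/download\r\n"
    "HostUrl=https://example.invalid/files/report.zip\r\n"
)


def parse_zone_identifier(text):
    """Return the key/value pairs of the [ZoneTransfer] section.

    ZoneId is converted to int; other keys (ReferrerUrl, HostUrl) stay as
    strings. Lines outside [ZoneTransfer] and malformed lines are ignored.
    """
    result = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.lower() == "zoneid":
            try:
                value = int(value)
            except ValueError:
                continue
        result[key] = value
    return result


def is_marked_from_internet(text):
    """True when the stream says Internet (3) or Restricted sites (4)."""
    return parse_zone_identifier(text).get("ZoneId") in (3, 4)


def read_motw(path):
    """Read and parse a file's Zone.Identifier stream (Windows/NTFS only).

    Returns None when the file carries no such stream, which is exactly the
    state an executable ends up in after the bypass described above.
    """
    if not sys.platform.startswith("win"):
        raise OSError("alternate data streams are only readable on Windows/NTFS")
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except FileNotFoundError:
        return None


def audit_directory(directory):
    """Return paths of files under `directory` that have no Zone.Identifier stream."""
    missing = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            if read_motw(full) is None:
                missing.append(full)
    return missing


if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(info, "->", ZONE_NAMES.get(info.get("ZoneId"), "unknown zone"))
    if len(sys.argv) > 1:  # e.g. the folder a downloaded archive was extracted into
        for path in audit_directory(sys.argv[1]):
            print("no MotW:", path)
```

Running the script on Windows with an extraction folder as its argument lists every extracted file that lost the tag; on other platforms only the parser runs, since alternate data streams are an NTFS feature.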

However, the recent vulnerability in **7-Zip** allowed attackers to bypass this safeguard by placing an executable inside a **double archive**, that is, an archive nested within another archive.

## **Mechanism of Exploitation of the 7-Zip Vulnerability**
The exploit worked by placing an executable inside an archive, which was then nested inside another archive. The **outer archive** carried the MotW tag, but the **inner archive** did not. Consequently, when a user extracted the inner archive, the embedded executable was **not recognized** as coming from an untrusted source.

This flaw let attackers deliver malware without triggering Windows security alerts, making it easier to execute harmful payloads.

### **Technical Analysis**
– The vulnerability was found in **7-Zip versions earlier than 24.09**.
– The **MotW tag was not propagated** to files contained within nested (double) archives.
– Attackers employed **homoglyphs** (characters that look alike but differ) to mask executable files as safe documents.
– Malicious files were sent via **phishing emails** originating from hijacked Ukrainian government accounts.
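The double-archive structure described in the exploitation mechanism and the technical analysis above is easy to spot before a user ever extracts it. The following Python script is an added example, not code from the article: it walks a ZIP attachment, records any archive nested inside it and any executable found at each nesting depth, and reports when an executable sits inside an inner archive. The sample archives are constructed in memory; only ZIP containers are opened (the standard library has no 7z or RAR reader), other archive types are merely reported as nested.

```python
"""Detect executables hidden inside nested (double) ZIP archives."""
import io
import zipfile

ARCHIVE_EXTS = (".zip", ".7z", ".rar", ".tar", ".gz", ".xz", ".bz2", ".cab", ".iso")
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".msi", ".lnk")
MAX_NESTED_BYTES = 50 * 1024 * 1024  # refuse to expand oversized inner archives


def build_double_archive():
    """Constructed sample: outer.zip -> inner.zip -> payload.exe."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("payload.exe", b"MZ constructed placeholder, not a real binary")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("inner.zip", inner.getvalue())
        z.writestr("cover_letter.txt", b"please see the attached file")
    return outer.getvalue()


def build_flat_archive():
    """Constructed sample with the executable at the top level (single archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("payload.exe", b"MZ constructed placeholder, not a real binary")
    return buf.getvalue()


def inspect_archive(data, depth=0, max_depth=3, prefix=""):
    """Return (path, kind, depth) findings for a ZIP and the ZIPs nested in it.

    kind is "executable" or "nested-archive"; depth 0 is the outer archive.
    Nested paths are written as outer!inner so they cannot be confused with
    directory entries. Non-ZIP data and over-deep nesting yield no findings.
    """
    findings = []
    if depth > max_depth:
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            lower = info.filename.lower()
            if lower.endswith(EXECUTABLE_EXTS):
                findings.append((path, "executable", depth))
            if lower.endswith(ARCHIVE_EXTS):
                findings.append((path, "nested-archive", depth))
                if lower.endswith(".zip") and info.file_size <= MAX_NESTED_BYTES:
                    findings.extend(
                        inspect_archive(zf.read(info), depth + 1, max_depth, path + "!")
                    )
    return findings


def is_double_archived_executable(data):
    """True when an executable is found inside an archive nested in `data`."""
    return any(kind == "executable" and depth >= 1
               for _path, kind, depth in inspect_archive(data))


if __name__ == "__main__":
    sample = build_double_archive()
    for finding in inspect_archive(sample):
        print(finding)
    print("double-archived executable:", is_double_archived_executable(sample))
```

A mail gateway or endpoint script can apply `is_double_archived_executable` to incoming attachments; a nested archive that contains an executable is unusual enough in legitimate mail to justify quarantining or at least flagging it for review.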

## **Identified Targets**
The threat actors behind this operation targeted Ukrainian organizations including:
– **State Executive Service of Ukraine (SES)** – Ministry of Justice
– **Zaporizhzhia Automobile Building Plant (PrJSC ZAZ)** – Vehicle manufacturer
– **Kyivpastrans** – Kyiv Public Transportation Service
– **SEA Company** – Electronics manufacturer
– **Verkhovyna District State Administration** – Ivano-Frankivsk oblast administration
– **VUSA** – Insurance company
– **Dnipro City Regional Pharmacy** – Regional pharmacy
– **Kyivvodokanal** – Kyiv Water Supply Company
– **Zalishchyky City Council** – City council

These entities were pursued through phishing emails containing harmful **double-archived** files.

## **Measures and Suggestions**
To guard against this vulnerability, users are advised to:
1. **Update 7-Zip Promptly** – The issue was addressed in **7-Zip version 24.09**, which was released in late November 2024.
2. **Activate Advanced Security Features** – Utilize **Windows Defender SmartScreen** and **Microsoft Defender for Endpoint** to identify suspicious files.
3. **Exercise Caution with Email Attachments** – Refrain from opening **double-archived** files from unknown or unanticipated senders.
4. **Check File Extensions** – Be vigilant for homoglyph-based file names that may misrepresent executables as documents.
5. **Consider Alternative Archiving Tools** – Consider archiving software that preserves the MotW tag on extracted files.
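Recommendation 4 above asks users to check for homoglyph-based file names that disguise executables as documents. The following Python script is an added example, not code from the article: it flags attachment names whose stem mixes scripts, whose extension contains letters that merely look like ASCII, or whose real extension is executable behind a document-looking one. The confusables map is a small constructed subset of the Unicode confusables data, and the extension lists are assumptions a deployment would tune.

```python
"""Heuristic checks for homoglyph and extension tricks in attachment names."""
import unicodedata

# Constructed subset of Cyrillic and Greek letters that render like ASCII letters.
# A production check would load the full Unicode confusables table instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u0501": "d",
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H", "\u039a": "K",
    "\u039c": "M", "\u039d": "N", "\u039f": "O", "\u03a1": "P", "\u03a4": "T",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
}

# Assumed extension lists; extend to match local policy.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs",
                   "hta", "msi", "lnk", "dll"}
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "rtf", "odt"}


def skeleton(text):
    """Replace confusable letters by their ASCII look-alikes after NFKC folding."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", text))


def scripts_used(text):
    """Scripts of the letters in `text`, taken from the first word of each
    Unicode character name (LATIN, CYRILLIC, GREEK, ...)."""
    found = set()
    for ch in text:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def analyze_filename(name):
    """Return the reasons a file name looks deceptive; an empty list means clean.

    Scripts are judged per component so a Ukrainian (Cyrillic) document name
    with a Latin extension is not flagged, while a Latin name with a single
    Cyrillic letter inserted, or a Latin extension spelled with Cyrillic
    look-alikes, is.
    """
    reasons = []
    stem, _, shown_ext = name.rpartition(".")
    if not stem:  # no dot at all: the whole name is the stem
        stem, shown_ext = name, ""
    stem_scripts = scripts_used(stem)
    if len(stem_scripts) > 1:
        reasons.append("mixed scripts in name: " + ", ".join(sorted(stem_scripts)))
    true_ext = skeleton(shown_ext).lower()
    if shown_ext and true_ext.isascii() and true_ext != shown_ext.lower():
        reasons.append(f"extension '.{shown_ext}' contains homoglyphs of '.{true_ext}'")
    if true_ext in EXECUTABLE_EXTS:
        reasons.append("executable extension: ." + true_ext)
        inner = stem.rsplit(".", 1)[-1] if "." in stem else ""
        if skeleton(inner).lower() in DOCUMENT_EXTS:
            reasons.append("document extension placed before the executable extension")
    return reasons


if __name__ == "__main__":
    for sample in ("report.docx", "Документи.docx", "invoice.pdf.exe",
                   "report.d\u043e\u0441", "r\u0435port.docx"):
        print(repr(sample), analyze_filename(sample))
```

Because Windows matches extensions by exact characters, a name ending in a homoglyph extension such as `.dос` (Cyrillic о and с) is not a Word document at all; the homoglyph check therefore fires on the extension regardless of what the underlying file type turns out to be.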

## **Final Thoughts**
The **7-Zip CVE-2025-0411 security flaw** draws attention to the adaptive strategies of cybercriminals in evading protective measures. By exploiting a weakness in the file archiving process, attackers successfully bypassed Windows security and propagated malware undetected. It is imperative for organizations and individuals to remain alert, keep their software updated, and adhere to cybersecurity best practices to address such vulnerabilities.