A 7-Zip vulnerability allowing attackers to bypass the Mark of the Web (MotW) Windows security feature was exploited by Russian hackers as a zero-day since September 2024.
The Mark of the Web is a Windows security feature designed to warn users that the file they’re about to execute comes from untrusted sources, requesting a confirmation step via an additional prompt. Bypassing MotW allows malicious files to run on the victim’s machine without a warning.
Hackers leveraged CVE-2025-0411 using double archived files (an archive within an archive) to exploit a lack of inheritance of the MotW flag, resulting in malicious file execution without triggering warnings.
The specially crafted archive files were sent to targets via phishing emails from compromised Ukrainian government accounts to bypass security filters and appear legitimate.
Utilizing homoglyph techniques, the attackers hid their payloads within the 7-Zip files, making them appear harmless Word or PDF documents.
7-Zip addressed the risks via a patch implemented in version 24.09, released on November 30, 2024. However, as 7-Zip does not include an auto-update feature, it is common for 7-Zip users to run outdated versions.
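As an added example (not code from the article or from 7-Zip), here is a small defensive pre-filter for mail attachments that flags the two traits the post describes: an archive nested inside another archive, and member names that mix Latin letters with look-alike letters from another script. It walks zip files because the Python standard library can read them; applying the same checks to a .7z member list with a third-party 7z reader is assumed to work the same way. The nested-archive sample it inspects is constructed in memory.

```python
import io
import unicodedata
import zipfile

ARCHIVE_EXTS = (".zip", ".7z", ".rar", ".tar", ".gz", ".xz", ".bz2", ".iso", ".cab")
ARCHIVE_MAGIC = (b"PK\x03\x04", b"7z\xbc\xaf\x27\x1c", b"Rar!\x1a\x07")  # zip, 7z, rar

def is_mixed_script(name: str) -> bool:
    """True if any single word in the name mixes ASCII letters with non-ASCII letters,
    e.g. 'Rеport.pdf' with a Cyrillic 'е' (U+0435) that renders like Latin 'e'.
    A name written wholly in one script, such as 'отчёт.pdf', is not flagged."""
    ascii_n = other_n = 0
    for ch in name + ".":  # trailing "." is a sentinel that flushes the last word
        if unicodedata.category(ch).startswith("L"):
            if ch.isascii():
                ascii_n += 1
            else:
                other_n += 1
        else:
            if ascii_n and other_n:
                return True
            ascii_n = other_n = 0
    return False

def looks_like_archive(name: str, head: bytes) -> bool:
    """Archive by extension or by magic bytes, so renaming the inner file does not hide it."""
    return name.lower().endswith(ARCHIVE_EXTS) or head.startswith(ARCHIVE_MAGIC)

def inspect_zip(data: bytes, prefix: str = "") -> list:
    """Return findings for a zip, recursing into nested zips (the double-archive case)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            if is_mixed_script(info.filename):
                findings.append(f"mixed-script name: {path}")
            member = zf.read(info)
            if looks_like_archive(info.filename, member[:8]):
                findings.append(f"nested archive: {path}")
                if member.startswith(b"PK\x03\x04"):  # only zip nesting is walked here
                    findings.extend(inspect_zip(member, path + "/"))
    return findings

def build_sample() -> bytes:
    """Constructed sample: outer zip -> inner zip -> 'Rеport.pdf' with a Cyrillic 'е'.
    The payload bytes are a dummy string, not a real executable."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("R\u0435port.pdf", b"MZ dummy payload")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.zip", inner.getvalue())
    return outer.getvalue()
```

Running `inspect_zip(build_sample())` reports the nested archive first and then the mixed-script member name inside it; either finding is a reason to quarantine the attachment rather than let a user extract it.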
as 7-Zip does not include an auto-update feature, it is common for 7-Zip users to run outdated versions.
Windows and promoting horrible computer practices, a match made in heaven.
Well if 7-Zip followed modern Microsoft recommended practices, they would publish their program as a UWP app on the Microsoft Store, which would automatically update. But a lot of people don’t like Microsoft Store Universal Windows Platform apps and prefer installing exe’s.
Utilizing homoglyph techniques, the attackers hid their payloads within the 7-Zip files, making them appear harmless Word or PDF documents.
lol, get owned if you open an Office doc from your email.
Markdown stays winning
If you are a Windows user, I recommend using Chocolatey or something similar to manage packages like 7-Zip.
Winget is the native package manager built into the OS; it works decently.
Oh, that’s the thing where they copied AppGet after ghosting its creator!
I think at least it doesn’t run any package scripts for installation. Probably the better choice than Chocolatey, especially for people with nation state adversaries.
Yeah, winget works pretty well. There is a utility I have on my PC called topgrade which finds all package managers and Windows Update and runs them all for you.
topgrade does Windows Update on Windows? I swear it supports everything.
If 7-Zip or VLC or whatever ever gets me killed…
what a world we live in
And to think, if some unsuspecting Ukrainian bureaucrat just had the self control to not click on the “Meet Russian Singles in Your Area!” email while at work, I would never have learned this fact.
smdh