
7-Zip 0-day was exploited in Russia’s ongoing invasion of Ukraine

Vulnerability stripped MotW tag Windows uses to flag Internet-downloaded files.

Dan Goodin
Credit: Getty Images

Researchers said they recently discovered a zero-day vulnerability in the 7-Zip archiving utility that was actively exploited as part of Russia's ongoing invasion of Ukraine.

The vulnerability allowed a Russian cybercrime group to override a Windows protection designed to limit the execution of files downloaded from the Internet. The defense is commonly known as MotW, short for Mark of the Web. It works by placing a “Zone.Identifier” tag on all files downloaded from the Internet or from a networked share. This tag, an NTFS Alternate Data Stream carrying the value ZoneID=3, subjects the file to additional scrutiny from Windows Defender SmartScreen and to restrictions on how or when it can be executed.

There’s an archive in my archive

The 7-Zip vulnerability allowed the Russian cybercrime group to bypass those protections. Exploits worked by embedding an executable file within an archive and then embedding the archive into another archive. While the outer archive carried the MotW tag, the inner one did not. The vulnerability, tracked as CVE-2025-0411, was fixed with the release of version 24.09 in late November.

Tag attributes of outer archive showing the MotW. Credit: Trend Micro
Attributes of inner-archive showing MotW tag is missing. Credit: Trend Micro


“The root cause of CVE-2025-0411 is that prior to version 24.09, 7-Zip did not properly propagate MoTW protections to the content of double-encapsulated archives,” wrote Peter Girnus, a researcher at Trend Micro, the security firm that discovered the vulnerability. “This allows threat actors to craft archives containing malicious scripts or executables that will not receive MoTW protections, leaving Windows users vulnerable to attacks.”

To better disguise the attacks, the extension of the executable files was rendered with what are known as homoglyphs. These are characters that aren’t part of the ASCII standard, even though they appear to be identical or similar to certain ASCII characters. An example is the Cyrillic С. It appears identical to the ASCII character C but has no connection to it; the two belong to entirely different character sets. Hackers have used homoglyphs for years to spoof domains for sensitive websites.

The threat actors exploiting the 7-Zip zero-day used homoglyphs in a similar way to make executable files appear to be document files. The double-archived files were attached to emails sent from genuine compromised accounts belonging to real Ukrainian government agencies. Girnus said the following agencies were targeted:

Anyone using 7-Zip, particularly on Windows, should ensure they’re using the latest version, which at the moment is 24.09.

Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Contact him on Signal at DanArs.82.
Staff Picks
Just curious how this works. If certain files are to be recognised as executable (e.g. for double-clicking), they need to be associated by a correct file extension to them that executes the linked action (opening a file in a program or executing it).

While changing the extension with different but similarly looking characters, would that not break the link to the associated program or the fact that Windows recognises it as executable in the first place (for double clicking)?

Windows commonly hides file extensions, so you can have a .pdf.exe that will show as being a .pdf. With a properly set file icon, it’ll look like a PDF but actually launch the executable.

However, the actual attack chain here is a little more clever than that, as detailed by the Trend Micro writeup (original file names are paraphrased in brackets):

1. {Documents and Payments}.7z is the outer 7z archive, which gets the MoTW flag and contains:
2. {List}.doc (with the c being a Cyrillic character) is an inner 7z archive to which the MoTW flag does not propagate. It in turn holds:
3. {Payment Order and Attachments}.url, which gets auto-opened thanks to the lack of MoTW (other files that can be auto-opened are .js (JavaScript) and .wsf (Windows Script File)). This file then reaches out to an attacker-controlled server to pull down:
4. invoce.zip, which has now avoided MoTW flagging entirely and contains:
5. {Payment Order}.pdf.exe, the actual malware payload.

Note that there are several points at which a user could go, “hmm, this is weird; I’m going to stop clicking on these files,” but all the files upon which the user clicks do look legitimate (besides the final one, whose .exe extension may or may not be hidden based on Windows settings).
Hi all! I'm the threat hunter who found this vulnerability. There is some confusion as to the file extension and execution. The second archive file starts with a Cyrillic "Es" character; in the wild the file extension is .do[es]/.doc, where [es] is the placeholder for the Cyrillic character which looks like a Latin "c" character. In many cases commonly used extensions are tied to applications which will open these files by default. Since .do[es] is not tied to any program, Windows doesn't know how to handle it.

Now the interesting thing is 7-ZIP will not only look at the file extension BUT the file's magic bytes "\x37\x7A\xBC\xAF\x27\x1C" in the header. Recognizing the 7-Zip magic bytes, 7-Zip will then proceed to process this file as an archive, the contents of which will not receive mark-of-the-web protections due to CVE-2025-0411.
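Tying together the article's description of MotW and the double-encapsulated archive with Girnus's magic-bytes note above, here is an added Python triage helper (my example, not Trend Micro's or 7-Zip's code) for checking already-extracted files: it parses Zone.Identifier stream text for the ZoneId, flags extracted files that lost the tag the outer archive carried, spots the 7z signature under a non-archive extension, and flags non-ASCII characters in extensions. The `audit_entries`/`zone_id` names and the entry layout are assumptions, and the sample entries are constructed.

```python
import re
from pathlib import PurePosixPath

# 7z signature that 7-Zip recognises even when the extension says otherwise
SEVEN_ZIP_MAGIC = b"\x37\x7a\xbc\xaf\x27\x1c"
ZONE_INTERNET = 3  # ZoneId=3 in the Zone.Identifier stream: Internet / untrusted origin

def zone_id(stream_text):
    """Parse Zone.Identifier stream text (on Windows: open(path + ':Zone.Identifier').read())
    and return its ZoneId as an int, or None when the stream is absent or has no ZoneId."""
    if stream_text is None:
        return None
    m = re.search(r"^ZoneId\s*=\s*(\d+)\s*$", stream_text, re.MULTILINE)
    return int(m.group(1)) if m else None

def extension_has_non_ascii(name):
    """True when the extension holds a non-ASCII character, e.g. Cyrillic 'с' in '.doс'."""
    return any(ord(ch) > 127 for ch in PurePosixPath(name).suffix)

def audit_entries(entries):
    """entries: dicts with keys name, head (leading bytes), zone (Zone.Identifier text or None),
    depth (0 = the downloaded file, 1 = extracted from it, 2 = extracted from that, ...).
    Returns (name, finding) pairs for a triage queue; this layout is an assumption."""
    findings = []
    outer_tagged = any(zone_id(e["zone"]) == ZONE_INTERNET for e in entries if e["depth"] == 0)
    for e in entries:
        if e["depth"] > 0 and outer_tagged and zone_id(e["zone"]) is None:
            findings.append((e["name"], "MotW not propagated from outer archive"))
        if e["head"].startswith(SEVEN_ZIP_MAGIC) and not e["name"].lower().endswith(".7z"):
            findings.append((e["name"], "7z signature under non-archive extension"))
        if extension_has_non_ascii(e["name"]):
            findings.append((e["name"], "non-ASCII (homoglyph) character in extension"))
    return findings

# Constructed sample mirroring the chain in the comments (names paraphrased, contents fake)
SAMPLE = [
    {"name": "Documents and Payments.7z", "head": SEVEN_ZIP_MAGIC + b"\x00", "depth": 0,
     "zone": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n"},
    {"name": "List.do\u0441", "head": SEVEN_ZIP_MAGIC + b"\x00", "depth": 1, "zone": None},
    {"name": "Payment Order and Attachments.url", "head": b"[InternetShortcut]", "depth": 2,
     "zone": None},
]

if __name__ == "__main__":
    for name, finding in audit_entries(SAMPLE):
        print(f"{name!r}: {finding}")
```

Run on the sample, the Cyrillic-named inner archive trips all three checks and the .url file trips the propagation check, which is the triage signal a patched 7-Zip (24.09 or later) removes by tagging the extracted contents.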