A Russian hacking campaign has exploited a vulnerability in a popular file archiver to infect Ukrainian government and private organizations with SmokeLoader malware, researchers have found.
The bug, tracked as CVE-2025-0411, was found in 7-Zip, the free and open-source file archiver developed by Russian programmer Igor Pavlov. Researchers at the Tokyo-based cybersecurity firm Trend Micro identified it in September 2024; a fix shipped two months later, in November 2024, leaving attackers a window in which to exploit it in the wild. The flaw lets an attacker bypass Mark-of-the-Web (MotW), the Windows mechanism that tags files downloaded from the internet so that SmartScreen and Office Protected View treat them as potentially unsafe: files extracted by a vulnerable 7-Zip from a nested (archive-in-archive) attachment did not inherit the mark, so Windows skipped the warnings it would normally show before running them. SmokeLoader is a malware loader; the researchers note that it also harvests basic device information, including operating system details and location data.
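The practical questions a defender has after reading the paragraph above are "is our 7-Zip at or above the fixed version?" and "did files extracted from a marked archive actually keep their Mark-of-the-Web?". The script below is an added triage helper written for this page; it is not code from Trend Micro, Igor Pavlov or the original article. It parses the `Zone.Identifier` alternate data stream that carries MotW (an INI-style `[ZoneTransfer]` section with `ZoneId`, where 3 means Internet zone), compares a 7-Zip version string against 24.09 (the release that fixed CVE-2025-0411, per the vendor and ZDI advisory, not stated on this page), and reports extracted files that lack a mark although the archive they came from carried one. The sample stream content and file names are constructed for illustration; reading the stream from disk only works on Windows/NTFS.

```python
"""Triage helpers for Mark-of-the-Web (MotW) around the 7-Zip CVE-2025-0411 bypass.

Added example for this page, not code from the original article or from 7-Zip.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ZoneId values used in the Zone.Identifier stream (Windows URLZONE enumeration).
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# 7-Zip 24.09 is the release that fixed CVE-2025-0411 (vendor/ZDI advisory; not on this page).
PATCHED_7ZIP: Tuple[int, int] = (24, 9)

# Constructed sample of a Zone.Identifier stream as Windows writes it for a downloaded file.
SAMPLE_MOTW = ("[ZoneTransfer]\r\n"
               "ZoneId=3\r\n"
               "ReferrerUrl=https://mail.example.invalid/\r\n"
               "HostUrl=https://mail.example.invalid/attachment.zip\r\n")


@dataclass
class ZoneIdentifier:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def is_internet_origin(self) -> bool:
        # Internet (3) and Restricted sites (4) are the zones SmartScreen/Protected View act on.
        return self.zone_id >= 3


def parse_zone_identifier(text: str) -> Optional[ZoneIdentifier]:
    """Parse Zone.Identifier stream content; None if there is no usable [ZoneTransfer] ZoneId."""
    section = None
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    if "zoneid" not in fields or not fields["zoneid"].isdigit():
        return None
    return ZoneIdentifier(int(fields["zoneid"]), fields.get("referrerurl"), fields.get("hosturl"))


def parse_7zip_version(version: str) -> Tuple[int, int]:
    """Turn '24.09', '24.09.0.0' or '9.20' into a comparable (major, minor) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised 7-Zip version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def is_7zip_patched(version: str) -> bool:
    return parse_7zip_version(version) >= PATCHED_7ZIP


def files_missing_mark(archive_mark: Optional[ZoneIdentifier],
                       extracted_marks: Dict[str, Optional[ZoneIdentifier]]) -> List[str]:
    """Files that lost MotW on extraction. Only meaningful if the archive itself was marked."""
    if archive_mark is None or not archive_mark.is_internet_origin:
        return []
    return sorted(path for path, mark in extracted_marks.items() if mark is None)


def read_motw(path: str) -> Optional[ZoneIdentifier]:
    """Read a file's Zone.Identifier ADS (Windows/NTFS only). None if the stream is absent."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def audit_extraction(archive_path: str, extract_dir: str) -> List[str]:
    """Walk an extraction directory on Windows and report files that dropped the mark."""
    marks = {os.path.join(root, name): read_motw(os.path.join(root, name))
             for root, _, names in os.walk(extract_dir) for name in names}
    return files_missing_mark(read_motw(archive_path), marks)


if __name__ == "__main__":
    mark = parse_zone_identifier(SAMPLE_MOTW)
    print("archive zone:", ZONE_NAMES.get(mark.zone_id, "unknown") if mark else "unmarked")
    for v in ("23.01", "24.08", "24.09"):
        print(f"7-Zip {v}: {'patched' if is_7zip_patched(v) else 'VULNERABLE to CVE-2025-0411'}")
```

On a Windows host, `audit_extraction(r"C:\Users\x\Downloads\invoice.7z", r"C:\Users\x\Downloads\invoice")` lists every extracted file with no `Zone.Identifier` stream even though the archive had an Internet-zone mark, which is exactly the condition the bypass produces; a patched 7-Zip propagates the mark and the list is empty.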
Trend Micro reports that Russian cybercriminals actively exploited the vulnerability in unpatched versions of 7-Zip to breach Ukrainian organizations, including one of the country’s largest automobile and truck manufacturers, a public transportation service, a regional pharmacy and a water supply company.
SmokeLoader has typically been deployed by financially motivated Russian hackers. The likely goal of this campaign, however, was cyber-espionage, Trend Micro said. Researchers and intelligence agencies have noted, particularly since the start of the war in Ukraine, that Russian cybercriminals have supported the Kremlin.
The attackers used phishing emails designed to mimic communications from various Ukrainian government agencies and businesses to trick recipients into opening the attachments. Some of the sending accounts may have been compromised in earlier attacks, researchers said. The attachments were archives that, when extracted with a vulnerable 7-Zip, dropped files without the Mark-of-the-Web, allowing the malware to run without the usual Windows warning and giving the hackers a foothold from which to move further into the systems.
SmokeLoader has been widely used by Russia-linked hackers in attacks against Ukrainian state and financial institutions. According to previous reports, the malware has been advertised on underground forums since 2011. In the latest SmokeLoader campaign, hackers targeted, among others, smaller local government bodies, which are often “overlooked, less cyber-savvy, and lack the resources for a comprehensive cybersecurity strategy,” researchers said. “These smaller organizations can be valuable pivot points for threat actors to infiltrate larger government entities,” they added.
In a separate report on 5 February, India-based cybersecurity company CloudSek identified another SmokeLoader target: Ukraine's largest bank, PrivatBank. The suspected hackers behind that campaign, tracked as UAC-0006, have been targeting PrivatBank customers since at least November 2024. Their phishing emails carried password-protected attachments, which email security gateways cannot unpack and scan and which are therefore more likely to be delivered. PrivatBank has not responded to Recorded Future News' request for comment on the reported attacks. According to researchers, UAC-0006's tactics overlap with those of FIN7, a notorious Russian advanced persistent threat (APT) group that has primarily targeted the US retail, restaurant, and hospitality sectors since mid-2015. It remains unclear whether the campaigns described by Trend Micro and CloudSek are connected, or what their impact has been on the targeted organizations.
Researchers warn that victims of such attacks risk exposing sensitive personal or corporate data, including credentials, financial information, and organizational secrets, which could be exploited for further attacks or sold on underground markets.
Related Article: https://redskyalliance.org/xindustry/smokeloader-malware
Source: Russian Hackers Exploited 7-Zip Zero-Day Against Ukraine - SecurityWeek
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122