CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks www.trendmicro.com/en_us/res…

On September 25, 2024, the Trend Micro Zero Day Initiative (ZDI) Threat Hunting team identified a zero-day vulnerability exploited in the wild and associated with the deployment of the loader malware known as SmokeLoader. This vulnerability is believed to be used by Russian cybercrime groups to target both governmental and non-governmental organizations in Ukraine, with cyberespionage being the most likely purpose of these attacks as part of the ongoing Russo-Ukrainian conflict. The exploitation involves the use of compromised email accounts and a zero-day vulnerability in the 7-Zip archiver (CVE-2025-0411), which was manipulated through homoglyph attacks (a technique we also define and explain in this blog entry).

Following initial analysis and the development of a proof-of-concept (PoC), we formally disclosed the vulnerability to Igor Pavlov, the creator of 7-Zip, on October 1, 2024. The issue was subsequently addressed, with 7-Zip releasing a patch as part of version 24.09 on November 30, 2024. This entry will first examine CVE-2025-0411 in a theoretical context, based on the PoC submitted to 7-Zip. Subsequently, we will analyze the real-world exploitation of this vulnerability as a zero-day in active use.
