
A newly discovered vulnerability in the 7-Zip file archiver has been exploited by Russian hackers to deliver SmokeLoader malware to Ukrainian government agencies and private companies, according to cybersecurity researchers.
The flaw, tracked as CVE-2025-0411, was identified by Trend Micro in September 2024 and patched two months later. Attackers exploited it during that window to bypass Windows' Mark-of-the-Web (MotW) protections, the mechanism that flags files as downloaded from the internet, and deploy SmokeLoader, malware known for gathering system and location data.
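The practical check a defender wants here is whether files extracted from an archive still carry the Mark-of-the-Web, which Windows stores as a `Zone.Identifier` alternate data stream on NTFS. The PowerShell function below is an added example, not code from the article or from Trend Micro; the function name and the folder path in the usage line are assumptions. It lists files under a folder that have no `Zone.Identifier` stream, which is exactly what a MotW bypass produces and what a patched archiver should not.

```powershell
# Added example (not from the article): report files that lack the
# Zone.Identifier alternate data stream, i.e. files Windows will not treat
# as having come from the internet. Point it at the folder an archive was
# extracted into to confirm the archiver propagated the mark.
function Get-FilesWithoutMotw {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        # Every NTFS file has at least the ':$DATA' stream; a downloaded file
        # should also carry 'Zone.Identifier' (contents: [ZoneTransfer] ZoneId=3).
        $streams = Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue
        $hasMotw = $streams | Where-Object { $_.Stream -eq 'Zone.Identifier' }
        if (-not $hasMotw) {
            $_.FullName
        }
    }
}

# Usage (folder name is a placeholder, not a path from the article):
# Get-FilesWithoutMotw -Path 'C:\Users\me\Downloads\extracted'
#
# To inspect the mark on a file that does carry it:
# Get-Content -Path 'C:\Users\me\Downloads\archive.7z' -Stream Zone.Identifier
```

Run the check against a test extraction from a freshly downloaded archive: with a patched archiver the extracted files should appear in the output only if the original archive itself lacked the mark. The stream is NTFS-only, so files on FAT/exFAT media or copied through non-NTFS paths will be listed regardless.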
Trend Micro reports that affected organizations include a major Ukrainian automobile manufacturer, a public transport provider, a pharmacy chain, and a regional water supplier. The attackers used phishing emails impersonating Ukrainian government agencies to distribute malicious attachments exploiting the 7-Zip vulnerability.
While SmokeLoader has previously been linked to financially motivated Russian hackers, experts believe this campaign was focused on cyber-espionage. Russian cybercriminals have increasingly aligned with Kremlin interests, particularly since the invasion of Ukraine.
A separate report from CloudSEK highlights another target: PrivatBank, Ukraine's largest financial institution. The hacking group UAC-0006 has been impersonating the bank in phishing campaigns since late 2024, using password-protected attachments to evade security filters that cannot inspect encrypted archives. Researchers suggest UAC-0006 shares tactics with FIN7, a well-known Russian cybercriminal group.
Though it is unclear whether these campaigns are connected, cybersecurity experts warn that such attacks can expose sensitive financial and corporate data, potentially leading to further breaches or resale on underground markets.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543