SmokeLoader malware aimed at multiple Ukrainian industries, using bug in file archiver
A Russian hacking campaign has exploited a vulnerability in a popular file archiver to infect Ukrainian government and private organizations with SmokeLoader malware, researchers have found.
The bug, tracked as CVE-2025-0411, was found in 7-Zip, a free and open-source file archiver developed by Russian programmer Igor Pavlov. Researchers at Tokyo-based cybersecurity firm Trend Micro identified it in September 2024, and it was patched two months later in 7-Zip 24.09, giving hackers ample time to exploit it in the wild. Because 7-Zip has no automatic update mechanism, installations that were never manually upgraded remain exposed.
The flaw lets attackers bypass a Windows security feature known as Mark-of-the-Web (MotW), which tags files downloaded from the internet so that Windows warns the user before running them. Vulnerable 7-Zip versions failed to carry that tag over to files extracted from an archive nested inside another downloaded archive, so an executable pulled out of such a "double-archived" attachment could run without the usual SmartScreen prompt. SmokeLoader is a loader known for collecting basic device information, including operating system details and location data, before fetching further payloads.
According to a new report by Trend Micro, Russian cybercriminals actively exploited the vulnerability in unpatched versions of 7-Zip to breach Ukrainian organizations, including one of the country’s largest automobile and truck manufacturers, a public transportation service, a regional pharmacy and a water supply company.
SmokeLoader typically has been deployed by financially motivated Russian hackers in the past. The likely goal of this campaign, however, was cyber-espionage, Trend Micro said. Researchers and intelligence agencies have noted — particularly since the start of the war in Ukraine — that Russian cybercriminals have supported the Kremlin.
The attackers used phishing emails designed to mimic communications from various Ukrainian government agencies and businesses to trick victims into opening them. Some compromised email accounts may have been obtained through previous cyberattacks, researchers said.
The phishing emails carried archive attachments crafted to trigger the 7-Zip bug; once a victim extracted and opened the contents, the malware ran without the MotW warning, giving the hackers a foothold from which to further infiltrate systems.
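The check a Windows administrator would want after reading the two paragraphs above is whether the installed 7-Zip predates the fix and whether files extracted from a downloaded archive actually keep their Mark-of-the-Web. The following PowerShell script is an added example written for this article; it is not code from the article, Trend Micro, or the 7-Zip project. The archive path `C:\Downloads\sample.7z` and output folder `C:\Temp\extracted` are hypothetical, and the script assumes 7-Zip is installed at its default location.

```powershell
# Added example for this article (not from the article, Trend Micro, or 7-Zip).
# Checks (1) whether the installed 7-Zip predates the 24.09 fix for CVE-2025-0411 and
# (2) whether files extracted from a downloaded archive, including any nested archive,
# still carry the Mark-of-the-Web (MotW). Windows keeps MotW in the Zone.Identifier
# alternate data stream; ZoneId=3 means "Internet".
# Assumed, hypothetical paths:
$Archive  = 'C:\Downloads\sample.7z'
$OutDir   = 'C:\Temp\extracted'
$SevenZip = Join-Path $env:ProgramFiles '7-Zip\7z.exe'
$FixedIn  = [version]'24.09'   # first release that propagates MotW to nested-archive contents

# Return the ZoneId from a file's Zone.Identifier stream, or $null if the file has none.
function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }      # no stream: Windows will not warn before running it
    foreach ($line in Get-Content -LiteralPath $Path -Stream Zone.Identifier) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

# Extract an archive with 7-Zip and report every extracted file that is not tagged ZoneId=3.
function Test-ExtractedMotw {
    param([Parameter(Mandatory)][string]$ArchivePath,
          [Parameter(Mandatory)][string]$Destination)
    & $SevenZip x $ArchivePath "-o$Destination" -y | Out-Null
    $files = Get-ChildItem -LiteralPath $Destination -Recurse -File
    $unmarked = $files | Where-Object { (Get-MotwZone $_.FullName) -ne 3 }
    foreach ($f in $unmarked) {
        Write-Warning "No MotW on $($f.FullName) (SmartScreen will not warn when it runs)"
    }
    return $files
}

# 1. Is the installed 7-Zip still vulnerable?
if (Test-Path $SevenZip) {
    $installed = [version](Get-Item $SevenZip).VersionInfo.ProductVersion
    if ($installed -lt $FixedIn) {
        Write-Warning "7-Zip $installed is older than $FixedIn; update manually, 7-Zip has no auto-update."
    } else {
        Write-Host "7-Zip $installed includes the CVE-2025-0411 fix."
    }
} else {
    Write-Warning "7z.exe not found at $SevenZip"
}

# 2. The downloaded archive itself should be tagged ZoneId=3 by the browser or mail client.
$zone = Get-MotwZone $Archive
if ($zone -ne 3) { Write-Warning "Archive $Archive is not marked as an Internet download (ZoneId=$zone)" }

# 3. Extract the outer archive, then extract any archive found inside it and check again.
#    This mirrors the "double archiving" pattern: the inner archive's contents are the
#    ones that lost MotW on vulnerable versions.
$extracted = Test-ExtractedMotw -ArchivePath $Archive -Destination $OutDir
$nested = $extracted | Where-Object { $_.Extension -in '.7z', '.zip', '.rar' }
foreach ($inner in $nested) {
    $innerOut = Join-Path $OutDir ("nested_" + $inner.BaseName)
    Write-Host "Nested archive found: $($inner.FullName); extracting to $innerOut"
    Test-ExtractedMotw -ArchivePath $inner.FullName -Destination $innerOut | Out-Null
}
```

Run it against a known-benign archive you downloaded yourself (never the suspect attachment on a production host). On a 7-Zip older than 24.09, step 3 will list the inner archive's contents as unmarked; after updating, the same files should report ZoneId=3. Note that MotW only exists on NTFS volumes, so a file copied to FAT32 or exFAT media loses the stream regardless of the archiver.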
SmokeLoader has been widely used by Russia-linked hackers in attacks against Ukrainian state and financial institutions. According to previous reports, the malware has been advertised on underground forums since 2011.
In the latest SmokeLoader campaign, hackers targeted, among others, smaller local government bodies, which are often “overlooked, less cyber-savvy, and lack the resources for a comprehensive cybersecurity strategy,” researchers said.
“These smaller organizations can be valuable pivot points for threat actors to infiltrate larger government entities,” they added.
In a separate report on Wednesday, India-based cybersecurity company CloudSEK identified another SmokeLoader target: Ukraine's largest bank, PrivatBank. The suspected hackers behind the campaign, tracked as UAC-0006, have been targeting PrivatBank customers since at least November 2024. Their phishing emails carried password-protected attachments, which email security gateways often cannot scan and so are more likely to pass through. PrivatBank has not responded to Recorded Future News' request for comment on the reported attacks.
According to researchers, UAC-0006's tactics overlap with those of FIN7, a notorious Russia-linked, financially motivated cybercrime group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015.
It remains unclear whether the campaigns described by Trend Micro and CloudSek are connected or what their impact has been on the targeted organizations.
Researchers warn that victims of such attacks risk exposing sensitive personal or corporate data, including credentials, financial information, and organizational secrets, which could be exploited for further attacks or sold on underground markets.
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.