A 7-Zip vulnerability allowing attackers to bypass the Mark of the Web (MotW) Windows security feature was exploited by Russian hackers as a zero-day since September 2024.
The Mark of the Web is a Windows security feature designed to warn users that the file they're about to execute comes from an untrusted source, requesting confirmation via an additional prompt. Bypassing MotW allows malicious files to run on the victim's machine without any warning.
Hackers leveraged CVE-2025-0411 using double-archived files (an archive within an archive) to exploit the fact that the MotW flag was not inherited by the contents of the inner archive, resulting in malicious file execution without triggering warnings.
The specially crafted archive files were sent to targets via phishing emails from compromised Ukrainian government accounts, so that they bypassed security filters and appeared legitimate.
Using homoglyph techniques, the attackers hid their payloads within the 7-Zip files, making them appear to be harmless Word or PDF documents.
7-Zip addressed the risk with a patch in version 24.09, released on November 30, 2024. However, because 7-Zip does not include an auto-update feature, it is common for 7-Zip users to run outdated versions.
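Two checks follow directly from the summary above: whether the installed 7-Zip is older than the patched 24.09 release, and whether files pulled out of a downloaded archive actually carry the Mark of the Web (on NTFS it is stored in the `Zone.Identifier` alternate data stream). The PowerShell script below is an added example written for this page; it is not code from the article or from the 7-Zip project. It assumes the 7-Zip installer recorded its install directory in the `Path` value under `HKLM:\SOFTWARE\7-Zip` and that the folder to audit is passed in (or defaults to a constructed sample path).

```powershell
# Added example (not from the article or 7-Zip): audit the 7-Zip version and
# check extracted files for the Mark of the Web (Zone.Identifier ADS).
# Assumption: 7-Zip's installer stores its install directory in the "Path"
# value under HKLM:\SOFTWARE\7-Zip. Adjust if your deployment differs.

param(
    # Constructed default; point this at the folder where an archive was unpacked.
    [string]$ExtractedFolder = "$env:USERPROFILE\Downloads\extracted"
)

# First release that fixed CVE-2025-0411 (from the article).
$PatchedVersion = [version]'24.09'

function Get-SevenZipVersion {
    # Reads the install path from the registry and returns the file version of 7z.exe,
    # or $null if 7-Zip is not installed in the expected location.
    $key = Get-ItemProperty -Path 'HKLM:\SOFTWARE\7-Zip' -ErrorAction SilentlyContinue
    if (-not $key -or -not $key.Path) { return $null }
    $exe = Join-Path -Path $key.Path -ChildPath '7z.exe'
    if (-not (Test-Path -LiteralPath $exe)) { return $null }
    return [version](Get-Item -LiteralPath $exe).VersionInfo.FileVersion
}

function Test-MarkOfTheWeb {
    # Reports whether a file carries the Zone.Identifier stream and, if so, its ZoneId
    # (3 = Internet). Files that came from the internet but lack the stream will run
    # without the MotW prompt, which is exactly the condition the bypass produces.
    param([Parameter(Mandatory)][string]$Path)

    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = $null
    if ($stream) {
        $line = Get-Content -LiteralPath $Path -Stream Zone.Identifier | Where-Object { $_ -match '^ZoneId=(\d+)' }
        if ($line) { $zoneId = [int]($line -replace '^ZoneId=', '') }
    }
    [pscustomobject]@{
        Path    = $Path
        HasMotW = [bool]$stream
        ZoneId  = $zoneId
    }
}

# 1. Version check against the patched release.
$installed = Get-SevenZipVersion
if ($null -eq $installed) {
    Write-Warning '7-Zip not found at the registry-recorded path; check manually.'
} elseif ($installed -lt $PatchedVersion) {
    Write-Warning "7-Zip $installed is older than $PatchedVersion and is affected by CVE-2025-0411."
} else {
    Write-Output "7-Zip $installed is at or above the patched release $PatchedVersion."
}

# 2. MotW audit of everything under the extracted folder; files with HasMotW = False
#    are the ones that would execute without the Windows warning prompt.
if (Test-Path -LiteralPath $ExtractedFolder) {
    Get-ChildItem -LiteralPath $ExtractedFolder -File -Recurse |
        ForEach-Object { Test-MarkOfTheWeb -Path $_.FullName } |
        Sort-Object HasMotW |
        Format-Table -AutoSize
} else {
    Write-Warning "Folder '$ExtractedFolder' does not exist; nothing to audit."
}
```

Run it as `.\Audit-7Zip.ps1 -ExtractedFolder 'C:\path\to\unpacked'`. The Zone.Identifier stream only exists on NTFS volumes, so files on FAT/exFAT media will always show `HasMotW = False` regardless of origin, and the version check covers only the registry-recorded install, not portable copies of 7-Zip on the machine.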
If you are a Windows user I recommend using Chocolatey or something similar to manage packages like 7zip.
Winget is the native package manager built into the OS; it works decently.
Oh, that's the thing where they copied AppGet after ghosting its creator!
I think at least it doesn't run any package scripts for installation. Probably the better choice than Chocolatey, especially for people with nation state adversaries.
Yeah, winget works pretty well. There is a utility I have on my PC called topgrade which finds all package managers and Windows Update and runs them all for you.
topgrade does Windows Update on Windows? I swear it supports everything.
scoop gang