DPRK hackers dupe targets into typing PowerShell commands as admin - Related to commands, exploited, zero-day, ukraine, russian

7-Zip MotW bypass exploited in zero-day attacks against Ukraine

A 7-Zip vulnerability allowing attackers to bypass the Mark of the Web (MotW) Windows security feature was exploited by Russian hackers as a zero-day since September 2024.

, the flaw was used in SmokeLoader malware campaigns targeting the Ukrainian government and private organizations in the country.

The Mark of the Web is a Windows security feature designed to warn clients that the file they're about to execute comes from untrusted findings, requesting a confirmation step via an additional prompt. Bypassing MoTW allows malicious files to run on the victim's machine without a warning.

When downloading documents and executables from the web or received as an email attachment, Windows adds a special '[website]' alternate data stream called the Mark-of-the-Web (MoTW) to the file.

When attempting to open a downloaded file, Windows will check if a MoTW exists and, if so, display additional warnings to the user, asking if they are sure they wish to run the file. Similarly, when opening a document in Word or Excel with a MoTW flag, Microsoft Office will generate additional warnings and turn off macros.

As the Mark of the Web security capabilities prevent dangerous files from automatically running, threat actors commonly attempt to find MoTW bypasses so their files automatically run and execute.

For years, cybersecurity researchers requested 7-Zip add support for the Mark of the Web, but it was only in 2022 that support for the feature was finally added.

Trend Micro's Zero Day Initiative (ZDI) team first discovered the flaw, now tracked as CVE-2025-0411, on September 25, 2024, observing it in attacks carried out by Russian threat actors.

Hackers leveraged CVE-2025-0411 using double archived files (an archive within an archive) to exploit a lack of inheritance of the MoTW flag, resulting in malicious file execution without triggering warnings.

The specially crafted archive files were sent to targets via phishing emails from compromised Ukrainian government accounts to bypass security filters and appear legitimate.

Sample phishing email used in the campaign.

Utilizing homoglyph techniques, the attackers hid their payloads within the 7-Zip files, making them appear harmless Word or PDF documents.

Although opening the parent archive does propagate the MoTW flag, the CVE-2025-0411 flaw caused the flag not to propagate to the contents of the inner archive, allowing malicious scripts and executables to launch directly.

This last step triggers the SmokeLoader payload, a malware dropper used in the past to install info-stealers, trojans, ransomware, or creating backdoors for persistent access.

Trend Micro says these attacks impacted the following organizations:

State Executive Service of Ukraine (SES) – Ministry of Justice.

– Ministry of Justice Zaporizhzhia Automobile Building Plant (PrJSC ZAZ) – Automobile, bus, and truck manufacturer.

– Automobile, bus, and truck manufacturer Kyivpastrans – Kyiv Public Transportation Service.

– Kyiv Public Transportation Service SEA corporation – Appliances, electrical equipment, and electronics manufacturer.

– Appliances, electrical equipment, and electronics manufacturer Verkhovyna District State Administration – Ivano-Frankivsk oblast administration.

– Ivano-Frankivsk oblast administration VUSA – Insurance business.

– Insurance corporation Dnipro City Regional Pharmacy – Regional pharmacy.

– Regional pharmacy Kyivvodokanal – Kyiv Water Supply organization.

– Kyiv Water Supply firm Zalishchyky City Council – City council.

Although the discovery of the zero-day came in September, it took Trend Micro until October 1, 2024, to share a working proof-of-concept (PoC) exploit with the developers of 7-Zip.

The latter addressed the risks via a patch implemented in version [website], released on November 30, 2024. However, as 7-Zip does not include an auto-modification feature, it is common for 7-Zip customers to run outdated versions.

Therefore, it is strongly recommended that people download the latest version to make sure they are protected from this vulnerability.

The Open Web Application Security Project has in recent times introduced a new Top 10 project - the Non-Hum...

New research indicates that over 80,000 Hikvision surveillance cameras in the world today are vulner...

This week, our news radar presents that every new tech idea comes with its own challenges. A hot AI too...

BadPilot network hacking campaign fuels Russian SandWorm attacks

A subgroup of the Russian state-sponsored hacking group APT44, also known as 'Seashell Blizzard' and 'Sandworm', has been targeting critical organizations and governments in a multi-year campaign dubbed 'BadPilot.'

The threat actor has been active since at least 2021 and is also responsible for breaching networks of organizations in energy, oil and gas, telecommunications, shipping, and arms manufacturing sectors.

Microsoft's Threat Intelligence team says that the actor is dedicated to achieving initial access to target systems, establishing persistence, and maintaining presence to allow other APT44 subgroups with post-compromise expertise to take over.

"We have also observed the initial access subgroup to pursue access to an organization prior to a Seashell Blizzard-linked destructive attack," reads a Microsoft analysis shared with BleepingComputer.

Microsoft's assessment is "that Seashell Blizzard uses this initial access subgroup to horizontally scale their operations as new exploits are acquired and to sustain persistent access to current and future sectors of interest to Russia."

Microsoft's earliest observations of the subgroup's activity show opportunistic operations targeting Ukraine, Europe, Central and South Asia, and the Middle East, focusing on critical sectors.

Starting 2022, following Russia's invasion of Ukraine, the subgroup intensified its operations against critical infrastructure supporting Ukraine, including government, military, transportation, and logistics sectors.

Their intrusions aimed at intelligence collection, operational disruptions, and wiper attacks aimed at corrupting data at the targeted systems.

"We assess that the subgroup has likely enabled at least three destructive cyberattacks in Ukraine since 2023," mentions Microsoft regarding the subgroup's specific activity.

By 2023, the subgroup's targeting scope had broadened, conducting large-scale compromises across Europe, the United States, and the Middle East, and in 2024, it started focusing on the United States, United Kingdom, Canada, and Australia.

Initial access and post-compromise activity.

The APT44 subgroup employs multiple techniques to compromise networks, including exploiting n-day vulnerabilities in internet-facing infrastructure, credential theft, and supply chain attacks.

Supply-chain attacks were particularly effective against organizations across Europe and Ukraine, where the hackers targeted regionally managed IT service providers and then accessed multiple clients.

Microsoft has observed network scans and subsequent exploitation attempts of the following vulnerabilities:

CVE-2022-41352 (Zimbra Collaboration Suite).

CVE-2024-1709 (ConnectWise ScreenConnect).

CVE-2023-48788 (Fortinet FortiClient EMS).

After exploiting the above vulnerabilities to obtain access, the hackers established persistence by deploying custom web shells like 'LocalOlive'.

In 2024, the APT44 subgroup started to use legitimate IT remote management tools such as Atera Agent and Splashtop Remote Services to execute commands on compromised systems while posing as IT admins to evade detection.

Regarding the post-initial access activity, the threat actors use Procdump or the Windows registry to steal credentials, and Rclone, Chisel, and Plink for data exfiltration through covert network tunnels.

Researchers observed a novel technique in 2024 as the threat actor routed traffic through the Tor network "effectively cloaking all inbound connections to the affected asset and limiting exposures from both the actor and victim environment."

Finally, the subgroup performs lateral movement to reach all the parts of the network it can, and modifies the infrastructure as required for its operations.

The modifications include DNS configuration manipulations, the creation of new services and scheduled tasks, and the configuration of backdoor access using OpenSSH with unique public keys.

Microsoft says that the Russian hacker subgroup has "near-global reach" and helps Seashell Blizzard expand its geographical targeting.

In the research , the researchers share hunting queries, indicators of compromise (IoCs), and YARA rules for defenders to catch this threat actor's activity and stop it before .

Ivanti warnt vor mehreren, teils kritischen Sicherheitslücken in der VPN-Software Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS) und Ivanti S......

Look at any article with advice about best practices for cybersecurity, and about third or fourth on that list, you’ll find something about applying p......

Ivanti has released security updates to address multiple security flaws impacting Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Applic......

DPRK hackers dupe targets into typing PowerShell commands as admin

It involves deceptive error messages or prompts that direct victims to execute malicious code themselves, often via PowerShell commands. These actions typically lead to malware infections.

's Threat Intelligence team, the attacker masquerades as a South Korean government official and gradually builds a connection with the victim.

Once a certain level of trust is established, the attacker sends a spear-phishing email with a PDF attachment. However, targets that want to read the document are directed to a fake device registration link that instructs them to run PowerShell as an administrator and paste attacker-provided code.

Instructions for performing the device registration.

When executed, the code installs a browser-based remote desktop tool, downloads a certificate using a hardcoded PIN, and registers the victim’s device with a remote server, giving the attacker direct access for data exfiltration.

Microsoft says it observed this tactic in limited-scope attacks starting January 2025, targeting individuals that work in international affairs organizations, NGOs, government agencies, and media companies across North America, South America, Europe, and East Asia.

Microsoft notified individuals targeted by this activity, and urges others to take note of the new tactic and treat all unsolicited communications with extreme caution.

“While we have only observed the use of this tactic in limited attacks since January 2025, this shift is indicative of a new approach to compromising their traditional espionage targets,” warns Microsoft.

customers should show caution when encountering requests to execute on their computers code they copy online, especially when doing so with administrator privileges.

A subgroup within the infamous Russian state-sponsored hacking group known as Sandworm has been attributed to a multi-year initial access operation du......

Microsoft has released the KB5051974 cumulative upgrade for Windows 10 22H2 and Windows 10 21H2, which automatically installs the new Outlook for Windo......

Derzeit haben unbekannte Angreifer verschiedene Windows- und Windows-Server-Versionen im Visier. Admins sollten sicherstellen, dass Windows upgrade akt......