CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks

    Date: 02/05/2025

    Severity: High

    Summary

In September 2024, Trend Micro's Zero Day Initiative (ZDI) threat hunting team uncovered a 7-Zip zero-day vulnerability (CVE-2025-0411) being exploited in a SmokeLoader malware campaign targeting Ukrainian organizations. The vulnerability was reported to 7-Zip author Igor Pavlov, and a fix shipped in 7-Zip version 24.09 on November 30, 2024. CVE-2025-0411 lets attackers bypass Windows Mark-of-the-Web (MotW) protections by double-archiving files: affected 7-Zip versions did not propagate the MotW (the Zone.Identifier alternate data stream) to files extracted from an archive that was itself nested inside a MotW-tagged archive, so the inner payload ran without the SmartScreen and Protected View checks that the tag normally triggers. In the observed campaign the nested archives were delivered by phishing email, and the executable inside used homoglyph characters in its file name so that it looked like a document. 7-Zip has no auto-update mechanism, so the fix is only in place where 24.09 or later has been installed manually.
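The two lure properties described above, a nested (double) archive and a homoglyph-spoofed extension, can be checked before anything is extracted. The following triage script is an added example written for this page; it is not code from Trend Micro, Gurucul or the 7-Zip project. It walks a ZIP in memory, flags nested archives (whose members lose the MotW on 7-Zip before 24.09), extensions that use non-Latin look-alike letters, and members that carry a PE header under a non-executable extension. The sample archive it builds is constructed for the demonstration (the member name AKT_PAX.zip only mimics the page's lure file name, and the "executable" is just an MZ header), and it handles ZIP nesting only; RAR and 7z containers would need a third-party library.

```python
import io
import unicodedata
import zipfile

# Cyrillic letters that render identically to Latin letters in most fonts.
CONFUSABLES = str.maketrans({"а": "a", "с": "c", "е": "e", "о": "o", "р": "p",
                             "х": "x", "у": "y", "і": "i", "ѕ": "s", "ј": "j"})
DOC_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "rtf", "txt"}
EXEC_EXTS = {"exe", "dll", "scr", "com", "cpl"}


def suspicious_name(name: str) -> list[str]:
    """Reasons a member name looks like a homoglyph / extension-spoofing lure."""
    reasons = []
    if "\u202e" in name:  # RIGHT-TO-LEFT OVERRIDE reverses the displayed extension
        reasons.append("right-to-left override in name")
    _, dot, ext = name.rpartition(".")
    if dot and not ext.isascii():
        folded = ext.lower().translate(CONFUSABLES)
        scripts = {unicodedata.name(c).split()[0] for c in ext if c.isalpha()}
        if folded in DOC_EXTS:
            reasons.append(f"extension {ext!r} spoofs .{folded} using "
                           f"{'/'.join(sorted(scripts))} letters")
        else:
            reasons.append(f"non-ASCII extension {ext!r}")
    return reasons


def triage_zip(blob: bytes, depth: int = 0, prefix: str = "") -> list[dict]:
    """Walk a (possibly nested) ZIP in memory; nothing is written to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}{info.filename}"
            data = zf.read(info)
            ext = info.filename.rpartition(".")[2].lower() if "." in info.filename else ""
            for reason in suspicious_name(info.filename):
                findings.append({"path": path, "depth": depth, "reason": reason})
            if data[:2] == b"MZ" and ext not in EXEC_EXTS:
                findings.append({"path": path, "depth": depth,
                                 "reason": "PE executable with non-executable extension"})
            if zipfile.is_zipfile(io.BytesIO(data)):
                findings.append({"path": path, "depth": depth,
                                 "reason": "nested archive: inner members lose MotW on 7-Zip < 24.09"})
                findings.extend(triage_zip(data, depth + 1, path + "/"))
    return findings


def build_sample() -> bytes:
    """Constructed lure: outer zip -> inner zip -> fake PE named with a Cyrillic extension."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"constructed sample, not a real executable"
    lure_name = "Спецификация.do\u0441"  # final letter is CYRILLIC SMALL LETTER ES, not Latin c
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(lure_name, fake_pe)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AKT_PAX.zip", inner.getvalue())  # constructed name mimicking the lure
    return outer.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample()):
        print(f"[depth {finding['depth']}] {finding['path']}: {finding['reason']}")
```

The extension check folds Cyrillic confusables to Latin and compares against document extensions, so a name ending in ".doс" (Cyrillic Es) is reported as spoofing ".doc"; a name with an unknown non-ASCII extension is still flagged, just less specifically. Any finding at depth 1 or deeper is content that a vulnerable 7-Zip would have extracted without the MotW.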

    Indicators of Compromise (IOC) List

Domains / URLs:

    file://185.156.72.78/MyFolder/invoce.zip

    http://alfacentarusmulticopter.ru/index.php

    http://johnfabiconinteraption.ru/index.php

    http://storeagroculturnaya.ru/index.php

    http://unicalads.ru/index.php 

    http://lazaretmed.pw/index.php

    http://technoads.pw/index.php 

    http://oncomnigos.online/index.php

    http://185.156.72.78/MyFolder/pay.zip

    http://southlander.ru/dklfhgjdfhgjd78khdgfjgh/akt.bat

    http://goodmastersportunicum.ru/load/svc.exe 

    http://ukrnetfilediscdownloadapplication.ru/file/download/68523654563845638465384585863874653786587365934/AKT_PAX_26_09_2024p.rar

    https://ukrnetfilediscdownloadapplication.ru/file/download/68523654563845638465384585863874653786587365934/AKT_PAX_26_09_2024p.rar

    alfacentarusmulticopter.ru

    johnfabiconinteraption.ru

    storeagroculturnaya.ru

    unicalads.ru

    lazaretmed.pw

    technoads.pw

    oncomnigos.online

    southlander.ru

    goodmastersportunicum.ru

    ukr-netfilediscdownloadapplication.ru

IP Address:

    185.156.72.78

Hashes (SHA-256):

    554d9ddd6fd1ccb15d7686c8badb8653323c71884c7f20efb19b56324ff34fc1
    
    2e33c2010f95cbda8bf0817f1b5c69b51c860c536064182b67261f695f54e1d5
    
    84ab6c3e1f2dc98cf4d5b8b739237570416bb82e2edaf078e9868663553c5412
    
    54678013c8741db3340960e54ba93001c27619ead5cf5cc2eafd4c0fcf797ae6
    
    62eb856a5f646c2883a3982f15c3eb877641f9e69783383ce8a73c688eccd543
    
    cd123c288f623878218be31125000441bb8c5447375af67bc3c1d27d16eb5f8c
    
    8ee225bdd38cf6fd014a16beb9e33a0650147a9b7ea2104afe2f47c01bd1db0b
    
    a059d671d950abee93ef78a170d58a3839c2a465914ab3bd5411e39c89ae55a2
    
    b3df042c5286fa91a4555e105038364bc66bfe7fdfe3769eb26b96e0ffe6096b
    
    915b73a57aaf759fbd5352d79656e1b697545e6c9d953ab05aacf61ed4f6e397
    
    d6d722ae73ddff1ad7c468feca882b159a2a6e267df8b219482b514cdab74c21
    
    fdfbdd42944c9e3b9697a8d8375e4e5cfd45c86941aa3f8f6dd0d08607b73144
    
    5c7d582ba61ac95fb0d330ecc05feeb4853ac1de1f5a6fd12df6491dd0b7ea34
    
    888f68917f9250a0936fd66ea46b6c510d0f6a0ca351ee62774dd14268fe5420

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

Domains / URLs 1:

    userdomainname like "goodmastersportunicum.ru" or url like "goodmastersportunicum.ru" or userdomainname like "johnfabiconinteraption.ru" or url like "johnfabiconinteraption.ru" or userdomainname like "unicalads.ru" or url like "unicalads.ru" or userdomainname like "alfacentarusmulticopter.ru" or url like "alfacentarusmulticopter.ru" or userdomainname like "lazaretmed.pw" or url like "lazaretmed.pw" or userdomainname like "southlander.ru" or url like "southlander.ru" or userdomainname like "storeagroculturnaya.ru" or url like "storeagroculturnaya.ru" or userdomainname like "ukr-netfilediscdownloadapplication.ru" or url like "ukr-netfilediscdownloadapplication.ru" or userdomainname like "http://johnfabiconinteraption.ru/index.php" or url like "http://johnfabiconinteraption.ru/index.php" or userdomainname like "http://storeagroculturnaya.ru/index.php" or url like "http://storeagroculturnaya.ru/index.php" or userdomainname like "http://alfacentarusmulticopter.ru/index.php" or url like "http://alfacentarusmulticopter.ru/index.php" or userdomainname like "http://southlander.ru/dklfhgjdfhgjd78khdgfjgh/akt.bat" or url like "http://southlander.ru/dklfhgjdfhgjd78khdgfjgh/akt.bat"

Domains / URLs 2:

    userdomainname like "file://185.156.72.78/MyFolder/invoce.zip" or url like "file://185.156.72.78/MyFolder/invoce.zip" or userdomainname like "http://unicalads.ru/index.php" or url like "http://unicalads.ru/index.php" or userdomainname like "http://lazaretmed.pw/index.php" or url like "http://lazaretmed.pw/index.php" or userdomainname like "http://technoads.pw/index.php" or url like "http://technoads.pw/index.php" or userdomainname like "http://oncomnigos.online/index.php" or url like "http://oncomnigos.online/index.php" or userdomainname like "http://185.156.72.78/MyFolder/pay.zip" or url like "http://185.156.72.78/MyFolder/pay.zip" or userdomainname like "http://goodmastersportunicum.ru/load/svc.exe" or url like "http://goodmastersportunicum.ru/load/svc.exe" or userdomainname like "http://ukrnetfilediscdownloadapplication.ru/file/download/68523654563845638465384585863874653786587365934/AKT_PAX_26_09_2024p.rar" or url like "http://ukrnetfilediscdownloadapplication.ru/file/download/68523654563845638465384585863874653786587365934/AKT_PAX_26_09_2024p.rar" or userdomainname like "storeagroculturnaya.ru" or url like "storeagroculturnaya.ru" or userdomainname like "https://ukrnetfilediscdownloadapplication.ru/file/download/68523654563845638465384585863874653786587365934/AKT_PAX_26_09_2024p.rar" or url like "https://ukrnetfilediscdownloadapplication.ru/file/download/68523654563845638465384585863874653786587365934/AKT_PAX_26_09_2024p.rar" or userdomainname like "technoads.pw" or url like "technoads.pw" or userdomainname like "oncomnigos.online" or url like "oncomnigos.online"

IP Address:

    dstipaddress IN ("185.156.72.78") or ipaddress IN ("185.156.72.78") or publicipaddress IN ("185.156.72.78") or srcipaddress IN ("185.156.72.78")

Hashes (SHA-256):

    sha256hash IN ("2e33c2010f95cbda8bf0817f1b5c69b51c860c536064182b67261f695f54e1d5","cd123c288f623878218be31125000441bb8c5447375af67bc3c1d27d16eb5f8c","d6d722ae73ddff1ad7c468feca882b159a2a6e267df8b219482b514cdab74c21","54678013c8741db3340960e54ba93001c27619ead5cf5cc2eafd4c0fcf797ae6","554d9ddd6fd1ccb15d7686c8badb8653323c71884c7f20efb19b56324ff34fc1","62eb856a5f646c2883a3982f15c3eb877641f9e69783383ce8a73c688eccd543","915b73a57aaf759fbd5352d79656e1b697545e6c9d953ab05aacf61ed4f6e397","fdfbdd42944c9e3b9697a8d8375e4e5cfd45c86941aa3f8f6dd0d08607b73144","84ab6c3e1f2dc98cf4d5b8b739237570416bb82e2edaf078e9868663553c5412","b3df042c5286fa91a4555e105038364bc66bfe7fdfe3769eb26b96e0ffe6096b","8ee225bdd38cf6fd014a16beb9e33a0650147a9b7ea2104afe2f47c01bd1db0b","a059d671d950abee93ef78a170d58a3839c2a465914ab3bd5411e39c89ae55a2","5c7d582ba61ac95fb0d330ecc05feeb4853ac1de1f5a6fd12df6491dd0b7ea34","888f68917f9250a0936fd66ea46b6c510d0f6a0ca351ee62774dd14268fe5420")
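The queries above match the IOC strings literally. Two things to watch when porting them to another engine: in most SQL-derived query languages `like` with no wildcard behaves as an exact comparison, so a `userdomainname` value will never equal a full URL and `www.` subdomains or mixed case will not match; and the `file://185.156.72.78/...` indicator is not an HTTP URL at all but an SMB fetch from that IP, so it should also be hunted as outbound TCP/445. The script below is an added example for this page, not Gurucul's or Trend Micro's code. It normalizes URLs and bare hosts to a lowercase hostname, does exact-or-parent-domain matching against the page's network IOCs (both spellings of the ukr-net host are kept exactly as the page lists them), treats file:// URLs as SMB, and checks SHA-256 values case-insensitively. The key=value log lines are constructed for the demonstration; only the IOC values in them come from the page.

```python
import re
from urllib.parse import urlsplit

# Network IOCs as listed on this page (both spellings of the ukr-net host kept as listed).
IOC_HOSTS = {
    "alfacentarusmulticopter.ru", "johnfabiconinteraption.ru", "storeagroculturnaya.ru",
    "unicalads.ru", "lazaretmed.pw", "technoads.pw", "oncomnigos.online",
    "southlander.ru", "goodmastersportunicum.ru",
    "ukr-netfilediscdownloadapplication.ru", "ukrnetfilediscdownloadapplication.ru",
}
IOC_IPS = {"185.156.72.78"}
# Two of the page's fourteen SHA-256 hashes, enough to exercise the matcher.
IOC_SHA256 = {
    "554d9ddd6fd1ccb15d7686c8badb8653323c71884c7f20efb19b56324ff34fc1",
    "2e33c2010f95cbda8bf0817f1b5c69b51c860c536064182b67261f695f54e1d5",
}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def host_of(value):
    """Normalize a bare host, an IP or a full URL (http/https/file) to a lowercase host."""
    v = value.strip().lower()
    if "://" not in v:
        v = "//" + v  # bare host: let urlsplit parse it as a netloc
    return (urlsplit(v).hostname or "").rstrip(".")


def matches_host(host):
    """Exact or parent-domain match, so www.technoads.pw matches technoads.pw."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_HOSTS:
            return candidate
    return None


def scan_line(line):
    """Return the IOC hits for one key=value log line (empty list if clean)."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    hits = []
    for key in ("url", "userdomainname", "host"):
        raw = fields.get(key)
        if not raw:
            continue
        host = host_of(raw)
        if host in IOC_IPS:
            hits.append(f"ip:{host}")
        elif (ioc := matches_host(host)):
            hits.append(f"host:{ioc}")
        if urlsplit(raw.lower()).scheme == "file":
            # A file:// URL to a remote host is an SMB (TCP/445) fetch, not HTTP.
            hits.append(f"smb:outbound SMB to {host}")
    for key in ("srcipaddress", "dstipaddress", "src", "dst"):
        if fields.get(key) in IOC_IPS:
            hits.append(f"ip:{fields[key]}")
    if fields.get("sha256", "").lower() in IOC_SHA256:
        hits.append(f"sha256:{fields['sha256'].lower()}")
    return hits


def scan_log(lines):
    """(line index, hits) for every line that touches an IOC."""
    return [(i, hits) for i, line in enumerate(lines) if (hits := scan_line(line))]


# Constructed sample log lines; every value other than the page's IOCs is made up.
SAMPLE_LOG = [
    'ts=2024-09-26T09:12:01Z user=alice url="https://www.TECHNOADS.pw/index.php"',
    'ts=2024-09-26T09:12:07Z user=alice url="file://185.156.72.78/MyFolder/invoce.zip"',
    'ts=2024-09-26T09:12:09Z src=10.20.30.40 dstipaddress=185.156.72.78 dport=445',
    'ts=2024-09-26T09:13:00Z user=bob url="https://example.org/login"',
    'ts=2024-09-26T09:14:30Z file=svc.exe sha256=554D9DDD6FD1CCB15D7686C8BADB8653323C71884C7F20EFB19B56324FF34FC1',
]

if __name__ == "__main__":
    for i, hits in scan_log(SAMPLE_LOG):
        print(i, hits)
```

Parent-domain matching deliberately covers hosts such as www.technoads.pw that a literal `like "technoads.pw"` would miss; if your proxy logs record only the registrable domain, the exact-match form is sufficient. Outbound SMB to Internet addresses should be blocked at the perimeter regardless of IOC matches, which also neutralizes the file:// delivery path used here.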

    Reference:

    https://www.trendmicro.com/en_us/research/25/a/cve-2025-0411-ukrainian-organizations-targeted.html


    Tags

Malware, SmokeLoader, CVE-2025, Ukraine, Exploit

