A Russian cybercrime group exploited CVE-2025-0411 in 7-Zip — a zero-day at the time — to bypass Windows’ Mark of the Web protections by nesting archives inside archives, slipping SmokeLoader past Windows security prompts and into Ukrainian government systems. HN55 also covers a malicious Go package that typosquatted the legitimate BoltDB library, exploited Go’s indefinite module mirror cache to stay alive for years, and granted remote access to any developer who installed it.
Stories Covered
7-Zip Double-Archive Attack Bypasses Windows Mark of the Web
CVE-2025-0411 (CVSS 7.0) exploits a flaw in 7-Zip versions prior to 24.09: when a file is double-archived — zipped inside a zip — 7-Zip failed to propagate the Mark of the Web (MOTW) flag to the inner archive’s contents. MOTW is the Windows mechanism that marks files downloaded from the internet and triggers the “this file came from the web, do you want to run it?” warning. Without that flag, the extracted payload runs without the usual security prompt.
The attack chain starts with a spear phishing email sent from compromised Ukrainian government or business accounts — lending it false legitimacy. The email contains a specially crafted archive that uses a homoglyph attack to make the inner zip look like a Word document. When extracted, an internet shortcut (.url) file inside reaches out to an attacker-controlled server and downloads a second archive. That second archive contains SmokeLoader, disguised as a PDF, but without a MOTW flag — so Windows executes it without warning. SmokeLoader then pulls in whatever secondary payload the operator has staged.
The fix has been available since November 2024 in version 24.09. If you have 7-Zip installed, this is the update prompt. The broader lesson: MOTW is a useful friction point but not a guarantee — any file you download, regardless of whether Windows flags it, should be treated as untrusted until you know what it is.
Malicious Go Package Abuses Module Mirror Cache for Persistent Backdoor
Researchers at Socket identified a malicious Go package — github.com/boltdb-go/bolt — as a typosquat of the legitimate github.com/boltdb/bolt BoltDB database library. Version 1.3.1 was published to GitHub in November 2021 and almost immediately cached by the Go module mirror service, which stores packages indefinitely. Once cached, even if the source repository is cleaned up or modified, the mirror keeps serving the original malicious version to anyone who runs go get.
That is exactly what happened: the attacker later modified the GitHub repository’s git tags to point back to a clean version — so any manual audit of the GitHub source would show nothing suspicious. But the Go module mirror was still serving the backdoored 1.3.1 indefinitely. Any developer who installed the package from the cache got a remote access backdoor that phones home and accepts arbitrary commands, while the GitHub repo appeared completely benign.
This is one of the earliest documented cases of deliberately exploiting Go’s indefinite caching behavior as an attack vector. The same class of risk exists in other ecosystems (NuGet’s caching has similar properties; npm is more aggressive about invalidation). The defense is developer-side: vet package names carefully, check download counts and repository age, use a software bill of materials, and consider tools that scan your dependency tree against known typosquats. No ecosystem is immune to supply chain attacks, and the cache amplifies any initial compromise by making it persist long after the source is cleaned up.
Leave a Reply