Russian Hackers Target Ukrainian Organizations Using Stealthy, Living Off the Land Tactics

Russian threat actors have reportedly conducted a series of stealthy cyberattacks on organizations in Ukraine, aiming to steal confidential data and maintain persistent access to compromised networks.
According to a recent joint report by Symantec and Carbon Black Threat Hunter Team, the attacks targeted a large business services company for two months and a local government organization for about a week.

Attack Techniques and Entry Points

The adversaries relied heavily on Living-Off-the-Land (LotL) techniques, which involve using legitimate system tools for malicious purposes. They combined these with a small number of dual-use utilities and minimal malware to avoid detection.

“The attackers gained access by deploying web shells on public-facing servers, most likely exploiting one or more unpatched vulnerabilities,” the report stated.

One of the main tools used was LocalOlive, a web shell linked to the Sandworm hacking group, part of Russia’s cyber operations. LocalOlive was previously seen in the BadPilot campaign and is used to deliver payloads like Chisel, plink, and rsockstun.

Timeline of Intrusion

Malicious activity dates back to June 27, 2025, when attackers first dropped a web shell and began reconnaissance. They used PowerShell commands to exclude the Downloads folder from Microsoft Defender Antivirus scans and set a scheduled task to perform memory dumps every 30 minutes.

Actions performed by attackers included:

  • Saving a copy of the registry hive as “1.log.”
  • Deploying additional web shells.
  • Enumerating all files in user directories.
  • Searching for processes starting with “kee” to locate KeePass password vaults.
  • Listing active user sessions and executing files like service.exe and cloud.exe.
  • Using RDRLeakDiag to perform memory dumps.
  • Enabling RDP connections by editing registry settings.
  • Running RDPclip to access clipboard data.
  • Installing OpenSSH and allowing TCP traffic on port 22.
  • Creating a scheduled task for an unknown PowerShell backdoor (link.ps1).
  • Executing a Python script and launching winbox64.exe, a legitimate MikroTik router tool.
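As an added illustration, not code from the Symantec/Carbon Black report, the following Python hunt matches constructed process-creation records (modelled on Sysmon Event ID 1 / Windows 4688 command lines) against the actions listed above; the event fields, the web-server parent names and the exact command patterns are assumptions.

```python
import re

# Constructed telemetry for illustration only; not captured from the intrusion.
SAMPLE_EVENTS = [
    {"host": "web01", "parent": "w3wp.exe", "cmd": "powershell.exe -c Add-MpPreference -ExclusionPath C:\\Users\\svc\\Downloads"},
    {"host": "web01", "parent": "w3wp.exe", "cmd": "schtasks.exe /create /sc minute /mo 30 /tn Upd /tr C:\\Users\\svc\\Downloads\\d.bat"},
    {"host": "web01", "parent": "cmd.exe", "cmd": "reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f"},
    {"host": "web01", "parent": "cmd.exe", "cmd": "netsh.exe advfirewall firewall add rule name=ssh dir=in action=allow protocol=TCP localport=22"},
    {"host": "web01", "parent": "cmd.exe", "cmd": "tasklist.exe | findstr /i kee"},
    {"host": "ws07", "parent": "explorer.exe", "cmd": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

# Hunting rules derived from the report's list of attacker actions:
# (technique label, regex over the command line). Patterns are assumed, not from the report.
RULES = [
    ("defender-exclusion", re.compile(r"Add-MpPreference.*-ExclusionPath", re.I)),
    ("scheduled-task-created", re.compile(r"\bschtasks(\.exe)?\b.*/create", re.I)),
    ("rdp-enabled-via-registry", re.compile(r"fDenyTSConnections.*/d\s*0\b", re.I)),
    ("firewall-allow-tcp-22", re.compile(r"advfirewall.*add rule.*localport=22\b", re.I)),
    ("keepass-process-search", re.compile(r"(tasklist|Get-Process).*\bkee", re.I)),
    ("memory-dump-tool", re.compile(r"\brdrleakdiag(\.exe)?\b", re.I)),
]

# Assumed parent process names for public-facing web servers.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "tomcat.exe"}


def classify(event):
    """Return the technique labels whose pattern matches this event's command line.
    A web-server parent spawning a matched command gets an extra label, since the
    report says initial access came through web shells on public-facing servers."""
    hits = [label for label, rx in RULES if rx.search(event["cmd"])]
    if hits and event["parent"].lower() in WEB_SERVER_PARENTS:
        hits.append("spawned-by-web-server")
    return hits


def hunt(events):
    """Map each host to the set of technique labels observed on it; hosts with no hits are omitted."""
    findings = {}
    for ev in events:
        for label in classify(ev):
            findings.setdefault(ev["host"], set()).add(label)
    return findings


if __name__ == "__main__":
    for host, labels in sorted(hunt(SAMPLE_EVENTS).items()):
        print(host, sorted(labels))
```

A host that accumulates several of these labels within a short window, especially with a web-server parent, is the pattern the report describes and is worth triage even though every individual command is a legitimate administrative action.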

Interestingly, CERT-UA had previously reported winbox64.exe usage in a 2024 Sandworm campaign that targeted Ukraine’s energy and water sectors.

Although Symantec and Carbon Black did not confirm a direct link to Sandworm, they attributed the activity to Russian-origin actors based on tactics and tool overlaps.

Living-Off-the-Land Focus

The attackers used very little traditional malware. Instead, they utilized Windows-native tools and dual-use software to advance their operation while leaving minimal forensic evidence.

“This shows how skilled attackers can use legitimate tools to steal sensitive data, including credentials, while remaining almost invisible,” the researchers noted.

Additional Russian Threat Campaigns

Another recent finding by Gen Threat Labs revealed that Gamaredon, another Russian group, exploited a WinRAR vulnerability (CVE-2025-8088, CVSS 8.8) to attack Ukrainian government agencies.
Attackers used malicious RAR archives that silently dropped HTA malware into the Startup folder once users opened an attached PDF lure.

The Broader Cyber Landscape

Recorded Future reported that international law enforcement operations, such as Operation Endgame, have influenced Russia’s cyber ecosystem.
The relationship between Russian intelligence and cybercriminal groups now appears to include cooperation, bribery, and selective enforcement.

Leaked chats show that threat actors often maintain links with Russian intelligence, offering data and operational support in exchange for immunity.

This evolving dynamic, referred to as the “Dark Covenant,” is both a strategic alliance and a liability for the Kremlin. It merges commercial cybercrime with state-driven espionage.

“The Russian underground is fracturing under the dual pressures of government control and internal mistrust,” Recorded Future stated, adding that ransomware operators have become increasingly paranoid about monitoring and infiltration.