
Ukrainian organizations are being targeted by Russian-origin attackers with the goal of siphoning sensitive data and maintaining persistent access to compromised networks.
The campaign targeted a large business services organization for two months and a local government body in the country for about a week, according to a new report from Symantec and the Carbon Black Threat Hunters team.
The attack relied mainly on Living-off-the-Land (LotL) tactics and dual-use tools, combined with a minimal amount of malware, to keep the digital footprint small and remain undetected for long periods.
"The attacker gained access to a business services organization by deploying a web shell on a public-facing server, likely exploiting one or more unpatched vulnerabilities," the Broadcom-owned cybersecurity team said in a report shared with The Hacker News.
One of the web shells used in the attack was LocalOlive. It was previously reported by Microsoft as being used by a subgroup of the Russia-linked Sandworm crew as part of a multi-year campaign codenamed BadPilot. LocalOlive is designed to facilitate the delivery of next-stage payloads such as Chisel, plink, and rsockstun, and has been in use since at least the second half of 2021.
The earliest signs of malicious activity at the business services organization date back to June 27, 2025, when the attackers used that initial foothold to drop a web shell and conduct reconnaissance through it. The threat actors were also observed running PowerShell commands to exclude the machine's Downloads folder from Microsoft Defender Antivirus scans, and setting up a scheduled task to take memory dumps every 30 minutes.

Over the next few weeks, the attackers carried out a series of actions, including:
- Saving a copy of a registry hive to a file named 1.log, and dropping another web shell
- Using the web shell to enumerate all files in a user directory
- Running a command to list all running processes whose names start with "kee", most likely to locate the KeePass password manager
- Listing all active user sessions on a second machine
- Running executables named "service.exe" and "cloud.exe" from the Downloads folder
- Running reconnaissance commands on a third machine and dumping memory with the Windows Resource Leak Diagnostic Tool (RdrLeakDiag)
- Modifying the registry to enable RDP and permit incoming RDP connections
- Running PowerShell commands to collect Windows configuration information on a fourth machine
- Running RDPclip to access the clipboard of Remote Desktop connections
- Installing OpenSSH to facilitate remote access to the machine, and allowing inbound TCP traffic on port 22 to the OpenSSH server
- Running a PowerShell command to create a scheduled task that runs an unknown job
- Running a PowerShell backdoor (link.ps1) every 30 minutes under a domain account
- Running an unknown Python script
- Deploying the genuine MikroTik router management application (winbox64.exe) in the Downloads folder
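The activity above leaves configuration and file-system traces on each compromised host even when no malware is recovered. The following hunting script is an added example written for this page, not a tool from the Symantec/Carbon Black report, and checks a Windows host for those traces: Defender exclusions covering a Downloads folder, scheduled tasks that invoke RdrLeakDiag or a PowerShell script on a 30-minute repetition, the registry flag that enables RDP, an installed sshd service with an inbound TCP/22 allow rule, and the named files dropped in any user's Downloads folder. The file and tool names come from the report; the assumption that the dropped files sit under C:\Users\<user>\Downloads, and the choice of Defender event ID 5007 (configuration changes, including exclusion edits) as the log source, are the author's. Run it elevated.

```powershell
# Added hunting script for the LotL indicators listed in the report (not the report's own tooling).
# Assumes dropped files live under C:\Users\*\Downloads and that Defender logs to the Operational channel.
$findings = [System.Collections.Generic.List[string]]::new()

function Add-Finding([string]$Area, [string]$Detail) {
    $script:findings.Add("[$Area] $Detail")
}

# 1. Defender exclusions: the attackers excluded the Downloads folder from AV scans.
$pref = Get-MpPreference -ErrorAction SilentlyContinue
foreach ($p in @($pref.ExclusionPath | Where-Object { $_ })) {
    if ($p -match '(?i)\\Downloads(\\|$)') { Add-Finding 'Defender' "Exclusion path covers Downloads: $p" }
}
foreach ($e in @($pref.ExclusionExtension | Where-Object { $_ })) {
    Add-Finding 'Defender' "Extension exclusion present: $e"
}

# 2. Scheduled tasks: memory dumps via RdrLeakDiag, the link.ps1 backdoor, or any PowerShell task on a 30-minute cycle.
$suspectNames = 'rdrleakdiag', 'link.ps1', 'service.exe', 'cloud.exe', 'winbox64'
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
    $nameHit = $suspectNames | Where-Object { $cmd -match [regex]::Escape($_) }
    $every30 = $task.Triggers | Where-Object { $_.Repetition.Interval -eq 'PT30M' }   # ISO 8601 duration
    if ($nameHit -or ($every30 -and $cmd -match '(?i)powershell')) {
        Add-Finding 'SchedTask' "$($task.TaskPath)$($task.TaskName) -> $cmd (user: $($task.Principal.UserId))"
    }
}

# 3. RDP enabled through the registry (fDenyTSConnections = 0 allows inbound RDP).
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) { Add-Finding 'RDP' 'fDenyTSConnections = 0 (inbound RDP allowed)' }

# 4. OpenSSH server installed or running, plus an enabled inbound allow rule for TCP port 22.
$sshd = Get-Service -Name sshd -ErrorAction SilentlyContinue
if ($sshd) { Add-Finding 'SSH' "sshd service present: status $($sshd.Status), start type $($sshd.StartType)" }
foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue) {
    $pf = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -eq 'TCP' -and (@($pf.LocalPort) -contains '22')) {
        Add-Finding 'Firewall' "Inbound allow rule for TCP/22: $($rule.DisplayName)"
    }
}

# 5. Dual-use binaries, the backdoor script and the hive copy dropped in a user's Downloads folder (assumed location).
$dropped = 'service.exe', 'cloud.exe', 'winbox64.exe', 'link.ps1', '1.log'
foreach ($dl in Get-Item 'C:\Users\*\Downloads' -ErrorAction SilentlyContinue) {
    foreach ($f in Get-ChildItem -Path $dl.FullName -File -ErrorAction SilentlyContinue | Where-Object { $dropped -contains $_.Name }) {
        $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        Add-Finding 'Dropped' "$($f.FullName) sha256=$hash"
    }
}

# 6. Defender configuration-change events (ID 5007) that touched exclusions, to date when the change was made.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } -MaxEvents 100 -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'Exclusions' }
foreach ($ev in $events) { Add-Finding 'DefenderLog' "$($ev.TimeCreated): $(($ev.Message -replace '\s+', ' ').Trim())" }

if ($findings.Count -eq 0) { 'No indicators from the report found on this host.' } else { $findings }
```

Each check is a weak signal on its own (sshd and RDP are legitimately enabled on many servers), so treat the output as leads to pivot on, and correlate a hit with process-creation or Sysmon telemetry from the same window before acting on it.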
Interestingly, the presence of “winbox64.exe” was also documented by CERT-UA in April 2024 in connection with a Sandworm campaign targeting Ukrainian energy, water, and heating suppliers.
Symantec and Carbon Black said they found no evidence linking the breach to Sandworm, but that it "appears to be Russian in origin." The cybersecurity firm also noted that the attack involved several PowerShell backdoors and the introduction of a suspicious executable file that is likely malware. None of these artifacts, however, were recovered for analysis.
“Although the amount of malware used by the attackers during the compromise was limited, much of the malicious activity that took place involved legitimate tools, either Living-off-the-Land or dual-use software, deployed by the attackers,” Symantec and Carbon Black said.
“The attackers demonstrated deep knowledge of Windows native tools and demonstrated how a skilled attacker can proceed with an attack to steal credentials and other sensitive information while leaving a minimal footprint on a target’s network.”
This disclosure comes as Gen Threat Labs details how Gamaredon exploited a now-patched path traversal flaw in WinRAR (CVE-2025-8088, CVSS score: 8.8) to attack Ukrainian government agencies.
In a post on “These lures are designed to trick victims into opening weaponized archives, continuing the pattern of aggressive targeting seen in previous campaigns.”
The findings follow a Recorded Future report that found that Russia’s cybercrime ecosystem is being actively shaped by international law enforcement campaigns such as Operation Endgame, and that the relationship between the Russian government and e-crime groups is moving from passive tolerance to active management.

Further analysis of the leaked chats revealed that leaders of these threat groups often maintain relationships with Russian intelligence agencies, providing them with data, conducting missions, or using bribes and political connections for impunity. At the same time, cybercriminals are decentralizing their operations to evade Western and domestic surveillance.
While it has long been understood that Russian cybercriminals are free to operate as long as they do not target companies or organizations in the region, the Kremlin now appears to be taking a more nuanced approach: recruiting and tasking them as needed, turning a blind eye when attacks serve its own interests, and selectively enforcing the law when the attackers become "politically inconvenient or publicly embarrassing."
Under these "black contracts," the cybercriminal groups are treated as several things at once: commercial ventures, tools for influence and intelligence collection, and liabilities to be disposed of when they threaten domestic stability or draw Western pressure.
“Russia’s underground cybercriminal organizations are fractured under the dual pressures of state control and internal distrust, while independent forum monitoring and ransomware affiliate chatter indicate growing paranoia among their operators,” the company said in the third installment of its Dark Covenant report.