
Russian-Linked Cyberattacks Continue to Target Ukrainian Organizations

Sandworm targets Ukrainian networks using stealthy, low-malware attacks that exploit legitimate Windows tools to evade detection.

Written By
Ken Underhill
Oct 30, 2025

Russian state-linked cyber activity continues to pose a threat to Ukrainian organizations. 

Security researchers uncovered two ongoing intrusions that highlight the persistence, stealth, and technical expertise of attackers believed to be connected to Sandworm, a subgroup of Russia’s GRU military intelligence agency. 

The campaigns, which unfolded over several weeks in mid-2025, demonstrate a growing reliance on Living-off-the-Land (LotL) techniques and legitimate system tools to maintain access and harvest data while minimizing the chance of detection.

Living off the Land: A minimal-footprint approach

The attackers targeted both a large business services organization and a local government entity in Ukraine, focusing primarily on intelligence collection rather than overt disruption.

Instead of deploying large volumes of malware, they relied heavily on legitimate Windows utilities, PowerShell scripts, and scheduled tasks to perform reconnaissance, extract credentials, and sustain long-term persistence.

Initial access to one target was achieved through the exploitation of public-facing servers, likely via unpatched vulnerabilities. 

Attackers installed a custom webshell called Localolive, previously associated with the Sandworm group. 

While attribution remains unconfirmed, the tactics and infrastructure align with previous Sandworm operations, known for targeting critical infrastructure and IoT devices across Ukraine and beyond.

Once inside, the attackers executed a series of commands to map the environment, disable antivirus scanning on key directories, and exfiltrate sensitive system information. 

They demonstrated administrative control, creating scheduled tasks to perform memory dumps and capture credentials from tools such as KeePass. They also collected registry hives and system configuration data to expand access across the network.

Taking over, one system at a time

Over the following weeks, the attackers methodically moved through multiple systems within the targeted organization. Each stage showed growing sophistication and situational awareness. 

On one system, they reconfigured Windows Defender to exclude specific directories and used the Windows Resource Leak Diagnostic tool — a legitimate system utility — to perform full memory dumps.

The attackers also deployed a handful of suspicious executables, such as service.exe and cloud.exe, from the Downloads folder. 

These file names mirrored other webshell components used elsewhere in the attack, suggesting a consistent toolkit and naming convention. 

Later stages involved setting up remote access through RDP and OpenSSH, modifying firewall rules, and creating persistent PowerShell backdoors configured to execute every 30 minutes.

In one case, a Python script named assembler.py was executed, though its functionality remains unknown. The presence of winbox64.exe, a legitimate MikroTik router management tool, further points to an effort to blend malicious operations with trusted administrative activity.

Sandworm’s quiet war evolves

Sandworm, also known as Seashell Blizzard, has been linked to multiple high-profile campaigns, including the 2015–2016 Ukrainian power grid attacks, the VPNFilter malware, and the AcidRain satellite modem sabotage against Viasat. 

The group’s operations combine espionage, sabotage, and influence tactics to advance Russian geopolitical goals.

This latest activity reinforces the group’s strategic shift toward persistence and intelligence gathering over immediate destruction. 

By leveraging native Windows functionality, attackers can operate for extended periods with minimal malware deployment, complicating forensic analysis and detection.

These intrusions exemplify the evolving landscape of state-sponsored cyber warfare. 

Traditional antivirus and intrusion detection systems are less effective against LotL and dual-use tools. 

Attackers increasingly exploit the very administrative functions defenders rely on, blurring the line between normal system activity and malicious intent.

Strengthen your defenses now

The following mitigation steps provide practical measures to harden systems, reduce attack surfaces, and detect malicious activity early.

  • Apply patches promptly: Ensure all internet-facing servers and applications are fully updated and monitored for abnormal behavior.
  • Restrict administrative access: Enforce least-privilege policies and limit local admin rights wherever possible.
  • Monitor for misuse of native tools: Track abnormal PowerShell usage, scheduled task creation, and diagnostic tool execution.
  • Implement application allowlisting: Block unauthorized executables and scripts from running, particularly from user directories like Downloads.
  • Harden remote access: Limit RDP and SSH access to trusted IPs, require multifactor authentication, and disable unused services.
  • Enhance visibility: Use endpoint detection and response (EDR) tools capable of correlating behavior patterns, not just signatures.
  • Test incident response plans: Continuously test incident response (IR) plans for effectiveness.
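The "monitor for misuse of native tools" and "application allowlisting" items above are easier to act on with a concrete detection pass. The following Python script is an added example written for this article, not code from the report or from any vendor: it runs a handful of behavioral rules over constructed, Sysmon-style process-creation records (one JSON object per line) that mirror the indicators described in the intrusions: a Defender exclusion added from PowerShell, a scheduled task that runs PowerShell on a minute-based repeat, the Windows Resource Leak Diagnostic tool (assumed here to be the rdrleakdiag.exe binary), an executable launched from a Downloads folder, a firewall rule added with netsh, and a web server process spawning a command shell. The event field names, host names, paths and command lines are all invented for the sample.

```python
import json
import re
from pathlib import PureWindowsPath

# Constructed sample of process-creation events, one JSON object per line.
# Hosts, users, paths and command lines are invented for this example; they are
# not logs from the intrusions described in the article.
SAMPLE_EVENTS = r"""
{"ts":"2025-06-02T09:14:03Z","host":"srv-web01","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -NoProfile -Command Add-MpPreference -ExclusionPath C:\\ProgramData\\svc","parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe"}
{"ts":"2025-06-02T09:15:41Z","host":"srv-web01","user":"CORP\\admin","image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks /create /tn Updater /sc minute /mo 30 /tr powershell.exe -File C:\\ProgramData\\svc\\u.ps1","parent":"C:\\Windows\\System32\\cmd.exe"}
{"ts":"2025-06-02T09:20:12Z","host":"srv-web01","user":"CORP\\admin","image":"C:\\Windows\\System32\\rdrleakdiag.exe","cmdline":"rdrleakdiag.exe /p 644 /o C:\\ProgramData\\svc","parent":"C:\\Windows\\System32\\cmd.exe"}
{"ts":"2025-06-02T09:22:55Z","host":"ws-fin07","user":"CORP\\jdoe","image":"C:\\Users\\jdoe\\Downloads\\service.exe","cmdline":"service.exe","parent":"C:\\Windows\\explorer.exe"}
{"ts":"2025-06-02T09:30:00Z","host":"ws-fin07","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\netsh.exe","cmdline":"netsh advfirewall firewall add rule name=ssh dir=in action=allow protocol=TCP localport=22","parent":"C:\\Windows\\System32\\cmd.exe"}
{"ts":"2025-06-02T10:01:17Z","host":"ws-fin07","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe C:\\Users\\jdoe\\notes.txt","parent":"C:\\Windows\\explorer.exe"}
{"ts":"2025-06-02T10:05:00Z","host":"srv-web01","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -File C:\\Scripts\\backup.ps1","parent":"C:\\Windows\\System32\\svchost.exe"}
"""

WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _image_name(event):
    """Lower-cased file name of the launched image (works on non-Windows hosts too)."""
    return PureWindowsPath(event["image"]).name.lower()


def rule_defender_exclusion(e):
    """Defender exclusion added or changed from a PowerShell command line."""
    return (_image_name(e) == "powershell.exe"
            and re.search(r"\b(add|set)-mppreference\b", e["cmdline"], re.I) is not None
            and re.search(r"-exclusion\w*", e["cmdline"], re.I) is not None)


def rule_scheduled_task_powershell(e):
    """schtasks creating a minute-repeating task whose action runs PowerShell."""
    c = e["cmdline"].lower()
    return (_image_name(e) == "schtasks.exe" and "/create" in c
            and "powershell" in c and "/sc minute" in c)


def rule_memory_dump_tool(e):
    """Built-in diagnostic binary used for memory dumps (assumed: rdrleakdiag.exe)."""
    return _image_name(e) == "rdrleakdiag.exe"


def rule_exec_from_downloads(e):
    """Executable launched from any user's Downloads folder."""
    parts = [p.lower() for p in PureWindowsPath(e["image"]).parts]
    return "downloads" in parts and _image_name(e).endswith(".exe")


def rule_firewall_rule_added(e):
    """Inbound/outbound firewall rule added with netsh."""
    c = e["cmdline"].lower()
    return _image_name(e) == "netsh.exe" and "advfirewall" in c and "add rule" in c


def rule_webserver_spawns_shell(e):
    """Web server worker process spawning a command interpreter (webshell pattern)."""
    parent = PureWindowsPath(e["parent"]).name.lower()
    return parent in WEB_SERVER_PARENTS and _image_name(e) in SHELLS


RULES = {
    "defender_exclusion_change": rule_defender_exclusion,
    "scheduled_task_runs_powershell": rule_scheduled_task_powershell,
    "memory_dump_tool_executed": rule_memory_dump_tool,
    "executable_from_downloads": rule_exec_from_downloads,
    "firewall_rule_added": rule_firewall_rule_added,
    "webserver_spawned_shell": rule_webserver_spawns_shell,
}


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def scan(events):
    """Return one hit dict per (event, rule) match."""
    hits = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.append({"ts": e["ts"], "host": e["host"], "rule": name, "image": e["image"]})
    return hits


def stacked_hosts(hits, threshold=2):
    """Hosts on which at least `threshold` distinct rules fired. One LotL command
    is routine admin noise; several different ones on the same host is the signal."""
    seen = {}
    for h in hits:
        seen.setdefault(h["host"], set()).add(h["rule"])
    return {host: sorted(rules) for host, rules in seen.items() if len(rules) >= threshold}


if __name__ == "__main__":
    found = scan(parse_events(SAMPLE_EVENTS))
    for h in found:
        print(f'{h["ts"]} {h["host"]:<10} {h["rule"]:<32} {h["image"]}')
    print("hosts with stacked indicators:", stacked_hosts(found))
```

Each rule on its own will fire on legitimate administration, which is exactly the problem the article describes; the `stacked_hosts` step is where the value lies, because a host that adds a Defender exclusion, registers a repeating PowerShell task and runs a memory-dump utility within the same window looks nothing like routine maintenance. In production the same logic belongs in the EDR or SIEM rule language, with the parent-process and path fields taken from the real telemetry schema rather than the invented one used here.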

Sustained vigilance, combined with proactive monitoring, remains essential to ensuring long-term cyber resilience.

Hiding in plain sight: The new cyber battlefield

The attacks on Ukrainian organizations underscore the persistence and adaptability of Russian-linked threat actors.

By exploiting legitimate tools and native system functions, these adversaries infiltrate, monitor, and maintain access with few detectable indicators.

To counter this, organizations must strengthen defenses through technical hardening, continuous monitoring, and behavioral analytics to spot subtle anomalies.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
