Russian-Linked Cyberattacks Continue to Target Ukrainian Organizations | eSecurity Planet

Russian-Linked Cyberattacks Continue to Target Ukrainian Organizations

Sandworm targets Ukrainian networks using stealthy, low-malware attacks that exploit legitimate Windows tools to evade detection.

Written By
Ken Underhill
Ken Underhill
Oct 30, 2025
4 minute read
eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Russian state-linked cyber activity continues to pose a threat to Ukrainian organizations. 

Security researchers uncovered two ongoing intrusions that highlight the persistence, stealth, and technical expertise of attackers believed to be connected to Sandworm, a subgroup of Russia’s GRU military intelligence agency. 

The campaigns, which unfolded over several weeks in mid-2025, demonstrate a growing reliance on Living-off-the-Land (LotL) techniques and legitimate system tools to maintain access and harvest data while minimizing the chance of detection.

Living off the Land: A minimal-footprint approach

The attackers targeted both a large business services organization and a local government entity in Ukraine, focusing primarily on intelligence collection rather than overt disruption.

Instead of deploying large volumes of malware, they relied heavily on legitimate Windows utilities, PowerShell scripts, and scheduled tasks to perform reconnaissance, extract credentials, and sustain long-term persistence.

Initial access to one target was achieved through the exploitation of public-facing servers, likely via unpatched vulnerabilities. 

Attackers installed a custom webshell called Localolive, previously associated with the Sandworm group. 

While attribution remains unconfirmed, the tactics and infrastructure align with previous Sandworm operations, known for targeting critical infrastructure and IoT devices across Ukraine and beyond.

Once inside, the attackers executed a series of commands to map the environment, disable antivirus scanning on key directories, and exfiltrate sensitive system information. 

They demonstrated administrative control, creating scheduled tasks to perform memory dumps and capture credentials from tools such as KeePass. They also collected registry hives and system configuration data to expand access across the network.

Taking over, one system at a time

Over the following weeks, the attackers methodically moved through multiple systems within the targeted organization. Each stage showed growing sophistication and situational awareness. 

On one system, they reconfigured Windows Defender to exclude specific directories and used the Windows Resource Leak Diagnostic tool — a legitimate system utility — to perform full memory dumps.

The attackers also deployed a handful of suspicious executables, such as service.exe and cloud.exe, from the Downloads folder. 

These file names mirrored other webshell components used elsewhere in the attack, suggesting a consistent toolkit and naming convention. 

Later stages involved setting up remote access through RDP and OpenSSH, modifying firewall rules, and creating persistent PowerShell backdoors configured to execute every 30 minutes.

In one case, a Python script named assembler.py was executed, though its functionality remains unknown. The presence of winbox64.exe, a legitimate MikroTik router management tool, further points to an effort to blend malicious operations with trusted administrative activity.

Advertisement

Sandworm’s quiet war evolves

Sandworm, also known as Seashell Blizzard, has been linked to multiple high-profile campaigns, including the 2015–2016 Ukrainian power grid attacks, the VPNFilter malware, and the AcidRain satellite modem sabotage against Viasat. 

The group’s operations combine espionage, sabotage, and influence tactics to advance Russian geopolitical goals.

This latest activity reinforces the group’s strategic shift toward persistence and intelligence gathering over immediate destruction. 

By leveraging native Windows functionality, attackers can operate for extended periods with minimal malware deployment, complicating forensic analysis and detection.

These intrusions exemplify the evolving landscape of state-sponsored cyber warfare. 

Traditional antivirus and intrusion detection systems are less effective against LotL and dual-use tools. 

Attackers increasingly exploit the very administrative functions defenders rely on, blurring the line between normal system activity and malicious intent.

Strengthen your defenses now

The following mitigation steps provide practical measures to harden systems, reduce attack surfaces, and detect malicious activity early.

  • Apply patches promptly: Ensure all internet-facing servers and applications are fully updated and monitored for abnormal behavior.
  • Restrict administrative access: Enforce least-privilege policies and limit local admin rights wherever possible.
  • Monitor for misuse of native tools: Track abnormal PowerShell usage, scheduled task creation, and diagnostic tool execution.
  • Implement application allowlisting: Block unauthorized executables and scripts from running, particularly from user directories like Downloads.
  • Harden remote access: Limit RDP and SSH access to trusted IPs, require multifactor authentication, and disable unused services.
  • Enhance visibility: Use endpoint detection and response (EDR) tools capable of correlating behavior patterns, not just signatures.
  • Test incident response plans: Continuously test incident response (IR) plans for effectiveness.

Sustained vigilance, combined with proactive monitoring, remains essential to ensuring long-term cyber resilience.

Advertisement

Hiding in plain sight: The new Cyber battlefield

The attacks on Ukrainian organizations underscore the persistence and adaptability of Russian-linked threat actors.

By exploiting legitimate tools and native system functions, these adversaries infiltrate, monitor, and maintain access with few detectable indicators.

To counter this, organizations must strengthen defenses through technical hardening, continuous monitoring, and behavioral analytics to spot subtle anomalies.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.

eSecurity Planet Logo

eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.