Russian Hackers Target Ukrainian Organizations Using Stealthy ...

Organizations in Ukraine have been targeted by threat actors of Russian origin with an aim to siphon sensitive data and maintain persistent access to compromised networks.

The activity, according to a new report from the Symantec and Carbon Black Threat Hunter Team, targeted a large business services organization for two months and a local government entity in the country for a week.

The attacks mainly leveraged living-off-the-land (LotL) tactics and dual-use tools, coupled with minimal malware, to reduce digital footprints and stay undetected for extended periods of time.

"The attackers gained access to the business services organization by deploying web shells on public-facing servers, most likely by exploiting one or more unpatched vulnerabilities," the Broadcom-owned cybersecurity teams said in a report shared with The Hacker News.

One of the web shells used in the attack was LocalOlive, which was previously flagged by Microsoft as being used by a sub-group of the Russia-linked Sandworm crew as part of a multi-year campaign codenamed BadPilot. LocalOlive is designed to facilitate the delivery of next-stage payloads like Chisel, plink, and rsockstun. It has been in use since at least late 2021.

Early signs of malicious activity targeting the business services organization date back to June 27, 2025, with the attackers leveraging the foothold to drop a web shell and use it to conduct reconnaissance. The threat actors have also been found to run PowerShell commands to exclude the machine's Downloads from Microsoft Defender Antivirus scans, as well as set up a scheduled task to perform a memory dump every 30 minutes.
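The two behaviours described above (a Defender exclusion for a user's Downloads folder and a scheduled task repeating every 30 minutes to dump memory) both leave records in standard Windows event logs: Microsoft Defender Event ID 5007 reports configuration changes including new exclusion paths, and Security Event ID 4698 embeds the XML of any newly created scheduled task. The script below is an added detection example, not code from the report or from Symantec; the event messages and task XML it parses are constructed samples that follow the real formats, and the `pd.exe` command and `mem.dmp` output path are hypothetical values.

```python
"""Triage Windows event data for two behaviours described in the report:
a Defender exclusion added for a user's Downloads folder (Event ID 5007)
and a scheduled task that repeats every N minutes to dump memory
(Event ID 4698, which carries the task definition XML)."""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Namespace used by Task Scheduler XML definitions
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample 5007 messages: one adds a Downloads exclusion, one is benign
SAMPLE_5007 = (
    "Microsoft Defender Antivirus Configuration has changed. If this is an unexpected "
    "event you should review the settings as this may be the result of malware.\n"
    "\tOld value: \n"
    "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\jdoe\\Downloads = 0x0"
)
BENIGN_5007 = (
    "Microsoft Defender Antivirus Configuration has changed.\n"
    "\tOld value: \n"
    "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Program Files\\Vendor\\db = 0x0"
)

# Constructed sample task XML (as embedded in a 4698 event); pd.exe / mem.dmp are hypothetical
SAMPLE_4698_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-06-27T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\Temp\pd.exe</Command>
      <Arguments>-ma 4242 C:\Windows\Temp\mem.dmp</Arguments>
    </Exec>
  </Actions>
</Task>"""


def exclusion_paths_from_5007(message: str) -> List[str]:
    """Return exclusion paths added by a 5007 configuration-change message."""
    pattern = (r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions"
               r"\\Paths\\(.+?)\s*=\s*0x0")
    return [m.group(1).strip() for m in re.finditer(pattern, message)]


def is_user_downloads(path: str) -> bool:
    """True when the path is a per-user Downloads folder (any drive, any user)."""
    return re.fullmatch(r"(?i)[a-z]:\\users\\[^\\]+\\downloads\\?", path) is not None


def repetition_minutes(task_xml: str) -> Optional[int]:
    """Parse the ISO 8601 duration in Repetition/Interval (e.g. PT30M) into minutes."""
    root = ET.fromstring(task_xml)
    interval = root.find(".//t:Repetition/t:Interval", TASK_NS)
    if interval is None or not interval.text:
        return None
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", interval.text.strip())
    if m is None:
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return (days * 86400 + hours * 3600 + mins * 60 + secs) // 60


def exec_actions(task_xml: str) -> List[Tuple[str, str]]:
    """Return (command, arguments) pairs for every Exec action in the task."""
    root = ET.fromstring(task_xml)
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        actions.append((cmd, args))
    return actions


def looks_like_memory_dump(cmd: str, args: str) -> bool:
    """Heuristic: the command line names a dump tool or writes a .dmp file."""
    blob = f"{cmd} {args}".lower()
    return any(marker in blob for marker in ("dump", ".dmp"))


def triage(defender_messages: List[str], task_xmls: List[str]) -> List[str]:
    """Combine both checks and return one finding string per suspicious item."""
    findings = []
    for msg in defender_messages:
        for path in exclusion_paths_from_5007(msg):
            if is_user_downloads(path):
                findings.append(f"defender-exclusion-downloads: {path}")
    for xml in task_xmls:
        minutes = repetition_minutes(xml)
        for cmd, args in exec_actions(xml):
            if looks_like_memory_dump(cmd, args):
                findings.append(f"task-memory-dump every {minutes} min: {cmd} {args}")
    return findings


if __name__ == "__main__":
    for finding in triage([SAMPLE_5007, BENIGN_5007], [SAMPLE_4698_TASK_XML]):
        print(finding)
```

In a real deployment the 5007 messages and 4698 task XML would come from forwarded event logs or an EDR; the heuristics here are deliberately narrow (a Downloads exclusion, a repeating task that writes a dump) so they can be tuned against an environment's known-good scheduled tasks and exclusions before alerting.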

Over the next couple of weeks, the attackers carried out a variety of actions, including -

Interestingly, the presence of "winbox64.exe" was also documented by CERT-UA in April 2024 in connection with a Sandworm campaign aimed at energy, water, and heating suppliers in Ukraine.

Symantec and Carbon Black said they could not find any evidence in the intrusions to connect them to Sandworm, but said they "did appear to be Russian in origin." The cybersecurity company also revealed that the attacks were characterized by the deployment of several PowerShell backdoors and suspicious executables that are likely to be malware. However, none of these artifacts have been obtained for analysis.

"While the attackers used a limited amount of malware during the intrusion, much of the malicious activity that took place involved legitimate tools, ei

Source: The Hacker News