Russian Hackers Target Government with Stealthy “Living-Off-the-Land” Tactics

Russian-linked attackers have intensified their targeting of Ukrainian organizations through sophisticated intrusions that rely heavily on legitimate Windows tools rather than malware.

The attackers demonstrated remarkable restraint in their malware deployment, instead leveraging living-off-the-land tactics and dual-use tools to evade detection while accomplishing their objectives.

A recent investigation by our Threat Hunter Team revealed two separate campaigns—a two-month breach of a large business services organization and a week-long attack against a local government entity—both aimed at harvesting sensitive data and establishing persistent network access.

The intrusions began with the deployment of webshells on publicly facing servers, indicating exploitation of unpatched vulnerabilities.

The attackers used LocalOlive, a webshell that Microsoft associates with Seashell Blizzard, a sub-group of Russia's notorious Sandworm organization.

While independent confirmation of Sandworm involvement remains pending, the sophisticated nature and Russian origins of the attacks are evident throughout the campaign. Sandworm, officially designated as a unit of Russian military intelligence (GRU), has an extensive history of conducting destructive operations targeting critical infrastructure.

The group gained notoriety for devastating power grid attacks in Ukraine, the VPNFilter campaign against networking devices, and the AcidRain assault on Viasat satellite modems, establishing itself as one of the most dangerous threat actors operating today.

Following initial access on June 27, 2025, the attackers executed reconnaissance commands to map system configurations and user privileges.

They systematically gathered information with the whoami, tasklist, and systeminfo commands while also disabling Windows Defender protection for the Downloads folder, a critical step that let them stage tools there undetected.

The attackers created scheduled tasks running every 30 minutes to extract credential material from system memory and registry hives, demonstrating a methodical approach to credential harvesting.

Sophisticated Persistence

The attackers escalated their operations across multiple systems within the compromised network, establishing persistence mechanisms that would enable long-term access.

On Computer 2, they specifically targeted KeePass password vault processes, extracting process identifiers before creating memory dump tasks designed to harvest stored credentials.

The threat actors deployed the Windows Resource Leak Diagnostic tool on July 16—an uncommon technique suggesting deliberate selection of less-scrutinized legitimate tools to minimize detection likelihood.

By late July, the campaign entered its most aggressive phase. The attackers installed OpenSSH for remote command-line access, created firewall rules permitting inbound SSH connections on port 22, and configured RDP without pre-authentication to establish multiple remote access vectors.

They deployed scheduled PowerShell backdoors running under domain accounts every 30 minutes, ensuring resilient command execution capabilities.
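As an added illustration of how a defender might hunt for the chain described above in process-creation telemetry (example code written for this article, not from the report or the Threat Hunter Team; host names, command lines and rule names are constructed), the Python below matches each step against sample command lines and flags hosts where several fire together:

```python
import re
# Rules for the living-off-the-land steps described above, matched
# case-insensitively against process command lines (Sysmon Event ID 1 or
# Security Event 4688). Lookaheads make argument order irrelevant.
RULES = {name: re.compile(pattern, re.I) for name, pattern in {
    "defender_exclusion_downloads":
        r"(Add|Set)-MpPreference\b(?=.*-ExclusionPath\b)(?=.*\\Downloads)",
    "schtasks_30min_interval":
        r"schtasks(\.exe)?\s+/create\b(?=.*/sc\s+minute\b)(?=.*/mo\s+30\b)",
    "firewall_allow_inbound_22":
        r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b(?=.*dir=in\b)"
        r"(?=.*action=allow\b)(?=.*localport=22\b)",
    "rdp_nla_disabled":
        r"reg(\.exe)?\s+add\b(?=.*RDP-Tcp\b)(?=.*UserAuthentication\b)(?=.*/d\s+0\b)",
    "openssh_server_install": r"Add-WindowsCapability\b(?=.*OpenSSH\.Server)",
    "winbox_in_downloads": r"\\Downloads\\winbox64\.exe",
}.items()}

# Constructed sample records (not from the report): one host showing the
# chain, one admin host with a single, plausibly legitimate OpenSSH install.
SAMPLE_EVENTS = [
    {"host": "COMPUTER1", "cmdline": "whoami /all"},
    {"host": "COMPUTER1", "cmdline":
        r'powershell -c Add-MpPreference -ExclusionPath "C:\Users\svc\Downloads"'},
    {"host": "COMPUTER1", "cmdline":
        r'schtasks /create /sc minute /mo 30 /tn "Updater" /tr "powershell -File C:\Users\Public\t.ps1"'},
    {"host": "COMPUTER1", "cmdline": "netsh advfirewall firewall add rule "
        'name="ssh" dir=in action=allow protocol=TCP localport=22'},
    {"host": "COMPUTER1", "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control'
        r'\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f'},
    {"host": "ADMIN-PC", "cmdline":
        "powershell Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"},
]

def scan(events):
    """Return (host, rule_name, cmdline) for every rule that fires on an event."""
    hits = []
    for ev in events:
        for name, rx in RULES.items():
            if rx.search(ev["cmdline"]):
                hits.append((ev["host"], name, ev["cmdline"]))
    return hits

def triage(events, threshold=2):
    """Hosts where at least `threshold` distinct rules fired: any one change
    can be routine administration, the combination described above is not."""
    by_host = {}
    for host, name, _ in scan(events):
        by_host.setdefault(host, set()).add(name)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= threshold}
```

The rules key on the observable side effects the article names (a Defender exclusion on Downloads, 30-minute tasks, inbound port 22, RDP without NLA, winbox64.exe in Downloads), so they survive changes in the payloads the tasks actually run.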

The discovery of a legitimate MikroTik router management application (winbox64.exe) in the Downloads folder suggests network reconnaissance or lateral movement activity—notably, the same filename appeared in Ukrainian CERT-UA reports documenting Sandworm operations during 2024.

Despite deploying suspicious executables and PowerShell backdoors, the attackers maintained an exceptionally light malware presence, instead relying on native Windows utilities and dual-use tools.

This approach reflects sophisticated operator tradecraft—minimizing distinctive artifacts that security tools typically trigger on while maintaining full operational capability.

The deployment of Python scripts, .NET runtimes, and standard administrative utilities demonstrates how advanced threat actors can conduct a comprehensive network compromise using exclusively legitimate tooling.

The intrusion continued across at least four compromised computers through mid-August, with the final evidence of malicious activity documented on August 20, 2025.

This campaign exemplifies the evolving threat landscape where skillful adversaries achieve maximum operational impact with minimal malware signatures, presenting acute detection challenges for traditional security monitoring approaches.
