Russian Hackers Target Ukrainian Organizations Using Stealthy Living-Off-the-Land Tactics

By Team-CWD, November 6, 2025

Organizations in Ukraine have been targeted by threat actors of Russian origin with an aim to siphon sensitive data and maintain persistent access to compromised networks.

The activity, according to a new report from the Symantec and Carbon Black Threat Hunter Team, targeted a large business services organization for two months and a local government entity in the country for a week.

The attacks mainly leveraged living-off-the-land (LotL) tactics and dual-use tools, coupled with minimal malware, to reduce digital footprints and stay undetected for extended periods of time.

“The attackers gained access to the business services organization by deploying web shells on public-facing servers, most likely by exploiting one or more unpatched vulnerabilities,” the Broadcom-owned cybersecurity teams said in a report shared with The Hacker News.

One of the web shells used in the attack was LocalOlive, which was previously flagged by Microsoft as being used by a sub-group of the Russia-linked Sandworm crew as part of a multi-year campaign codenamed BadPilot. LocalOlive is designed to facilitate the delivery of next-stage payloads like Chisel, plink, and rsockstun. It has been in use since at least late 2021.

Early signs of malicious activity targeting the business services organization date back to June 27, 2025, with the attackers leveraging the foothold to drop a web shell and use it to conduct reconnaissance. The threat actors have also been found to run PowerShell commands to exclude the machine’s Downloads from Microsoft Defender Antivirus scans, as well as set up a scheduled task to perform a memory dump every 30 minutes.

Over the next couple of weeks, the attackers carried out a variety of actions, including:

  • Saving a copy of the registry hive to a file named “1.log”
  • Dropping more web shells
  • Using the web shell to enumerate all files in the user directory
  • Running a command to list all running processes beginning with “kee,” likely with the goal of targeting the KeePass password storage vault
  • Listing all active user sessions on a second machine
  • Running executables named “service.exe” and “cloud.exe” located in the Downloads folder
  • Running reconnaissance commands on a third machine and performing a memory dump using the Microsoft Windows Resource Leak Diagnostic tool (RDRLeakDiag)
  • Modifying the registry to allow inbound RDP connections
  • Running a PowerShell command to retrieve information about the Windows configuration on a fourth machine
  • Running RDPclip to gain access to the clipboard in remote desktop connections
  • Installing OpenSSH to facilitate remote access to the computer
  • Running a PowerShell command to allow TCP traffic on port 22 for the OpenSSH server
  • Creating a scheduled task to run an unknown PowerShell backdoor (link.ps1) every 30 minutes using a domain account
  • Running an unknown Python script
  • Deploying a legitimate MikroTik router management application (“winbox64.exe”) in the Downloads folder

Interestingly, the presence of “winbox64.exe” was also documented by CERT-UA in April 2024 in connection with a Sandworm campaign aimed at energy, water, and heating suppliers in Ukraine.
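Most of the actions in the list above are individually unremarkable on a Windows server, which is exactly why living-off-the-land intrusions are hard to spot; the signal comes from several of them clustering on one host. The following Python script is an added example, not part of the original report or of Symantec's tooling, that runs simple command-line pattern rules over constructed process-creation records and flags hosts where multiple distinct behaviours co-occur. The hostnames, PIDs, paths, task names and user names in the sample records are invented placeholders, and the rules cover only the behaviours the report describes (Defender exclusion of Downloads, 30-minute scheduled tasks, RDRLeakDiag memory dumps, registry hive saves, process hunting for "kee*", enabling RDP via the registry, opening TCP/22, installing OpenSSH, a PowerShell backdoor task and winbox64.exe in Downloads).

```python
import re
from dataclasses import dataclass

# Constructed process-creation records modelled on the behaviours listed in the
# report. Hosts, users, PIDs, task names and paths are invented placeholders,
# not indicators recovered from the actual intrusion.
SAMPLE_EVENTS = [
    {"host": "srv1", "parent": "w3wp.exe", "image": "powershell.exe",
     "cmdline": r'powershell.exe -c "Add-MpPreference -ExclusionPath C:\Users\admin\Downloads"'},
    {"host": "srv1", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 30 /tn "MemCheck" /tr "rdrleakdiag.exe /p 644 /o C:\Windows\Temp /fullmemdmp"'},
    {"host": "srv1", "parent": "cmd.exe", "image": "reg.exe",
     "cmdline": r'reg save HKLM\SAM C:\Windows\Temp\1.log'},
    {"host": "srv1", "parent": "w3wp.exe", "image": "powershell.exe",
     "cmdline": r'powershell.exe -c "Get-Process kee*"'},
    {"host": "srv1", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": r'schtasks /query /fo list'},  # benign admin query, should not fire
    {"host": "srv1", "parent": "cmd.exe", "image": "winbox64.exe",
     "cmdline": r'C:\Users\admin\Downloads\winbox64.exe'},
    {"host": "srv2", "parent": "cmd.exe", "image": "reg.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "srv2", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": r'powershell.exe New-NetFirewallRule -DisplayName "OpenSSH Server" -Direction Inbound -Protocol TCP -LocalPort 22 -Action Allow'},
    {"host": "srv2", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": r'powershell.exe -c "Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"'},
    {"host": "srv2", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 30 /tn "Updater" /tr "powershell -ep bypass -f C:\Users\admin\Downloads\link.ps1" /ru CORP\jdoe'},
    {"host": "ws9", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r'powershell.exe -c "Get-Process explorer"'},  # benign user activity
]

# One rule per behaviour from the report. Each is a case-insensitive regex over
# the process command line; the rule names are our own labels.
RULES = [
    ("defender_exclusion", r"Add-MpPreference\s+-ExclusionPath"),
    ("memory_dump_tool", r"\brdrleakdiag(\.exe)?\b"),
    ("scheduled_task_30min", r"\bschtasks(\.exe)?\s+/create\b.*\s/sc\s+minute\b.*\s/mo\s+30\b"),
    ("scheduled_task_ps_script", r"\bschtasks(\.exe)?\s+/create\b.*\s/tr\s+\"?powershell\b[^\"]*\.ps1\b"),
    ("registry_hive_save", r"\breg(\.exe)?\s+save\b"),
    ("keepass_process_hunt", r"\b(Get-Process|tasklist)\b.*\bkee\*"),
    ("rdp_enabled_via_registry", r"fDenyTSConnections\b.*\s/d\s+0\b"),
    ("ssh_port_firewall_rule", r"(New-NetFirewallRule\b.*-LocalPort\s+22\b|netsh\b.*advfirewall\b.*localport=22\b)"),
    ("openssh_server_install", r"Add-WindowsCapability\b.*OpenSSH\.Server"),
    ("winbox_in_downloads", r"\\Downloads\\winbox64\.exe\b"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]


@dataclass(frozen=True)
class Hit:
    host: str
    rule: str
    image: str
    cmdline: str


def detect(events):
    """Return one Hit per (event, rule) pair whose command line matches the rule."""
    hits = []
    for ev in events:
        for name, rx in COMPILED:
            if rx.search(ev["cmdline"]):
                hits.append(Hit(ev["host"], name, ev["image"], ev["cmdline"]))
    return hits


def rules_per_host(hits):
    """Map each host to the set of distinct rule names that fired on it."""
    out = {}
    for h in hits:
        out.setdefault(h.host, set()).add(h.rule)
    return out


def flagged_hosts(hits, threshold=3):
    """Hosts on which at least `threshold` distinct behaviours were observed.

    A single match (an admin really might open TCP/22) is weak evidence; the
    report's intrusion pattern is the combination, so we alert on clustering.
    """
    return sorted(h for h, rules in rules_per_host(hits).items() if len(rules) >= threshold)


if __name__ == "__main__":
    all_hits = detect(SAMPLE_EVENTS)
    for h in all_hits:
        print(f"{h.host:5} {h.rule:28} {h.cmdline[:70]}")
    print("hosts to triage:", flagged_hosts(all_hits))
```

The threshold is deliberately per-host and per-distinct-rule rather than a raw match count, so a noisy single behaviour (many `schtasks /query` calls, or repeated firewall changes by a configuration tool) does not inflate the score, while the report's sequence of exclusion, dump, hive save and remote-access setup does.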

Symantec and Carbon Black said they could not find any evidence in the intrusions to connect them to Sandworm, but said they “did appear to be Russian in origin.” The cybersecurity company also revealed that the attacks were characterized by the deployment of several PowerShell backdoors and suspicious executables that are likely to be malware. However, none of these artifacts have been obtained for analysis.

“While the attackers used a limited amount of malware during the intrusion, much of the malicious activity that took place involved legitimate tools, either Living-off-the-Land or dual-use software introduced by the attackers,” Symantec and Carbon Black said.

“The attackers demonstrated an in-depth knowledge of Windows native tools and showed how a skilled attacker can advance an attack and steal sensitive information, such as credentials, while leaving a minimal footprint on the targeted network.”

The disclosure comes as Gen Threat Labs detailed Gamaredon’s exploitation of a now-patched security flaw in WinRAR (CVE-2025-8088, CVSS score: 8.8) to strike Ukrainian government agencies.

“Attackers are abusing CVE-2025-8088 (WinRAR path traversal) to deliver RAR archives that silently drop HTA malware into the Startup folder – no user interaction needed beyond opening the benign PDF inside,” the company said in a post on X. “These lures are crafted to trick victims into opening weaponized archives, continuing a pattern of aggressive targeting seen in previous campaigns.”
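The page gives no details of the WinRAR bug itself beyond "path traversal", so the following added example, which is not from Gen Threat Labs or the WinRAR project, illustrates the general class of defect rather than CVE-2025-8088 specifically: an archive entry name that, once joined to the extraction directory and normalised, lands somewhere else, such as a user's Startup folder. The extraction directory and archive listing are constructed placeholders, and the check uses Python's `ntpath` so it evaluates Windows path semantics on any platform.

```python
import ntpath

# Constructed extraction directory and archive listing (placeholders, not
# artifacts from the campaign described above).
EXTRACT_DIR = r"C:\Users\victim\Downloads\extract"
SAMPLE_ENTRIES = [
    "invoice.pdf",                       # normal entry
    "docs/readme.txt",                   # subdirectory, fine
    "docs/../invoice2.pdf",              # '..' that still resolves inside dest
    "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.hta",
    "C:/Windows/Temp/helper.exe",        # absolute path smuggled into a listing
    "docs/../../sibling.txt",            # climbs one level above dest
]

STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def resolve_entry(dest, entry):
    """Where an entry would land if written under dest, using Windows path rules."""
    return ntpath.normpath(ntpath.join(dest, entry.replace("/", "\\")))


def entry_problems(dest, entry):
    """List the reasons an entry is unsafe to extract; empty list means it is fine."""
    problems = []
    normalized = entry.replace("/", "\\")
    # Drive-letter or rooted names never belong in an archive listing.
    if ntpath.splitdrive(normalized)[0] or normalized.startswith("\\"):
        return ["absolute path"]
    root = ntpath.normpath(dest).lower()
    target = resolve_entry(dest, normalized).lower()
    # Compare against root + separator so "extract_other" cannot pass as "extract".
    if not target.startswith(root + "\\"):
        problems.append("escapes extraction directory")
    # Persistence location called out in the report: anything landing here
    # executes at the next logon, with no further user interaction.
    if STARTUP_MARKER in target:
        problems.append("targets a Startup folder")
    return problems


def audit_listing(dest, entries):
    """Return only the entries that should be refused, with their reasons."""
    refused = {}
    for entry in entries:
        problems = entry_problems(dest, entry)
        if problems:
            refused[entry] = problems
    return refused


if __name__ == "__main__":
    for entry, why in audit_listing(EXTRACT_DIR, SAMPLE_ENTRIES).items():
        print(f"REFUSE {entry!r}: {', '.join(why)}")
```

The key design point is that the check is made on the fully resolved path, not by scanning the entry name for `..`: a name like `docs/../invoice2.pdf` is harmless and passes, whereas any name whose normalised target falls outside the extraction root is refused regardless of how the traversal was encoded.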

The findings also follow a report from Recorded Future, which found that the Russian cybercriminal ecosystem is being actively shaped by international law enforcement campaigns such as Operation Endgame, shifting the Russian government’s ties with e-crime groups from passive tolerance to active management.

Further analysis of leaked chats has uncovered that senior figures within these threat groups often maintain relationships with Russian intelligence services, providing data, performing tasking, or leveraging bribery and political connections for impunity. At the same time, cybercriminal crews are decentralizing operations to sidestep Western and domestic surveillance.

While it has long been known that Russian cybercriminals could operate freely as long as they did not target businesses or entities operating in the region, the Kremlin now appears to be taking a more nuanced approach: it recruits or co-opts talent when necessary, turns a blind eye when attacks align with its interests, and selectively enforces laws when the threat actors become “politically inconvenient or externally embarrassing.”

Viewed in that light, the “dark covenant” is a combination of several things: a commercial enterprise, a tool of influence and information acquisition, and also a liability when it threatens domestic stability or attracts Western pressure.

“The Russian cybercriminal underground is fracturing under the dual pressures of state control and internal mistrust, while proprietary forum monitoring and ransomware affiliate chatter show increasing paranoia among operators,” the company noted in its third instalment of the Dark Covenant report.
