Russian hackers, likely linked to Sandworm, exploit legitimate tools against Ukrainian targets

Russian actors, likely linked to Sandworm, targeted Ukrainian firms using LotL tactics and dual-use tools to steal data and stay hidden, says Symantec and Carbon Black.

Russian threat actors, likely linked to the APT Sandworm, targeted Ukrainian organizations to steal sensitive data and maintain long-term network access, Symantec Threat Hunter Team and Carbon Black report. The attackers infiltrated a major business services firm for two months and a local government for a week, using living-off-the-land tactics and dual-use tools with minimal malware to evade detection.

“A recent investigation by our Threat Hunter Team uncovered a two-month intrusion against a large business services organization and a week-long attack against a local government organization, with the apparent goal of harvesting sensitive information and maintaining a persistent presence on their networks.” reads the report published by Symantec. “The attackers deployed a limited amount of malware on the networks and instead relied heavily on Living-off-the-Land tactics and dual-use tools.”

Hackers exploited unpatched vulnerabilities to plant webshells like Localolive on servers. Microsoft previously linked Localolive to the Russian cyber espionage group Sandworm, which used it for initial access. The custom webshell enables C2, file uploads, and command execution. 

The Sandworm group (aka BlackEnergy, UAC-0082, Iron Viking, Voodoo Bear, and TeleBots) has been active since 2000, it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST). The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017. In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine,including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs, and ZeroWipe. 

Symantec observed that first intrusion signs began in June 27, 2025, when attackers installed a webshell via curl and ran reconnaissance (whoami, tasklist, systeminfo, domain queries). They disabled Defender scans for the Downloads folder, created scheduled tasks to dump memory (to harvest credentials), and exported registry hives.

Threat Hunter Team observed a second webshell starting from June 29, enabling further discovery and lateral movement to other hosts. On subsequent days, attackers enumerated files and processes (targeting KeePass), created recurring minidump tasks, and used rdrleakdiag for full memory dumps. Attackers ran suspicious executables from Downloads (service.exe, cloud.exe), executed a dotnet-install script, and deployed OpenSSH (enabling RDP/firewall rules and an SSH rule). The threat actors installed a persistent PowerShell backdoor scheduled every 30 minutes, executed an unknown Python payload, and used a legitimate winbox64 utility. Activity tapered, with the last observed malicious actions on August 20.

“Another feature of the attack was the deployment of a legitimate Microtik router management application (file name: winbox64.exe) in the downloads folder of compromised computers. It is unclear what the attackers were using it for. Interestingly, the same filename appeared in a CERT-UA report on Sandworm activity from 2024.” continues the report. “A limited amount of malicious activity occurred on two other machines on the network, with the last evidence of intrusion dating from August 20.” concludes the report.

“While we have been unable to independently confirm a link to Sandworm, the attacks did appear to be Russian in origin.”

The attackers relied mostly on legitimate tools, using Living-off-the-Land and dual-use software, demonstrating deep Windows knowledge to steal credentials while minimizing their footprint.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Russia)