Sandworm, also known as APT44, Seashell Blizzard, and Voodoo Bear, is one of the most notorious groups attributed to Russia’s Main Intelligence Directorate (GRU), specifically its Main Center for Special Technologies (GTsST), military Unit 74455. Over the years, the group has been linked to some of the most disruptive cyber operations on record, including attacks against critical infrastructure, widespread malware campaigns, and repeated intrusions targeting Ukrainian institutions. Their operations are known for being highly adaptive, persistent, and aligned with geopolitical tensions in the region.
According to investigators, two Ukrainian entities were compromised: a large business services organization and a local government organization with the apparent goal of harvesting sensitive information. The attackers likely gained initial access by exploiting externally exposed web services, a technique repeatedly observed in intrusions suspected to involve Sandworm. After breaching these systems, the attackers deployed a custom webshell known as LocalOlive, a tool previously identified in past Sandworm-related intrusions. The presence of this webshell, along with the operational style of the intrusion, is a key factor driving the current (but still unconfirmed) suspicion of Sandworm involvement.
Once inside these environments, the attackers relied heavily on living-off-the-land techniques, using built-in operating system utilities to blend into legitimate administrative activity while performing reconnaissance, maintaining persistence, and preparing for potential follow-on actions. This approach is characteristic of advanced state-aligned actors who aim to minimize detection and maintain long-term access.
While attribution remains uncertain, understanding the behaviors observed in this campaign provides valuable insight into the evolving threat landscape. By examining these techniques and their broader context, defenders can better anticipate similar operations and enhance their resilience against intrusions that mirror the tradecraft commonly associated with Sandworm.
Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:
This emulation contains the post-compromise Tactics, Techniques, and Procedures (TTPs) exhibited by Sandworm during its most recent activities.
This emulation is based on the investigation carried out by Symantec and Carbon Black (October 25, 2025).
Consists of the malware samples used by the adversary during this campaign.
2025-07 Sandworm system.exe Sample (T1105): The Sandworm system.exe Sample (SHA256: 08ced2cca0b22dd7a211ebf318b8186fc1c2149943338c77ee2ac677b473727f) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.
2025-07 Sandworm service.exe Sample (T1105): The Sandworm service.exe Sample (SHA256: 2866763ebd3124bfe9cf3f65d6341dda6bbb98e2653c98dd2f001f152e082291) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.
2025-07 Sandworm nano.exe Sample (T1105): The Sandworm nano.exe Sample (SHA256: ba6301e35fc3feb41ece82e518f97a81263aa3bd750de7a84eef01dbf15f3507) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.
Consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.
Persistence Through Scheduled Task (T1053.005): This scenario creates a new scheduled task for persistence using the schtasks utility.
Consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts.
Add Process to Microsoft Defender Exclusion List using PowerShell (T1562.001): This scenario adds a process to the Microsoft Defender exclusion list using the Add-MpPreference PowerShell cmdlet.
Allow SSH Communication via “New-NetFirewallRule” PowerShell Command (T1562.004): This scenario executes the New-NetFirewallRule PowerShell cmdlet to create a new outbound firewall rule.
Enable Remote Desktop Connections via Registry (SYSTEM) (T1562.001): The registry value HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections is set to 0, which enables remote access to the system using Remote Desktop.
Enable Legacy Security Layer Authentication for Remote Desktop Connections (SYSTEM) (T1112): This scenario sets the SecurityLayer registry value, located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, to 0 to force the server to use the legacy native RDP Security Layer, facilitating remote access for persistence and lateral movement.
Consists of techniques used by adversaries to harvest credentials available on the compromised system.
Dump LSASS Process to Minidump File (T1003.001): This scenario dumps the memory of the Windows Local Security Authority Subsystem Service (LSASS) process to a Minidump file using rundll32.exe in combination with the native Windows library comsvcs.dll.
Dump SYSTEM Registry Hive via “reg save” Command (T1003.002): This scenario attempts to save a copy of the HKLM\SYSTEM registry hive to a temporary file by executing the native Windows reg save command.
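The persistence, defense evasion, and credential access scenarios above all leave a distinctive command line behind (schtasks /create, Add-MpPreference with an exclusion, New-NetFirewallRule, reg add against the two Terminal Server values, rundll32 with comsvcs.dll MiniDump, and reg save of the SYSTEM hive). The following Python is an added example, not code from AttackIQ or from the Symantec/Carbon Black investigation, showing how a detection engineer can match those command lines in process-creation telemetry (Sysmon Event ID 1 or Windows Event 4688 style) and roll the hits up per host by ATT&CK technique. The event records, host names, process IDs, and file paths are constructed for the example.

```python
import re
from dataclasses import dataclass

# Detection rules for the persistence, defense-evasion and credential-access
# scenarios described above: (rule name, ATT&CK technique, command-line regex).
RULES = [
    ("schtasks_create", "T1053.005",
     re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)),
    ("defender_exclusion", "T1562.001",
     re.compile(r"\bAdd-MpPreference\b.*?-Exclusion(?:Process|Path|Extension)\b", re.I)),
    ("firewall_allow_rule", "T1562.004",
     re.compile(r"\bNew-NetFirewallRule\b.*?-Action\s+Allow\b", re.I)),
    ("rdp_enabled", "T1562.001",
     re.compile(r"\bfDenyTSConnections\b.*?/d\s+0\b", re.I)),
    ("rdp_legacy_security_layer", "T1112",
     re.compile(r"RDP-Tcp\b.*?\bSecurityLayer\b.*?/d\s+0\b", re.I)),
    # comsvcs.dll exports MiniDump as ordinal #24, so both spellings are covered.
    ("lsass_minidump_comsvcs", "T1003.001",
     re.compile(r"\bcomsvcs(?:\.dll)?\s*,\s*(?:#24|MiniDump)\b", re.I)),
    ("reg_save_hive", "T1003.002",
     re.compile(r"\breg(?:\.exe)?\s+save\s+\"?HKLM\\(?:SYSTEM|SAM|SECURITY)\b", re.I)),
]

# Constructed sample process-creation events (host + full command line).
# These are NOT telemetry from the investigation the page describes.
SAMPLE_EVENTS = [
    {"host": "WS01", "cmd": r'schtasks /create /tn "Updater" /tr "C:\Users\Public\system.exe" /sc onlogon /ru SYSTEM'},
    {"host": "WS01", "cmd": r'powershell -c "Add-MpPreference -ExclusionProcess C:\Users\Public\service.exe"'},
    {"host": "WS01", "cmd": r'powershell New-NetFirewallRule -DisplayName "ssh" -Direction Outbound -RemotePort 22 -Protocol TCP -Action Allow'},
    {"host": "WS01", "cmd": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "WS01", "cmd": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f'},
    {"host": "WS01", "cmd": r'rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Windows\Temp\lsass.dmp full'},
    {"host": "WS01", "cmd": r'reg save HKLM\SYSTEM C:\Windows\Temp\sys.hiv'},
    # Benign administrative noise on a second host: must not fire.
    {"host": "WS02", "cmd": r'reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion'},
    {"host": "WS02", "cmd": r'schtasks /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"'},
]


@dataclass
class Finding:
    host: str
    rule: str
    technique: str
    command: str


def scan(events):
    """Return one Finding per (event, matching rule) pair."""
    findings = []
    for ev in events:
        for name, technique, pattern in RULES:
            if pattern.search(ev["cmd"]):
                findings.append(Finding(ev["host"], name, technique, ev["cmd"]))
    return findings


def summarize(findings):
    """Map each host to the sorted set of ATT&CK techniques observed on it."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.technique)
    return {host: sorted(techs) for host, techs in per_host.items()}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host}  {f.technique:<10} {f.rule:<26} {f.command}")
    print(summarize(hits))
```

A host that accumulates several of these techniques in a short span (as WS01 does here) is a far stronger signal than any single rule, which is why the roll-up is per host rather than per event; the individual regexes are deliberately narrow to keep routine administration such as reg query or schtasks /query out of the alert stream.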
Consists of techniques that adversaries use to discover information related to the compromised environment.
Obtain Username using “whoami” Command (T1033): This scenario executes the native whoami command to receive details of the running user account.
Process Discovery Through Tasklist (T1057): This scenario enumerates processes running on the target asset through the tasklist Windows utility. The results are saved to a file in a temporary location.
Obtain System Information via “systeminfo” Command (T1082): This scenario executes the systeminfo command to collect information about the compromised system.
Domain Remote System Discovery Via Net Command (T1018): This scenario executes the net group "Domain Computers" /domain command to gather additional hosts available to the infected asset.
Get ARP Information through Windows Command Line (T1016): This scenario executes the arp -a command to retrieve the system’s Address Resolution Protocol (ARP) information, which can reveal valuable network details.
Collect Information about Remote Desktop Session using “query session” Command (T1082): This scenario executes the query session command to gather information about sessions on a Remote Desktop Session Host server.
Discover Processes via “Get-Process” PowerShell Command (T1057): This scenario leverages the Get-Process PowerShell cmdlet to gather detailed information about running processes on a compromised Windows system.
Verify Internet Connection via “tracert” Command (T1016.001): This scenario executes the tracert command to gather information about the topology of the network.
Domain Controller Remote System Discovery via “Get-AdComputer” PowerShell Command (T1018): This scenario executes the Get-AdComputer PowerShell cmdlet to gather information about other systems that can be used for lateral movement.
Discover Windows Capabilities via “Get-WindowsCapability” PowerShell Command (T1082): This scenario executes the Get-WindowsCapability PowerShell cmdlet to obtain the Windows capabilities installed on the local host.
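Each discovery command listed above is unremarkable on its own (administrators run whoami and systeminfo every day), so the useful detection is the burst: many distinct discovery techniques from one host inside a few minutes. The Python below is an added example, not AttackIQ code or anything from the investigation, that tags each command line with the ATT&CK technique from the list above and reports a host when at least four distinct techniques appear within a five-minute window. The timestamps, host names, and command lines are constructed; the window size and threshold are assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Discovery commands from the scenario list above, mapped to ATT&CK techniques.
DISCOVERY_RULES = [
    ("whoami", "T1033", re.compile(r"\bwhoami(?:\.exe)?\b", re.I)),
    ("tasklist", "T1057", re.compile(r"\btasklist(?:\.exe)?\b", re.I)),
    ("get_process", "T1057", re.compile(r"\bGet-Process\b", re.I)),
    ("systeminfo", "T1082", re.compile(r"\bsysteminfo(?:\.exe)?\b", re.I)),
    ("query_session", "T1082", re.compile(r"\bquery\s+session\b", re.I)),
    ("get_windowscapability", "T1082", re.compile(r"\bGet-WindowsCapability\b", re.I)),
    ("net_group_domain", "T1018", re.compile(r"\bnet(?:\.exe)?\s+group\b.*/domain\b", re.I)),
    ("get_adcomputer", "T1018", re.compile(r"\bGet-ADComputer\b", re.I)),
    ("arp", "T1016", re.compile(r"\barp(?:\.exe)?\s+-a\b", re.I)),
    ("tracert", "T1016.001", re.compile(r"\btracert(?:\.exe)?\b", re.I)),
]

# Constructed sample events: (host, ISO-8601 timestamp, command line).
# Not telemetry from the investigation the page describes.
SAMPLE_EVENTS = [
    ("SRV-WEB01", "2025-07-14T09:12:03", "whoami"),
    ("SRV-WEB01", "2025-07-14T09:12:10", r"tasklist /v > C:\Windows\Temp\t.txt"),
    ("SRV-WEB01", "2025-07-14T09:12:31", "systeminfo"),
    ("SRV-WEB01", "2025-07-14T09:13:05", 'net group "Domain Computers" /domain'),
    ("SRV-WEB01", "2025-07-14T09:13:40", "arp -a"),
    ("SRV-WEB01", "2025-07-14T09:14:02", "query session"),
    ("SRV-WEB01", "2025-07-14T09:15:20", 'powershell -c "Get-ADComputer -Filter *"'),
    # An administrator running two discovery commands an hour apart: no burst.
    ("WS-ADMIN07", "2025-07-14T08:00:00", "systeminfo"),
    ("WS-ADMIN07", "2025-07-14T09:05:00", "whoami"),
    ("WS-ADMIN07", "2025-07-14T09:06:00", r"notepad.exe C:\notes.txt"),
]


@dataclass
class Burst:
    host: str
    start: datetime
    end: datetime
    techniques: list   # sorted distinct ATT&CK technique IDs in the window
    event_count: int


def classify(cmd):
    """Return the ATT&CK technique for a discovery command line, or None."""
    for _name, technique, pattern in DISCOVERY_RULES:
        if pattern.search(cmd):
            return technique
    return None


def discovery_bursts(events, window=timedelta(minutes=5), min_techniques=4):
    """Sliding-window correlation: report each host whose discovery commands
    span at least `min_techniques` distinct techniques inside `window`."""
    tagged = defaultdict(list)
    for host, ts, cmd in events:
        technique = classify(cmd)
        if technique:
            tagged[host].append((datetime.fromisoformat(ts), technique))

    bursts = []
    for host, hits in tagged.items():
        hits.sort()
        i = 0
        while i < len(hits):
            start = hits[i][0]
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            techniques = sorted({t for _, t in in_window})
            if len(techniques) >= min_techniques:
                bursts.append(Burst(host, start, in_window[-1][0], techniques, len(in_window)))
                i += len(in_window)   # skip the events already reported
            else:
                i += 1
    return bursts


if __name__ == "__main__":
    for b in discovery_bursts(SAMPLE_EVENTS):
        print(f"{b.host}: {b.event_count} discovery commands, {len(b.techniques)} techniques "
              f"{b.techniques} between {b.start.time()} and {b.end.time()}")
```

Counting distinct techniques rather than raw commands keeps a script that calls tasklist ten times from tripping the threshold, while a handful of different commands in the order an operator would type them (identity, processes, host, domain, network) still surfaces quickly.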
In summary, this assessment template will evaluate security and incident response processes and support the improvement of your security control posture against the behaviors exhibited by Sandworm. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.