A sophisticated cyber espionage campaign attributed to Russian-origin threat actors has targeted organizations in Ukraine, with the primary objectives of siphoning sensitive data and maintaining long-term persistent access to compromised networks. A detailed report from the Symantec and Carbon Black Threat Hunter Team has brought these activities to light, revealing a methodical approach focused on stealth and evasion.
The attackers employed a strategy centered on living-off-the-land (LotL) tactics, which involve using legitimate, pre-existing tools and processes within the target’s environment to carry out malicious actions. By leveraging these dual-use tools and deploying minimal custom malware, the threat actors reduced their digital footprint, allowing them to operate undetected for extended periods.
Targeted Entities and Intrusion Timelines
The investigation detailed intrusions against at least two significant Ukrainian entities. A large business services organization was compromised for a duration of two months, indicating a deep and sustained intelligence-gathering operation. In a separate incident, a local government entity in the country was targeted for a week. These attacks underscore the focus on both commercial and governmental sectors within Ukraine.
Initial Access and Web Shell Deployment
According to the report, the initial point of entry for the business services organization was its public-facing servers. The Broadcom-owned cybersecurity teams stated, “The attackers gained access to the business services organization by deploying web shells on public-facing servers, most likely by exploiting one or more unpatched vulnerabilities.” This method allowed the attackers to establish a foothold from which they could escalate their activities. One of the specific web shells used in this attack was identified as Localolive. This tool was previously flagged by Microsoft as being used by a sub-group of Russian state-sponsored actors, linking this campaign to known threat groups.
Source: https://thehackernews.com/2025/10/russian-hackers-target-ukrainian.html