Russian Sandworm Group Targets Ukrainian Organizations with Data-Wiping Malware and LotL Tactics
Summary
Russian threat actors, specifically the Sandworm group, have targeted Ukrainian organizations, including a business services firm, a local government entity, and the grain sector, using living-off-the-land (LotL) tactics and dual-use tools to maintain persistent access and exfiltrate sensitive data. The attacks, which began in June 2025, relied on minimal malware to reduce detection: the actors exploited unpatched vulnerabilities to deploy web shells on public-facing servers for initial access, then used PowerShell commands, scheduled tasks, and legitimate software to evade detection and perform reconnaissance, demonstrating deep knowledge of Windows native tools.

In addition to LotL tactics, Sandworm deployed multiple data-wiping malware families in June and September 2025, targeting Ukraine's education, government, and grain sectors. The grain sector, a vital part of the economy, was targeted to disrupt Ukraine's war economy. The wipers used included ZeroLot and Sting; initial access was achieved by UAC-0099, who then transferred it to APT44 for wiper deployment. The activity is confirmed to be of Russian origin, with specific attribution to the Sandworm group.

A new Russia-aligned threat activity cluster, InedibleOchotense, impersonated ESET in phishing attacks targeting Ukrainian entities starting in May 2025. The campaign sent spear-phishing emails and Signal text messages containing links to trojanized ESET installers, which delivered the Kalambur backdoor. InedibleOchotense is linked to the Sandworm (APT44) hacking group and has been observed conducting destructive campaigns in Ukraine, including the deployment of the wiper malware ZEROLOT and Sting.
Another Russia-aligned threat actor, RomCom, launched spear-phishing campaigns in mid-July 2025 exploiting a WinRAR vulnerability (CVE-2025-8088) targeting various sectors in Europe and Canada. RomCom also targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent. The activity has been attributed with medium-to-high confidence to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces of the Russian Federation, also known as GRU. The targeted entity had worked for a city with close ties to Ukraine in the past. The ESET report noted that other Russian-aligned APT groups also maintained their focus on Ukraine and countries with strategic ties to Ukraine, while also expanding their operations to European entities. Gamaredon remained the most active APT group targeting Ukraine, with a noticeable increase in intensity and frequency of its operations during the reported period. Gamaredon selectively deployed one of Turla’s backdoors, indicating a rare instance of cooperation between Russia-aligned APT groups. Gamaredon’s toolset continued to evolve, incorporating new file stealers or tunneling services.
Timeline
- 06.11.2025 17:31 · 3 articles
  RomCom Exploits WinRAR 0-Day in Attacks on European and Canadian Sectors
  RomCom targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent. The activity has been attributed with medium-to-high confidence to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces of the Russian Federation, also known as GRU. The targeted entity had worked for a city with close ties to Ukraine in the past. The attack chains typically involve serving fake browser update alerts for Google Chrome or Mozilla Firefox on legitimate-but-compromised websites to trick unsuspecting users into downloading malicious JavaScript that's responsible for installing a loader, which then fetches additional malware. The fake update payload allows the threat actors to run commands on the compromised machine by means of a reverse shell established to a command-and-control (C2) server. This includes conducting reconnaissance and dropping a custom Python backdoor codenamed VIPERTUNNEL. Also delivered is a RomCom-linked DLL loader that launches the Mythic Agent, a core component of the cross-platform, post-exploitation red-teaming framework.
  Sources:
  - Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine — thehackernews.com — 06.11.2025 17:31
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
  - RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware — thehackernews.com — 26.11.2025 10:28
- 06.11.2025 12:01 · 3 articles
  Sandworm Deploys Data-Wiping Malware Against Ukrainian Sectors
  Sandworm continued destructive campaigns in Ukraine, launching wiper malware ZEROLOT and Sting aimed at an unnamed university in April 2025. The UAC-0099 group conducted initial access operations and transferred validated targets to Sandworm for follow-up activity. These destructive attacks by Sandworm are a reminder that wipers very much remain a frequent tool of Russia-aligned threat actors in Ukraine. Sandworm, also known as APT44, Telebots, Voodoo Bear, Iridium, Seashell Blizzard, and Iron Viking, has been associated with Russia's military intelligence service’s (GRU) unit MUN 74455 by several cybersecurity companies and government agencies. ESET assessed that Sandworm’s likely objective for deploying new wipers was to weaken the Ukrainian economy.
  Sources:
  - Sandworm hackers use data wipers to disrupt Ukraine's grain sector — www.bleepingcomputer.com — 06.11.2025 12:01
  - Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine — thehackernews.com — 06.11.2025 17:31
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
- 29.10.2025 13:51 · 4 articles
  Russian Actors Target Ukrainian Organizations Using Living-Off-the-Land Tactics
  InedibleOchotense, a Russia-aligned threat activity cluster, impersonated ESET in phishing attacks targeting Ukrainian entities starting in May 2025. This campaign involved sending spear-phishing emails and Signal text messages containing links to trojanized ESET installers, which delivered the Kalambur backdoor. The Kalambur backdoor uses the Tor network for command-and-control and enables remote access via RDP. InedibleOchotense is assessed to share tactical overlaps with a campaign involving the BACKORDER backdoor and is linked to the Sandworm (APT44) hacking group. The ESET report noted that other Russian-aligned APT groups also maintained their focus on Ukraine and countries with strategic ties to Ukraine, while also expanding their operations to European entities. Gamaredon remained the most active APT group targeting Ukraine, with a noticeable increase in intensity and frequency of its operations during the reported period. Gamaredon selectively deployed one of Turla’s backdoors, indicating a rare instance of cooperation between Russia-aligned APT groups. Gamaredon’s toolset continued to evolve, incorporating new file stealers or tunneling services.
  Sources:
  - Russian Hackers Target Ukrainian Organizations Using Stealthy Living-Off-the-Land Tactics — thehackernews.com — 29.10.2025 13:51
  - Sandworm hackers use data wipers to disrupt Ukraine's grain sector — www.bleepingcomputer.com — 06.11.2025 12:01
  - Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine — thehackernews.com — 06.11.2025 17:31
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
Information Snippets
- The attacks targeted a business services organization for two months and a local government entity for one week.
  First reported: 29.10.2025 13:51 · 1 source, 1 article. Sources:
  - Russian Hackers Target Ukrainian Organizations Using Stealthy Living-Off-the-Land Tactics — thehackernews.com — 29.10.2025 13:51
- The threat actors used living-off-the-land (LotL) tactics and dual-use tools to minimize detection.
  First reported: 29.10.2025 13:51 · 2 sources, 3 articles. Sources:
  - Russian Hackers Target Ukrainian Organizations Using Stealthy Living-Off-the-Land Tactics — thehackernews.com — 29.10.2025 13:51
  - Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine — thehackernews.com — 06.11.2025 17:31
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
- Initial access was gained by deploying web shells on public-facing servers, exploiting unpatched vulnerabilities.
  First reported: 29.10.2025 13:51 · 2 sources, 2 articles. Sources:
  - Russian Hackers Target Ukrainian Organizations Using Stealthy Living-Off-the-Land Tactics — thehackernews.com — 29.10.2025 13:51
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
- The web shell LocalOlive, previously linked to the Sandworm group, was used to deliver next-stage payloads.
  First reported: 29.10.2025 13:51 · 1 source, 1 article. Sources:
  - Russian Hackers Target Ukrainian Organizations Using Stealthy Living-Off-the-Land Tactics — thehackernews.com — 29.10.2025 13:51
- The attackers conducted extensive reconnaissance, including registry hive copying, process enumeration, and memory dumps.
  First reported: 29.10.2025 13:51 · 1 source, 1 article. Sources:
  - Russian Hackers Target Ukrainian Organizations Using Stealthy Living-Off-the-Land Tactics — thehackernews.com — 29.10.2025 13:51
- The activity involved the use of legitimate tools like PowerShell, RDP, and OpenSSH for persistence and data exfiltration.
  First reported: 29.10.2025 13:51 · 1 source, 2 articles. Sources:
  - Russian Hackers Target Ukrainian Organizations Using Stealthy Living-Off-the-Land Tactics — thehackernews.com — 29.10.2025 13:51
  - Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine — thehackernews.com — 06.11.2025 17:31
- The attacks began on June 27, 2025, and involved the use of scheduled tasks and PowerShell backdoors.
  First reported: 29.10.2025 13:51 · 1 source, 1 article. Sources:
  - Russian Hackers Target Ukrainian Organizations Using Stealthy Living-Off-the-Land Tactics — thehackernews.com — 29.10.2025 13:51
- The attackers demonstrated a deep knowledge of Windows native tools and minimal malware usage.
  First reported: 29.10.2025 13:51 · 1 source, 1 article. Sources:
  - Russian Hackers Target Ukrainian Organizations Using Stealthy Living-Off-the-Land Tactics — thehackernews.com — 29.10.2025 13:51
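As an added illustration of how a defender might hunt for the LotL chain the snippets above describe (a web server process spawning shells, scheduled-task creation, encoded PowerShell, registry hive copies, RDP and OpenSSH enablement), the following Python script is example code written for this page, not code from any of the cited reports. The pipe-delimited event format and the sample events are constructed, and the rule weights and alert threshold are arbitrary assumptions a team would tune to its own environment.

```python
import re
from collections import defaultdict

# Constructed process-creation events in a hypothetical "host|parent|image|cmdline"
# format; none of these lines come from a real incident.  Host web01 mimics the
# chain described in the reporting, host fs02 is routine admin activity.  The
# base64 after -enc is a harmless placeholder, not a real payload.
SAMPLE_EVENTS = r"""
web01|w3wp.exe|cmd.exe|cmd.exe /c whoami
web01|w3wp.exe|powershell.exe|powershell.exe -nop -w hidden -enc QQBCAEMARAA=
web01|cmd.exe|schtasks.exe|schtasks.exe /create /tn Updater /tr powershell.exe /sc hourly
web01|cmd.exe|reg.exe|reg.exe save HKLM\SYSTEM C:\Windows\Temp\s.hiv
web01|cmd.exe|reg.exe|reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
web01|cmd.exe|powershell.exe|powershell.exe Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
fs02|explorer.exe|powershell.exe|powershell.exe -File C:\Scripts\nightly-backup.ps1
fs02|explorer.exe|schtasks.exe|schtasks.exe /query /tn Backup
fs02|services.exe|svchost.exe|svchost.exe -k netsvcs
"""

WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# (rule name, predicate over a parsed event, weight).  Weights are arbitrary
# assumptions chosen so that one noisy admin command alone stays below threshold.
RULES = [
    ("webshell_child",
     lambda e: e["parent"] in WEB_SERVER_PARENTS and e["image"] in SHELLS, 5),
    ("encoded_powershell",
     lambda e: e["image"] in SHELLS and re.search(r"\s-(e|ec|enc|encodedcommand)\s", e["cmd"]), 2),
    ("schtask_create",
     lambda e: e["image"] == "schtasks.exe" and "/create" in e["cmd"], 2),
    ("hive_export",
     lambda e: e["image"] == "reg.exe" and re.match(r"reg(\.exe)?\s+save\s+hklm", e["cmd"]), 3),
    ("rdp_enabled",
     lambda e: "fdenytsconnections" in e["cmd"] and re.search(r"/d\s+0\b", e["cmd"]), 3),
    ("openssh_install",
     lambda e: "openssh.server" in e["cmd"] or e["image"] == "sshd.exe", 3),
]


def parse_events(text):
    """Parse the pipe-delimited sample format; parent/image/cmd are lower-cased for matching."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, parent, image, cmd = line.split("|", 3)
        events.append({"host": host, "parent": parent.lower(),
                       "image": image.lower(), "cmd": cmd.lower(), "raw": cmd})
    return events


def score_hosts(text):
    """Return {host: {"score": summed weights, "hits": sorted distinct rule names}}."""
    tally = defaultdict(lambda: {"score": 0, "hits": set()})
    for e in parse_events(text):
        entry = tally[e["host"]]          # every host appears, even with no hits
        for name, pred, weight in RULES:
            if pred(e):
                entry["score"] += weight
                entry["hits"].add(name)
    return {h: {"score": v["score"], "hits": sorted(v["hits"])} for h, v in tally.items()}


def flag_hosts(text, threshold=8):
    """Hosts that cross the score threshold AND show at least two distinct stages,
    so a single suspicious command does not page anyone on its own."""
    return sorted(h for h, v in score_hosts(text).items()
                  if v["score"] >= threshold and len(v["hits"]) >= 2)


if __name__ == "__main__":
    for host, v in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: score={v['score']} stages={v['hits']}")
    print("flagged:", flag_hosts(SAMPLE_EVENTS))   # flagged: ['web01']
```

Feeding real Sysmon event ID 1 or Security 4688 records into `parse_events` only requires mapping their parent image, image and command-line fields onto the four columns.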
- The Sandworm group deployed multiple data-wiping malware families in attacks targeting Ukraine's education, government, and grain sectors in June and September 2025.
  First reported: 06.11.2025 12:01 · 3 sources, 3 articles. Sources:
  - Sandworm hackers use data wipers to disrupt Ukraine's grain sector — www.bleepingcomputer.com — 06.11.2025 12:01
  - Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine — thehackernews.com — 06.11.2025 17:31
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
- The data-wiping malware used in these attacks includes ZeroLot and Sting.
  First reported: 06.11.2025 12:01 · 3 sources, 3 articles. Sources:
  - Sandworm hackers use data wipers to disrupt Ukraine's grain sector — www.bleepingcomputer.com — 06.11.2025 12:01
  - Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine — thehackernews.com — 06.11.2025 17:31
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
- The attacks targeted the grain sector, which is Ukraine's main revenue source, aiming to disrupt the country's war economy.
  First reported: 06.11.2025 12:01 · 2 sources, 2 articles. Sources:
  - Sandworm hackers use data wipers to disrupt Ukraine's grain sector — www.bleepingcomputer.com — 06.11.2025 12:01
  - Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine — thehackernews.com — 06.11.2025 17:31
- Initial access for some of these incidents was achieved by UAC-0099, who then transferred the access to APT44 for wiper deployment.
  First reported: 06.11.2025 12:01 · 3 sources, 3 articles. Sources:
  - Sandworm hackers use data wipers to disrupt Ukraine's grain sector — www.bleepingcomputer.com — 06.11.2025 12:01
  - Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine — thehackernews.com — 06.11.2025 17:31
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
- The Sandworm group has shown a focus on espionage operations but continues to conduct data wiper attacks against Ukrainian entities.
  First reported: 06.11.2025 12:01 · 2 sources, 2 articles. Sources:
  - Sandworm hackers use data wipers to disrupt Ukraine's grain sector — www.bleepingcomputer.com — 06.11.2025 12:01
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
- Iran-aligned activity was identified, deploying Go-based tools based on publicly available open-source wipers, targeting Israel's energy and engineering sectors in June 2025.
  First reported: 06.11.2025 12:01 · 1 source, 1 article. Sources:
  - Sandworm hackers use data wipers to disrupt Ukraine's grain sector — www.bleepingcomputer.com — 06.11.2025 12:01
- A Russia-aligned threat activity cluster, InedibleOchotense, impersonated ESET in phishing attacks targeting Ukrainian entities starting in May 2025.
  First reported: 06.11.2025 17:31 · 2 sources, 2 articles. Sources:
  - Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine — thehackernews.com — 06.11.2025 17:31
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
- InedibleOchotense sent spear-phishing emails and Signal text messages containing links to trojanized ESET installers.
  First reported: 06.11.2025 17:31 · 2 sources, 2 articles. Sources:
  - Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine — thehackernews.com — 06.11.2025 17:31
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
- The trojanized ESET installers delivered the Kalambur backdoor, which uses the Tor network for command-and-control and enables remote access via RDP.
  First reported: 06.11.2025 17:31 · 2 sources, 2 articles. Sources:
  - Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine — thehackernews.com — 06.11.2025 17:31
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
- InedibleOchotense is assessed to share tactical overlaps with a campaign involving the BACKORDER backdoor and is linked to the Sandworm (APT44) hacking group.
  First reported: 06.11.2025 17:31 · 2 sources, 2 articles. Sources:
  - Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine — thehackernews.com — 06.11.2025 17:31
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
- The Kalambur backdoor is capable of dropping OpenSSH and enabling remote access via the Remote Desktop Protocol (RDP) on port 3389.
  First reported: 06.11.2025 17:31 · 2 sources, 2 articles. Sources:
  - Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine — thehackernews.com — 06.11.2025 17:31
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
- CERT-UA attributed a nearly identical campaign to UAC-0125, another sub-cluster within Sandworm.
  First reported: 06.11.2025 17:31 · 2 sources, 2 articles. Sources:
  - Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine — thehackernews.com — 06.11.2025 17:31
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
- Sandworm continued destructive campaigns in Ukraine, launching wiper malware ZEROLOT and Sting aimed at an unnamed university in April 2025.
  First reported: 06.11.2025 17:31 · 2 sources, 2 articles. Sources:
  - Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine — thehackernews.com — 06.11.2025 17:31
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
- The UAC-0099 group conducted initial access operations and transferred validated targets to Sandworm for follow-up activity.
  First reported: 06.11.2025 17:31 · 2 sources, 2 articles. Sources:
  - Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine — thehackernews.com — 06.11.2025 17:31
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
- RomCom, another Russia-aligned threat actor, launched spear-phishing campaigns in mid-July 2025 exploiting a WinRAR vulnerability (CVE-2025-8088) targeting various sectors in Europe and Canada.
  First reported: 06.11.2025 17:31 · 2 sources, 2 articles. Sources:
  - Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine — thehackernews.com — 06.11.2025 17:31
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
- Sandworm, also known as APT44, Telebots, Voodoo Bear, Iridium, Seashell Blizzard, and Iron Viking, has been associated with Russia's military intelligence service’s (GRU) unit MUN 74455 by several cybersecurity companies and government agencies.
  First reported: 07.11.2025 14:20 · 1 source, 1 article. Sources:
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
- ESET assessed that Sandworm’s likely objective for deploying new wipers was to weaken the Ukrainian economy.
  First reported: 07.11.2025 14:20 · 1 source, 1 article. Sources:
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
- Gamaredon remained the most active APT group targeting Ukraine, with a noticeable increase in intensity and frequency of its operations during the reported period.
  First reported: 07.11.2025 14:20 · 2 sources, 2 articles. Sources:
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
  - RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware — thehackernews.com — 26.11.2025 10:28
- Gamaredon selectively deployed one of Turla’s backdoors, indicating a rare instance of cooperation between Russia-aligned APT groups.
  First reported: 07.11.2025 14:20 · 2 sources, 2 articles. Sources:
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
  - RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware — thehackernews.com — 26.11.2025 10:28
- Gamaredon’s toolset continued to evolve, incorporating new file stealers or tunneling services.
  First reported: 07.11.2025 14:20 · 2 sources, 2 articles. Sources:
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
  - RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware — thehackernews.com — 26.11.2025 10:28
- RomCom exploited a zero-day vulnerability in WinRAR to deploy malicious DLLs and deliver a variety of backdoors, focusing on the financial, manufacturing, defense, and logistics sectors in the EU and Canada.
  First reported: 07.11.2025 14:20 · 2 sources, 2 articles. Sources:
  - Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine — www.infosecurity-magazine.com — 07.11.2025 14:20
  - RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware — thehackernews.com — 26.11.2025 10:28
- RomCom targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent.
  First reported: 26.11.2025 10:28 · 1 source, 1 article. Sources:
  - RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware — thehackernews.com — 26.11.2025 10:28
- The activity has been attributed with medium-to-high confidence to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces of the Russian Federation, also known as GRU.
  First reported: 26.11.2025 10:28 · 1 source, 1 article. Sources:
  - RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware — thehackernews.com — 26.11.2025 10:28
- The targeted entity had worked for a city with close ties to Ukraine in the past.
  First reported: 26.11.2025 10:28 · 1 source, 1 article. Sources:
  - RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware — thehackernews.com — 26.11.2025 10:28
- SocGholish (aka FakeUpdates), linked to a financially motivated operator tracked as TA569, serves as an initial access broker, allowing other threat actors to drop a wide range of payloads.
  First reported: 26.11.2025 10:28 · 1 source, 1 article. Sources:
  - RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware — thehackernews.com — 26.11.2025 10:28
- The attack chains typically involve serving fake browser update alerts for Google Chrome or Mozilla Firefox on legitimate-but-compromised websites to trick unsuspecting users into downloading malicious JavaScript that's responsible for installing a loader, which then fetches additional malware.
  First reported: 26.11.2025 10:28 · 1 source, 1 article. Sources:
  - RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware — thehackernews.com — 26.11.2025 10:28
- RomCom leverages several methods, including spear-phishing and zero-day exploits, to breach target networks and drop the eponymous remote access trojan (RAT) on victim machines.
  First reported: 26.11.2025 10:28 · 1 source, 1 article. Sources:
  - RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware — thehackernews.com — 26.11.2025 10:28
- The fake update payload allows the threat actors to run commands on the compromised machine by means of a reverse shell established to a command-and-control (C2) server.
  First reported: 26.11.2025 10:28 · 1 source, 1 article. Sources:
  - RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware — thehackernews.com — 26.11.2025 10:28
- The attack includes conducting reconnaissance and dropping a custom Python backdoor codenamed VIPERTUNNEL.
  First reported: 26.11.2025 10:28 · 1 source, 1 article. Sources:
  - RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware — thehackernews.com — 26.11.2025 10:28
- Also delivered is a RomCom-linked DLL loader that launches the Mythic Agent, a core component of the cross-platform, post-exploitation red-teaming framework.
  First reported: 26.11.2025 10:28 · 1 source, 1 article. Sources:
  - RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware — thehackernews.com — 26.11.2025 10:28
- The timeline from infection via the fake update to the delivery of RomCom's loader was less than 30 minutes.
  First reported: 26.11.2025 10:28 · 1 source, 1 article. Sources:
  - RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware — thehackernews.com — 26.11.2025 10:28
- Delivery is not made until the target's Active Directory domain has been verified to match a known value provided by the threat actor.
  First reported: 26.11.2025 10:28 · 1 source, 1 article. Sources:
  - RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware — thehackernews.com — 26.11.2025 10:28
Similar Happenings
Sanctions imposed on Russian bulletproof hosting providers Media Land, ML.Cloud, and Aeza Group over ransomware support
The U.S., U.K., and Australia have sanctioned Russian bulletproof hosting (BPH) providers Media Land, ML.Cloud, and Aeza Group, along with their executives, for supporting ransomware gangs and cybercrime operations. Media Land's infrastructure has been used by groups like LockBit, BlackSuit, and Play, as well as in DDoS attacks against U.S. companies and critical infrastructure. The sanctions target four executives, including Aleksandr Volosovik, Kirill Zatolokin, Yulia Pankova, and Andrei Kozlov, freezing their assets and exposing transactions with them to secondary sanctions. Additionally, the UK-registered Hypercore, a front for Aeza Group, was also sanctioned. The sanctions aim to disrupt the services that enable cybercriminals to operate with impunity, targeting both the providers and their financial backers. Five Eyes agencies released joint guidance to help mitigate cybercriminal activity using BPH infrastructure, advising traffic analysis, filtering, and customer verification. The coordinated sanctions will seize property and businesses in the US, UK, and Australia, making it harder for the entities to transact with the West through legitimate banking channels.
Cisco IOS XE devices in Australia targeted by BadCandy webshell
The Australian government has warned of ongoing cyberattacks targeting unpatched Cisco IOS XE devices, exploiting the CVE-2023-20198 vulnerability to install the BADCANDY webshell. This allows attackers to execute commands with root privileges. The flaw was patched in October 2023, but many devices remain unpatched, leading to persistent infections. Over 400 devices were potentially compromised since July 2025, with over 150 still infected as of late October 2025. The Australian Signals Directorate (ASD) is actively notifying victims and providing mitigation guidance. The attacks are attributed to state-sponsored cyber-actors, including the Chinese state actor Salt Typhoon. The ASD has noted that the BADCANDY webshell has been actively exploited since October 2023, with ongoing attacks in 2024 and 2025. The ASD has detected re-exploitation on devices for which notifications were previously issued. The ASD recommends reviewing running configurations for unexpected accounts and unknown tunnel interfaces, and advises reviewing TACACS+ AAA command accounting logging for configuration changes.
Atroposia malware-as-a-service platform discovered
A new malware-as-a-service (MaaS) platform named Atroposia offers cybercriminals a remote access trojan (RAT) with capabilities for persistent access, evasion, data theft, and local vulnerability scanning. The malware is available for a $200 monthly subscription and includes advanced features such as hidden remote desktop, file system control, data exfiltration, clipboard theft, credential theft, cryptocurrency wallet theft, and DNS hijacking. Atroposia was first identified by researchers at Varonis on October 15, 2025, and has been observed being promoted on underground forums. The platform includes modules for hidden remote desktop sessions, file management, data exfiltration, credential theft, clipboard monitoring, DNS hijacking, and local vulnerability scanning. The vulnerability scanner audits missing patches, unsafe settings, and vulnerable software, allowing attackers to prioritize exploits. The platform can be combined with SpamGPT and MatrixPDF to create a plug-and-play criminal toolkit. SpamGPT automates phishing campaign creation, SMTP/IMAP cracking, and deliverability tooling, while MatrixPDF weaponizes ordinary PDF files to bypass email filters. Atroposia uses encrypted command and control (C2) servers to foil traffic inspection and automatically escalates privileges via UAC bypass to gain admin rights and install multiple persistence mechanisms.
PhantomCaptcha Campaign Targets Ukraine Aid Groups
A coordinated spear-phishing campaign, dubbed PhantomCaptcha, targeted organizations involved in Ukraine's war relief efforts. The campaign delivered a remote access trojan (RAT) using a WebSocket for command-and-control (C2). The attack took place on October 8, 2025, and impersonated the Ukrainian President's Office, using weaponized PDFs and fake Zoom meetings to trick victims into executing malicious PowerShell commands. The malware performed reconnaissance and enabled remote command execution and data exfiltration. The campaign targeted members of the International Red Cross, Norwegian Refugee Council, UNICEF Ukraine, Council of Europe's Register of Damage for Ukraine, and Ukrainian regional government administrations. The malware was hosted on Russian-owned infrastructure and connected to a remote WebSocket server for C2 operations. The campaign took six months to prepare and involved a sophisticated multi-stage spear-phishing operation, with the weaponized PDF appearing as a legitimate governmental communique. The attack chain included a heavily obfuscated PowerShell downloader to bypass signature-based defenses and hinder analysis. The second-stage payload collected various user data, which was XOR-encrypted and sent to the C2 server. The final payload was a lightweight PowerShell backdoor that repeatedly reconnected to the remote WebSocket server. The campaign demonstrated extensive operational planning, compartmentalized infrastructure, and deliberate exposure control, with the infrastructure active only for a single day.
TwoNet hacktivists target critical infrastructure with realistic honeypot attack
The pro-Russian hacktivist group TwoNet, previously known for DDoS attacks, targeted a water treatment facility in September 2025. The facility was a realistic honeypot set up by Forescout researchers to observe adversaries’ movements. The attack demonstrated TwoNet’s ability to move from initial access to disruptive actions in approximately 26 hours. The group exploited default credentials, SQL vulnerabilities, and an XSS flaw to gain access and disrupt operations. They created a new user account, displayed a hacking message, and disabled real-time updates and alarms. The intrusion was detected and logged by Forescout researchers monitoring the honeypot. TwoNet publicly claimed responsibility for the attack on its Telegram channel. The attack originated from an IP address linked to a German hosting provider, and the attacker used the Firefox browser on the Linux operating system. The attacker conducted defacement, process disruption, manipulation, and evasion activities. TwoNet has expanded its activities to include targeting HMI and SCADA interfaces, publishing personal details of personnel, and offering cybercrime services. The group has also ceased operations as of September 30, 2025, according to a message in an affiliated group, CyberTroops.