Russian-origin Ukraine web shell and LotL intrusion campaign
Campaign
Summary
Hide ▲
Show ▼
The Russian-origin campaign targeted organizations in Ukraine with web shells, living-off-the-land tactics, and dual-use tools to keep persistent access and steal sensitive data. It affected a business services organization for two months and a local government entity for a week. The operators relied on stealthier Windows-native activity to reduce their footprint and stay undetected.
Related Happenings
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware Activity
H score49
First: 02.06.2026 21:21
Last: 02.06.2026 21:21
Sources 1
About this happening:
**Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware ActivityAbout this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Latest development: 09.06.2026 15:26
Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.
Ghostwriter geofenced PDF spear-phishing campaign targeting Ukrainian government entities
Campaign
H score50
First: 14.05.2026 17:00
Last: 14.05.2026 17:00
Sources 1
About this happening:
The **Ghostwriter / FrostyNeighbor** group is running a **geofenced spear-phishing campaign** against **government entities in Ukraine**, and the operation matters because it deli...
Ghostwriter geofenced PDF spear-phishing campaign targeting Ukrainian government entities
CampaignAbout this happening: The **Ghostwriter / FrostyNeighbor** group is running a **geofenced spear-phishing campaign** against **government entities in Ukraine**, and the operation matters because it deli...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
H score37
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
CampaignAbout this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations
Campaign
H score39
First: 28.04.2026 08:50
Last: 28.04.2026 08:50
Sources 1
About this happening:
A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...
APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations
CampaignAbout this happening: A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...
CL-UNK-1068 years-long espionage campaign targeting Asian organizations
Campaign
H score38
First: 09.03.2026 09:21
Last: 09.03.2026 09:21
Sources 1
About this happening:
A **Chinese threat actor** is linked to a **years-long espionage campaign** against **high-value organizations in South, Southeast, and East Asia**, creating persistent risk for c...
CL-UNK-1068 years-long espionage campaign targeting Asian organizations
CampaignAbout this happening: A **Chinese threat actor** is linked to a **years-long espionage campaign** against **high-value organizations in South, Southeast, and East Asia**, creating persistent risk for c...
Timeline
-
29.10.2025 13:51 1 articles · 8mo ago
Attackers use web shells to reach a Ukrainian business services network
Exploitation ObservedOn June 27, 2025, attackers gained access to a large business services organization in Ukraine by deploying web shells on public-facing servers and used the foothold to conduct reconnaissance inside the compromised network.
Show sources
- Russian Hackers Target Ukrainian Organizations Using Stealthy Living-Off-the-Land Tactics — thehackernews.com — 29.10.2025 13:51
-
29.10.2025 13:51 2 articles · 8mo ago
Symantec and Carbon Black detail Russian-origin intrusions against Ukrainian organizations
Initial DisclosureSymantec and Carbon Black reported Russian-origin threat actors targeting Ukrainian organizations with web shells, living-off-the-land (LotL) tactics, and dual-use tools to maintain persistent access and steal credentials. They said the activity hit a large business services organization for two months and a local government entity for a week, and that Localolive had been used in the intrusion even though the intrusion could not be tied conclusively to Sandworm and appeared Russian in origin.
Show sources
- Russian Hackers Target Ukrainian Organizations Using Stealthy Living-Off-the-Land Tactics — thehackernews.com — 29.10.2025 13:51
- Russian Hackers Target Ukrainian Organizations Using Stealthy Living-Off-the-Land Tactics — thehackernews.com — 29.10.2025 13:51