Russian-origin Ukraine web shell and LotL intrusion campaign

Campaign
First reported
Last updated
Happening score
H score 50
1 unique source, 1 article

Summary

The Russian-origin campaign targeted organizations in Ukraine with web shells, living-off-the-land tactics, and dual-use tools to keep persistent access and steal sensitive data. It affected a business services organization for two months and a local government entity for a week. The operators relied on stealthier Windows-native activity to reduce their footprint and stay undetected.

Related Happenings

Ghostwriter geofenced PDF spear-phishing campaign targeting Ukrainian government entities

Campaign
First: 14.05.2026 17:00 Last: 14.05.2026 17:00 Sources 1

About this happening: The **Ghostwriter / FrostyNeighbor** group is running a **geofenced spear-phishing campaign** against **government entities in Ukraine**, and the operation matters because it deli...

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations

Campaign
First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

About this happening: A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...

CL-UNK-1068 years-long espionage campaign targeting Asian organizations

Campaign
First: 09.03.2026 09:21 Last: 09.03.2026 09:21 Sources 1

About this happening: A **Chinese threat actor** is linked to a **years-long espionage campaign** against **high-value organizations in South, Southeast, and East Asia**, creating persistent risk for c...

UAC-0050 spear-phishing campaign targeting European financial institutions

Campaign
First: 24.02.2026 16:21 Last: 24.02.2026 16:21 Sources 1

About this happening: The **UAC-0050** spear-phishing operation targeted a **European financial institution**, raising concern that the actor is extending its reach beyond **Ukraine** into **Western Eu...

Timeline

  1. 29.10.2025 13:51 1 article · 7mo ago

    Attackers use web shells to reach a Ukrainian business services network

    Exploitation Observed

    On June 27, 2025, attackers gained access to a large business services organization in Ukraine by deploying web shells on public-facing servers and used the foothold to conduct reconnaissance inside the compromised network.

  2. 29.10.2025 13:51 2 articles · 7mo ago

    Symantec and Carbon Black detail Russian-origin intrusions against Ukrainian organizations

    Initial Disclosure

    Symantec and Carbon Black reported Russian-origin threat actors targeting Ukrainian organizations with web shells, living-off-the-land (LotL) tactics, and dual-use tools to maintain persistent access and steal credentials. They said the activity hit a large business services organization for two months and a local government entity for a week. They also said that Localolive had been used in the intrusion, and that the intrusion could not be tied conclusively to Sandworm but appeared to be Russian in origin.