Find notable cyber news and cases, enriched with sources, timelines, and signals.

Russian-origin Ukraine web shell and LotL intrusion campaign

Campaign
First reported
Last updated
Happening score
H score 38
1 unique sources, 1 articles

Summary

Hide ▲

The Russian-origin campaign targeted organizations in Ukraine with web shells, living-off-the-land tactics, and dual-use tools to keep persistent access and steal sensitive data. It affected a business services organization for two months and a local government entity for a week. The operators relied on stealthier Windows-native activity to reduce their footprint and stay undetected.

Related Happenings

Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel

Malware Activity
H score49 First: 02.06.2026 21:21 Last: 02.06.2026 21:21 Sources 1

About this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....

Latest development: 09.06.2026 15:26

Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.

Ghostwriter geofenced PDF spear-phishing campaign targeting Ukrainian government entities

Campaign
H score50 First: 14.05.2026 17:00 Last: 14.05.2026 17:00 Sources 1

About this happening: The **Ghostwriter / FrostyNeighbor** group is running a **geofenced spear-phishing campaign** against **government entities in Ukraine**, and the operation matters because it deli...

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
H score37 First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations

Campaign
H score39 First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

About this happening: A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...

CL-UNK-1068 years-long espionage campaign targeting Asian organizations

Campaign
H score38 First: 09.03.2026 09:21 Last: 09.03.2026 09:21 Sources 1

About this happening: A **Chinese threat actor** is linked to a **years-long espionage campaign** against **high-value organizations in South, Southeast, and East Asia**, creating persistent risk for c...

Timeline

  1. 29.10.2025 13:51 1 articles · 8mo ago

    Attackers use web shells to reach a Ukrainian business services network

    Exploitation Observed

    On June 27, 2025, attackers gained access to a large business services organization in Ukraine by deploying web shells on public-facing servers and used the foothold to conduct reconnaissance inside the compromised network.

    Show sources
  2. 29.10.2025 13:51 2 articles · 8mo ago

    Symantec and Carbon Black detail Russian-origin intrusions against Ukrainian organizations

    Initial Disclosure

    Symantec and Carbon Black reported Russian-origin threat actors targeting Ukrainian organizations with web shells, living-off-the-land (LotL) tactics, and dual-use tools to maintain persistent access and steal credentials. They said the activity hit a large business services organization for two months and a local government entity for a week, and that Localolive had been used in the intrusion even though the intrusion could not be tied conclusively to Sandworm and appeared Russian in origin.

    Show sources