Russian Hackers Launch Stealthy Living Off the Land Attacks on Government Entity

A recently uncovered two-month intrusion campaign targeting a large Ukrainian business services organization and a week-long attack against a local government entity have exposed the evolving tactics of Russian-linked threat actors.

The attackers demonstrated sophisticated operational security by relying primarily on Living-off-the-Land tactics and dual-use tools rather than deploying conventional malware, thereby maintaining persistent access while minimizing detection risks across compromised networks.

The attackers gained initial access to the business services organization on June 27, 2025, by deploying webshells on public-facing servers, likely through exploitation of unpatched vulnerabilities.

One of the webshells identified was Localolive, which Microsoft associates with a sub-group of the Russian Sandworm group (also tracked as Seashell Blizzard), a military intelligence unit of Russia’s GRU that specializes in destructive operations and IoT targeting campaigns.

While independent confirmation of Sandworm attribution remains pending, the attack patterns and tools strongly suggest Russian origin.

Advanced Reconnaissance and Credential Harvesting

Following initial compromise, the threat actors executed a methodical reconnaissance phase, deploying multiple webshells and executing reconnaissance commands including whoami, tasklist, and systeminfo, as well as domain enumeration queries.

The attackers demonstrated technical sophistication by modifying Windows Defender configurations to exclude the Downloads folder from scanning, preventing detection of the tools they subsequently downloaded there. Because changing Defender exclusions requires administrative rights, this is a clear indication they had already obtained elevated privileges.

The attackers created scheduled tasks executing every 30 minutes to perform memory dumps using the Windows Resource Leak Diagnostic tool (rdrleakdiag) and rundll32.exe with comsvcs.dll to extract credentials from process memory.

This technique proved particularly effective on systems where attackers identified KeePass password vault processes. The attackers also attempted to extract registry hives, targeting the SYSTEM hive for credential material and sensitive configuration data.

Establishing Persistence Through Legitimate Tools

To establish long-term persistence, the attackers deployed OpenSSH and, by modifying registry settings, configured RDP access that does not require pre-authentication.

They created firewall rules enabling inbound connections on port 22 and disabled Windows security features that might detect unauthorized remote access attempts. PowerShell backdoors were scheduled to run every 30 minutes under domain accounts, ensuring continued access even after system reboots.
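As an added example (not code from the report or from the organizations it describes), the following Python hunting script turns the behaviours described in this section and in the reconnaissance and credential-harvesting section above into detection rules over process-creation records such as Sysmon Event ID 1 or Windows Security event 4688. The event field names, the regular expressions, and the sample command lines are assumptions constructed for the example; the hostnames, users, PIDs and paths are made up and are not indicators from the report.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    user: str
    time: str
    command_line: str


# Hunting rules keyed by tactic. Each regex is applied to the lowercased command
# line of a process-creation event. The patterns are assumptions about how these
# tools are typically invoked, not indicators taken from the report.
RULES = [
    ("recon.host_enumeration",
     re.compile(r'(?:^|[\s\\"])(?:whoami|tasklist|systeminfo)(?:\.exe)?(?:[\s"]|$)')),
    ("recon.domain_enumeration",
     re.compile(r'\bnet(?:\.exe)?\s+(?:group|user|localgroup)\b.*\s/domain\b')),
    ("defense_evasion.defender_exclusion",
     re.compile(r'(?:add|set)-mppreference\b.*-exclusion(?:path|process|extension)')),
    ("cred_access.memory_dump_rdrleakdiag",
     re.compile(r'rdrleakdiag(?:\.exe)?\b.*/(?:full)?memdmp')),
    ("cred_access.memory_dump_comsvcs",
     re.compile(r'rundll32(?:\.exe)?\b.*comsvcs(?:\.dll)?\b.*minidump')),
    ("cred_access.registry_hive_export",
     re.compile(r'\breg(?:\.exe)?\s+save\s+hklm\\(?:system|sam|security)\b')),
    ("persistence.scheduled_task_30min",
     re.compile(r'schtasks(?:\.exe)?\b.*/sc\s+minute\b.*/mo\s+30\b')),
    ("persistence.rdp_nla_disabled",
     re.compile(r'\breg(?:\.exe)?\s+add\b.*rdp-tcp.*userauthentication.*\s/d\s+0\b')),
    ("persistence.firewall_allow_22",
     re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*dir=in\b.*localport=22\b')),
]


def scan(events):
    """Return one Finding per (event, rule) match; one event can hit several rules."""
    findings = []
    for ev in events:
        lowered = ev["CommandLine"].lower()
        for name, pattern in RULES:
            if pattern.search(lowered):
                findings.append(Finding(name, ev["Computer"], ev["User"],
                                        ev["UtcTime"], ev["CommandLine"]))
    return findings


def hosts_with_dump_after_exclusion(findings):
    """Hosts where a Defender exclusion was added and a memory dump ran afterwards,
    the sequence described in the report (hide the tooling, then harvest credentials)."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)
    flagged = []
    for host, hits in by_host.items():
        exclusions = [f.time for f in hits if f.rule == "defense_evasion.defender_exclusion"]
        dumps = [f.time for f in hits if f.rule.startswith("cred_access.memory_dump")]
        if exclusions and dumps and min(exclusions) < max(dumps):  # ISO-8601 sorts lexically
            flagged.append(host)
    return sorted(flagged)


def _ev(time, host, user, command_line):
    return {"UtcTime": time, "Computer": host, "User": user, "CommandLine": command_line}


# Constructed sample events (hostnames, users, PIDs and paths are made up).
SAMPLE_EVENTS = [
    _ev("2025-06-27T09:12:00Z", "WEB01", "IIS APPPOOL\\DefaultAppPool",
        r'"C:\Windows\System32\cmd.exe" /c whoami'),
    _ev("2025-06-27T09:13:00Z", "WEB01", "IIS APPPOOL\\DefaultAppPool",
        r'"C:\Windows\System32\cmd.exe" /c tasklist /v'),
    _ev("2025-06-27T09:15:00Z", "WEB01", "IIS APPPOOL\\DefaultAppPool",
        r'net group "Domain Admins" /domain'),
    _ev("2025-06-27T09:40:00Z", "WEB01", "CORP\\svc-backup",
        r'powershell.exe -NoProfile -Command "Add-MpPreference -ExclusionPath C:\Users\Public\Downloads"'),
    _ev("2025-06-27T10:00:00Z", "WEB01", "CORP\\svc-backup",
        r'schtasks /create /tn "SysDiag" /tr "rdrleakdiag.exe /p 712 /o C:\Users\Public\Downloads /fullmemdmp /wait 1" /sc minute /mo 30 /ru SYSTEM'),
    _ev("2025-06-27T10:05:00Z", "WEB01", "NT AUTHORITY\\SYSTEM",
        r'rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Users\Public\Downloads\kp.dmp full'),
    _ev("2025-06-27T10:07:00Z", "WEB01", "NT AUTHORITY\\SYSTEM",
        r'reg save HKLM\SYSTEM C:\Users\Public\Downloads\sys.hiv'),
    _ev("2025-06-28T08:20:00Z", "FS02", "CORP\\svc-backup",
        r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f'),
    _ev("2025-06-28T08:21:00Z", "FS02", "CORP\\svc-backup",
        r'netsh advfirewall firewall add rule name="OpenSSH Server" dir=in action=allow protocol=TCP localport=22'),
    _ev("2025-06-28T08:22:00Z", "FS02", "NT AUTHORITY\\SYSTEM",
        r'C:\Windows\System32\svchost.exe -k netsvcs -p'),  # benign, should not match
    _ev("2025-06-28T11:00:00Z", "WS07", "CORP\\jdoe",
        r'"C:\Windows\System32\whoami.exe" /all'),
]


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.time} {f.host:<5} {f.rule:<38} {f.command_line}")
    print("exclusion followed by memory dump on:", hosts_with_dump_after_exclusion(hits))
```

The single rules are deliberately broad: whoami and tasklist are run by administrators every day, so the reconnaissance hits are only worth an alert when weighted by context such as a web-server worker process spawning cmd.exe. The correlation function is the higher-confidence signal, because a Defender exclusion followed by a memory dump on the same host is the exact sequence the report describes and rarely occurs in legitimate administration.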

Notably, the attackers deployed legitimate Mikrotik router management software (winbox64.exe) in the Downloads folders, the same filename appearing in CERT-UA reports documenting Sandworm activity from 2024.

They also executed suspicious executables mimicking webshell filenames (“service.exe,” “cloud.exe”) and ran encoded Python scripts of undetermined purpose, likely designed for additional exploitation capabilities.

The intrusion revealed attackers’ in-depth knowledge of Windows native tools and architecture. Despite deploying limited malware, the threat actors successfully harvested sensitive information and maintained a persistent network presence for approximately two months.

The campaign underscores how skilled attackers can advance objectives using legitimate system utilities while circumventing traditional detection mechanisms, a stark reminder for organizations to implement robust endpoint detection and response solutions alongside comprehensive vulnerability management programs.

Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.