Organizations in Ukraine have been targeted by threat actors of Russian origin with an aim to siphon sensitive data and maintain persistent access to compromised networks.
The activity, according to a new report from the Symantec and Carbon Black Threat Hunter Team, targeted a large business services organization for two months and a local government entity in the country for a week.
The attacks mainly leveraged living-off-the-land (LotL) tactics and dual-use tools, coupled with minimal malware, to reduce digital footprints and stay undetected for extended periods of time.
“The attackers gained access to the business services organization by deploying web shells on public-facing servers, most likely by exploiting one or more unpatched vulnerabilities,” the Broadcom-owned cybersecurity teams said in a report shared with The Hacker News.
One of the web shells used in the attack was LocalOlive, which Microsoft previously flagged as being used by a sub-group of the Russia-linked Sandworm crew as part of a multi-year campaign codenamed BadPilot. LocalOlive is designed to facilitate the delivery of next-stage payloads such as Chisel, plink, and rsockstun, and has been in use since at least late 2021.
Early signs of malicious activity targeting the business services organization date back to June 27, 2025, with the attackers leveraging the foothold to drop a web shell and use it to conduct reconnaissance. The threat actors were also found to run PowerShell commands to exclude the machine’s Downloads folder from Microsoft Defender Antivirus scans, as well as to set up a scheduled task to perform a memory dump every 30 minutes.
Over the next couple of weeks, the attackers carried out a variety of actions, including –
- Saving a copy of the registry hive to a file named 1.log
- Dropping more web shells
- Using the web shell to enumerate all files in the user directory
- Running a command to list all running processes beginning with “kee,” likely with the goal of targeting the KeePass password storage vault
- Listing all active user sessions on a second machine
- Running executables named “service.exe” and “cloud.exe” located in the Downloads folder
- Running reconnaissance commands on a third machine and performing a memory dump using the Microsoft Windows Resource Leak Diagnostic tool (RDRLeakDiag)
- Modifying the registry to allow inbound RDP connections
- Running a PowerShell command to retrieve information about the Windows configuration on a fourth machine
- Running RDPclip to gain access to the clipboard in remote desktop connections
- Installing OpenSSH to facilitate remote access to the computer
- Running a PowerShell command to allow TCP traffic on port 22 for the OpenSSH server
- Creating a scheduled task to run an unknown PowerShell backdoor (link.ps1) every 30 minutes using a domain account
- Running an unknown Python script
- Deploying a legitimate MikroTik router management application (“winbox64.exe”) in the Downloads folder
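The actions listed above leave a recognisable trail in PowerShell script-block and process-creation logs. The following added example (not code from the report or from Symantec) runs a handful of detection heuristics over constructed sample command lines that mirror those actions: the Defender exclusion on a Downloads folder, 30-minute scheduled tasks, the "kee" process hunt, the RDP registry change, the TCP/22 firewall rule, and executables or scripts launched from Downloads. The host names, command lines, and the assumption that the RDP change was made through the fDenyTSConnections value are mine; the report names neither the exact commands nor the registry value.

```python
import re

# Constructed sample events (not from the report), formatted "host|command_line".
SAMPLE_EVENTS = [
    "srv1|Add-MpPreference -ExclusionPath C:\\Users\\svc\\Downloads",
    "srv1|schtasks /create /tn memdump /sc minute /mo 30 /tr rdrleakdiag.exe",
    "srv2|Get-Process kee*",
    # Assumption: RDP enabled by clearing fDenyTSConnections; the report does not name the value.
    "srv3|Set-ItemProperty 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server' "
    "-Name fDenyTSConnections -Value 0",
    "srv4|New-NetFirewallRule -Name sshd -Protocol TCP -LocalPort 22 -Direction Inbound",
    "srv4|schtasks /create /tn link /sc minute /mo 30 "
    "/tr \"powershell -File C:\\Users\\svc\\Downloads\\link.ps1\"",
    "srv5|Get-ChildItem C:\\Users\\svc\\Documents",  # benign, should not match
]

# Each rule is a regex over the command line; names are the detection labels.
RULES = {
    "defender_exclusion_downloads": re.compile(r"Add-MpPreference.*-ExclusionPath.*\\Downloads", re.I),
    "task_every_30min": re.compile(r"schtasks.*/sc\s+minute\s+/mo\s+30\b", re.I),
    "keepass_process_hunt": re.compile(r"(Get-Process|tasklist|findstr).*\bkee", re.I),
    "rdp_enabled_via_registry": re.compile(r"fDenyTSConnections.*-Value\s+0\b", re.I),
    "firewall_open_tcp22": re.compile(r"New-NetFirewallRule.*-LocalPort\s+22\b", re.I),
    "downloads_executable": re.compile(r"\\Downloads\\[^\s\"']+\.(?:exe|ps1)\b", re.I),
}


def match_rules(command):
    """Return the names of all rules that fire on a single command line."""
    return [name for name, rx in RULES.items() if rx.search(command)]


def triage(events):
    """Group rule hits per host; hosts with no hits are omitted.

    Several hits on one host within a short window (e.g. exclusion + 30-minute
    task) is the pattern worth escalating, so the output is keyed by host.
    """
    hits = {}
    for line in events:
        host, _, cmd = line.partition("|")
        for name in match_rules(cmd):
            hits.setdefault(host, set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}


if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        print(host, names)
```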
Interestingly,…