Russian Hackers Launch Stealth Cyber Attack on Ukraine Using “Living-Off-the-Land” Tactics

Author: Infosec Now

Uploaded: 2025-10-30

Views: 2

Description:

Russian hackers are once again making headlines — this time for a stealthy, highly sophisticated cyber espionage campaign against Ukrainian organizations. But this wasn’t your typical malware-driven cyberattack. Instead, the operation leaned on “Living-Off-the-Land” tactics — using legitimate tools and system functions already built into Windows to quietly infiltrate, spy, and persist without leaving obvious traces.

The findings come from cybersecurity researchers at Symantec and Carbon Black’s Threat Hunter Team. Their investigation uncovered an ongoing campaign that targeted a large business services organization and a local government entity in Ukraine. These attacks lasted for weeks — even months — allowing the intruders to collect sensitive data and maintain stealthy access to compromised systems.

The initial breach vector? Web shells planted on public-facing servers. The attackers likely exploited one or more unpatched vulnerabilities to gain access. Once inside, they used a tool called LocalOlive — previously linked by Microsoft to a Russian state-sponsored group known as Sandworm — to deploy additional payloads like Chisel, plink, and rsockstun. These tools are commonly used to establish covert communications, tunnel data, and manage remote access operations.

What makes this operation so dangerous is its reliance on legitimate administrative tools — PowerShell, Windows Task Scheduler, and Remote Desktop Protocol (RDP). By leveraging these built-in components, the attackers avoided using traditional malware that could be easily detected by antivirus software. Instead, their activities looked almost indistinguishable from normal IT maintenance or system administration tasks.

The attackers even modified system registry settings to enable RDP connections, ran PowerShell scripts to disable antivirus scans in specific folders, and used RDPclip to access clipboard data across remote desktop sessions. They also installed OpenSSH and configured the Windows firewall to allow traffic on port 22, ensuring continuous remote access under the guise of normal operations.

This method of “blending in” is known as Living-Off-the-Land (LotL). It’s one of the stealthiest approaches in modern cyber espionage — one that bypasses traditional defenses and forces cybersecurity teams to focus on behavioral and anomaly-based detection.
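As an added defender's check (this is example code, not code from the video or from the Symantec and Carbon Black report), the following read-only PowerShell audit looks for the host changes the description lists: RDP enabled through the registry, antivirus folder exclusions, an inbound firewall rule for port 22, an OpenSSH server, and scheduled tasks that launch the tools named above. The registry value name and the cmdlets are standard Windows ones; the list of suspect executable names is an assumption built from the tool names in the description. Run it in an elevated session.

```powershell
# Added example, not from the video or the original report. Read-only audit of
# the settings the description says the intruders changed. Run as administrator.
$findings = @()

# 1. RDP enabled via the registry (fDenyTSConnections = 0 means connections are allowed).
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings += 'RDP is enabled (fDenyTSConnections = 0)'
}

# 2. Microsoft Defender folder exclusions (the report describes scans being disabled per folder).
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp -and $mp.ExclusionPath) {
    $findings += "Defender exclusion paths: $($mp.ExclusionPath -join ', ')"
}

# 3. Enabled inbound firewall rules that allow TCP 22 (OpenSSH).
$sshRules = Get-NetFirewallPortFilter -Protocol TCP -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -contains '22' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
foreach ($r in $sshRules) { $findings += "Inbound allow rule for TCP 22: $($r.DisplayName)" }

# 4. OpenSSH server service present on a host where it is not expected.
$sshd = Get-Service -Name sshd -ErrorAction SilentlyContinue
if ($sshd) { $findings += "OpenSSH server service present (status: $($sshd.Status))" }

# 5. Scheduled tasks whose action runs PowerShell or one of the tools named in the report.
# The name list is an assumption; extend it to match your environment.
$suspect = 'powershell|pwsh|plink|chisel|rsockstun|winbox'
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $suspect) {
            $findings += "Scheduled task '$($task.TaskName)' runs: $cmd"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No findings' }
```

Each hit is only a lead: RDP, Defender exclusions and OpenSSH are legitimate on many servers, so compare the output against the host's documented baseline and check when each setting changed.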

Symantec and Carbon Black researchers noted several indicators suggesting Russian involvement, including the use of LocalOlive and winbox64.exe — a legitimate MikroTik router management tool previously observed in a 2024 Sandworm campaign targeting Ukraine’s energy and water infrastructure. While the analysts didn’t find concrete evidence directly tying this new attack to Sandworm, the similarities in tool usage, tactics, and targeting strongly indicate a Russian origin.

Around the same time, a separate Russian-linked threat group known as Gamaredon was exploiting a critical WinRAR vulnerability, tracked as CVE-2025-8088. This flaw allowed attackers to create malicious RAR archives that automatically deployed malware upon extraction — no user action required beyond opening a seemingly harmless PDF.

This surge in Russian cyber operations appears to align with a broader strategic evolution within the country’s digital warfare landscape. According to new intelligence from Recorded Future, the Russian cybercriminal underground is undergoing a dramatic transformation. International law enforcement actions — such as Operation Endgame — are reshaping the ecosystem, pushing cybercriminals to decentralize and, in some cases, operate under direct government oversight.

Leaked chats and internal documents show that senior members of several Russian hacking groups maintain relationships with intelligence services, sharing stolen data or performing specific cyber-espionage tasks in exchange for protection. This relationship — often referred to as the “dark covenant” — is a mix of cooperation, coercion, and control.

It allows the Russian state to harness criminal hacking talent when it suits national interests, while cracking down on those who become politically inconvenient or draw unwanted attention. The result is a fractured cyber landscape marked by paranoia, shifting allegiances, and an ever-blurring line between espionage and organized crime.

For defenders and analysts around the world, this means that traditional cyber threat models no longer apply. Attacks can now serve multiple masters: political influence, financial gain, and strategic intelligence collection — all at once.

The Ukrainian campaign serves as a real-world example of how modern cyber warfare operates in the shadows. Attackers no longer need flashy ransomware or destructive malware to inflict damage. They simply use what’s already available inside the target environment, moving quietly, collecting information, and remaining undetected for months.
