The Symantec Threat Hunter Team has uncovered two major cyber intrusions in Ukraine attributed to Russian-aligned threat actors, revealing an ongoing campaign aimed at data theft and persistence across business and government networks.
The operations, conducted between late June and August 2025, relied on minimal malware deployment and extensive use of Living-off-the-Land (LotL) techniques — abusing legitimate Windows utilities and administrative tools to blend malicious activity into normal network behavior.
Symantec reports that attackers first gained access by deploying webshells on public-facing servers, likely exploiting unpatched vulnerabilities. One of the webshells, Localolive, is associated with a sub-group of the Sandworm (Seashell Blizzard) APT, a unit of Russia’s GRU military intelligence known for disruptive cyber operations.
The report notes:
“One of the webshells used was Localolive which, according to Microsoft, is associated with a sub-group of the Russian Sandworm group (aka Seashell Blizzard)… While we have been unable to independently confirm a link to Sandworm, the attacks did appear to be Russian in origin.”
Sandworm has previously conducted high-profile attacks including the 2015–2016 Ukrainian power grid disruptions, VPNFilter router malware, and the AcidRain wiper used against Viasat modems at the onset of the 2022 invasion.
Rather than deploying custom malware, the attackers focused on LotL commands and scripts to maintain access, gather intelligence, and exfiltrate credentials.
During the June 27 breach, threat actors used cmd.exe and PowerShell to run reconnaissance commands such as whoami, systeminfo, and net group /domain. They also issued commands to disable Windows Defender scanning of specific directories:
This tactic, Symantec explains, “was done to prevent detection of any tools downloaded to that file path.”
Attackers later created scheduled tasks to perform memory dumps every 30 minutes, using the Windows component comsvcs.dll to collect credential data.
One such command observed:
Over several weeks, the attackers expanded from one compromised server to multiple systems, maintaining persistence across the network.
On July 2, they ran PowerShell scripts to identify KeePass password manager processes, likely to extract stored credentials. Later activity involved dumping Windows registry hives, executing custom PowerShell backdoors, and using rdrleakdiag, the Windows Resource Leak Diagnostic tool, to collect full memory dumps — an uncommon but stealthy tactic.
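The activity described above (shells spawned under a web server, recon commands, Defender exclusions, a 30-minute scheduled task that loads comsvcs.dll, KeePass process hunting, rdrleakdiag and registry hive dumps) is a good fit for a hunt over process-creation telemetry. The following script is an added example, not code from Symantec or the report. It assumes Sysmon Event ID 1 style field names (`host`, `parent`, `image`, `cmdline`), the sample events are constructed rather than real telemetry, and task names, pids and paths are placeholders. It scores each host on the distinct living-off-the-land actions seen, so a lone `whoami` from a help-desk session does not fire while the chained pattern does.

```python
"""Hunt for the living-off-the-land chain in process-creation logs.

Added example, not Symantec's code. Field names follow Sysmon Event ID 1
naming (assumption); SAMPLE_EVENTS are constructed, not real telemetry.
"""
import re
from collections import defaultdict

# Each rule: (name, regex applied to the lower-cased command line, weight).
# Indicators are the native Windows tools the report names; weights favour
# rare actions (Defender exclusions, memory dumps) over plain reconnaissance.
RULES = [
    ("recon_whoami",           r"\bwhoami\b", 1),
    ("recon_systeminfo",       r"\bsysteminfo\b", 1),
    ("recon_net_group_domain", r"\bnet1?\s+group\b.*/domain\b", 2),
    ("defender_exclusion",     r"\b(add|set)-mppreference\b.*-exclusion(path|process|extension)\b", 4),
    ("comsvcs_minidump",       r"comsvcs\.dll.*\bminidump\b", 5),
    ("schtask_every_30min",    r"\bschtasks\b.*/create\b.*/sc\s+minute\b.*/mo\s+30\b", 3),
    ("keepass_process_hunt",   r"\bget-process\b.*keepass", 3),
    ("rdrleakdiag_memdump",    r"\brdrleakdiag(\.exe)?\b", 4),
    ("registry_hive_save",     r"\breg(\.exe)?\s+save\b.*\\(sam|system|security)\b", 4),
]
COMPILED = [(name, re.compile(rx), weight) for name, rx, weight in RULES]
WEIGHTS = {name: weight for name, _, weight in RULES}
WEIGHTS["shell_from_webserver"] = 3  # context rule, matched on parent/image, not cmdline

WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample records. srv-web01 carries the chain from the report;
# ws-fin07 and dc01 show ordinary admin activity that must not be flagged.
SAMPLE_EVENTS = [
    {"host": "srv-web01", "parent": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "srv-web01", "parent": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c systeminfo"},
    {"host": "srv-web01", "parent": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c net group /domain"},
    {"host": "srv-web01", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Add-MpPreference -ExclusionPath C:\\ProgramData\\tmp"},
    {"host": "srv-web01", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 30 /tn <task-name> /tr "rundll32.exe comsvcs.dll MiniDump <pid> <dump-path>"'},
    {"host": "srv-web01", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -c \"Get-Process | Where-Object { $_.ProcessName -like '*KeePass*' }\""},
    {"host": "srv-web01", "parent": "cmd.exe", "image": "rdrleakdiag.exe", "cmdline": "rdrleakdiag.exe <args>"},
    {"host": "srv-web01", "parent": "cmd.exe", "image": "reg.exe",
     "cmdline": "reg.exe save HKLM\\SAM C:\\ProgramData\\tmp\\sam.hiv"},
    {"host": "ws-fin07", "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "ws-fin07", "parent": "explorer.exe", "image": "schtasks.exe",
     "cmdline": "schtasks /create /sc daily /tn NightlyBackup /tr C:\\Scripts\\backup.bat"},
    {"host": "dc01", "parent": "explorer.exe", "image": "cmd.exe", "cmdline": 'net group "Domain Admins" /domain'},
]


def match_rules(event):
    """Return the names of every rule this single event satisfies."""
    cmd = event.get("cmdline", "").lower()
    hits = [name for name, rx, _ in COMPILED if rx.search(cmd)]
    # A shell spawned directly by a web-server worker is the webshell stage.
    if (event.get("parent", "").lower() in WEB_SERVER_PARENTS
            and event.get("image", "").lower() in SHELLS):
        hits.append("shell_from_webserver")
    return hits


def score_hosts(events):
    """Aggregate distinct rule hits per host: {host: {"rules": set, "score": int}}."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(match_rules(ev))
    return {h: {"rules": rules, "score": sum(WEIGHTS[r] for r in rules)}
            for h, rules in per_host.items()}


def flag_hosts(events, min_score=8, min_rules=3):
    """Hosts whose distinct hits cross both thresholds, sorted by name."""
    return sorted(h for h, s in score_hosts(events).items()
                  if s["score"] >= min_score and len(s["rules"]) >= min_rules)


if __name__ == "__main__":
    for host, summary in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: score={summary['score']} rules={sorted(summary['rules'])}")
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

The scoring deliberately counts distinct actions rather than raw event volume: the report's point is that each command is a legitimate Windows tool, so no single line is conclusive, but the combination (web-server child shell, exclusion added, periodic dump task, credential store access) is. In a real deployment the regexes would run over your EDR or Sysmon export and the thresholds would be tuned against a baseline of admin activity.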
The report notes that “the attackers demonstrated an in-depth knowledge of Windows native tools and showed how a skilled attacker can advance an attack and steal sensitive information, such as credentials, while leaving a minimal footprint on the targeted network.”
Although Symantec stopped short of directly attributing the operation to Sandworm, the tactics and tooling closely mirror known GRU-linked campaigns. The deployment of Localolive webshells, PowerShell backdoors, and the Winbox64.exe router management tool — previously seen in CERT-UA reports — suggests a continuation of Russian cyber espionage against Ukrainian institutions.
Researchers observed attackers using legitimate network utilities such as RDPclip, OpenSSH, and Winbox, possibly to establish redundant access and lateral movement channels across compromised hosts.
The use of scheduled tasks, registry modifications, and firewall rule changes indicates the attackers’ efforts to sustain long-term footholds despite minimal malware usage.