Sandworm (also tracked as APT44, Seashell Blizzard, and Voodoo Bear) conducted intrusions against Ukrainian organizations using exploited web services and a custom webshell called LocalOlive, then relied on living-off-the-land techniques to conduct reconnaissance, persistence, and credential theft. The campaign and associated emulation highlight specific TTPs—including LSASS dumping, scheduled task persistence, and…