Ukrainian organizations still heavily targeted by Russian attacks

Threat Profile

Description

Russian-linked attackers conducted multi-month intrusions against Ukrainian organizations, including a two-month campaign against a business services organization and a week-long attack against a local government entity. The attackers gained initial access by exploiting unpatched vulnerabilities on public-facing servers and deployed the Localolive webshell (associated with Sandworm/Seashell Blizzard) on the compromised hosts. They relied heavily on Living-off-the-Land tactics and dual-use tools to maintain persistent access, harvest credentials, perform memory dumps, establish remote access via RDP and OpenSSH, and exfiltrate sensitive information while keeping a minimal footprint. The intrusions involved reconnaissance, credential harvesting through memory dumps targeting KeePass, registry manipulation, firewall modifications, and deployment of PowerShell backdoors and suspicious executables across multiple compromised systems.

MITRE ATT&CK Techniques

T1190 Exploit Public-Facing Application
T1505.003 Server Software Component: Web Shell
T1059.001 Command and Scripting Interpreter: PowerShell
T1087 Account Discovery
T1082 System Information Discovery
T1018 Remote System Discovery
T1003.001 OS Credential Dumping: LSASS Memory
T1552.001 Unsecured Credentials: Credentials In Files
T1562.001 Impair Defenses: Disable or Modify Tools
T1053.005 Scheduled Task/Job: Scheduled Task
T1021.001 Remote Services: Remote Desktop Protocol
T1021.004 Remote Services: SSH
T1219 Remote Access Software
T1027 Obfuscated Files or Information

Indicators of Compromise (10)

636e04f0618dd578d107f440b1cf6c910502d160130adae5e415b2dd2b36abcb
Localolive Webshell
c2cf27810cc11ed7c6ae9f70f156f18cf3f73550ab5d675278e3b725fc88e2b0
Unknown executable (chrome.exe)
69cb709bffbeccea60776c49935acb41ecfb160973f1f11b195007c254c1c28c
Unknown executable (security.exe)
2866763ebd3124bfe9cf3f65d6341dda6bbb98e2653c98dd2f001f152e082291
Unknown executable (service.exe)
47e83dfd0f9680d2e9623fee92c0acc4db40ea4272edeb53164304620305a24f
Legitimate MikroTik application (winbox64.exe) - Dual-use tool
185.145.245.209
Attacker-controlled IP address used to install webshell
8c07c37ac84d4c6fd76de3d966e26b65e401bc641a845baf6f73ad0d6a10fc6b
Unknown executable (service.exe)
ciscoheartbeat.com
Malicious domain associated with the attack
6865685f75a64780aa24a05b267bea128bcc6efdc682fa2893e13a4f63e6d6e7
PowerShell backdoor (link.ps1)
cf8e09f013fcb5f34c8c274bf07d9047956ba441dabf2d3de87ea025e14058b7
PowerShell backdoor (link.ps1)

Metadata

Published: 7 months ago