2025-10-30

Attacks involving living-off-the-land tactics and dual-use tools have been deployed by Russia-linked threat actors to exfiltrate data and ensure persistence in targeted Ukrainian organizations, The Hacker News reports.

According to an analysis from the Symantec and Carbon Black Threat Hunter Team, the initial compromise of a Ukrainian business organization's public-facing server in late June was achieved through webshells, including the Sandworm-linked Localolive webshell, which enabled reconnaissance, PowerShell command execution, and the creation of scheduled tasks.

Threat actors then moved to save a registry hive copy, deploy additional webshells, conduct file enumeration, and deliver a legitimate MikroTik router management app within the next few weeks.
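The chain described above (webshell on a public-facing server, shell and PowerShell execution, scheduled task creation, registry hive copy, file enumeration) is made of native Windows tools, so detection has to key on process lineage and command lines rather than on malware hashes. The following is an added detection sketch, not code from the Symantec/Carbon Black report; the web-server process names, tool patterns and telemetry lines are all assumed or constructed for illustration.

```python
import re
from dataclasses import dataclass

# Processes that host web applications; a shell spawned by one of these is the
# classic sign of a webshell. Assumed list, not taken from the report.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Command-line patterns for the dual-use steps the article lists (assumed:
# the report does not say which exact commands were used).
PATTERNS = {
    "scheduled_task_create": re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I),
    "registry_hive_save": re.compile(
        r"\breg(\.exe)?\s+save\s+hk(lm|ey_local_machine)\\(sam|security|system)\b", re.I),
    "file_enumeration": re.compile(r"\b(dir|get-childitem|gci)\b.*\s(/s|-recurse)\b", re.I),
}

@dataclass
class ProcEvent:
    parent: str   # parent process image name
    image: str    # created process image name
    cmdline: str  # full command line of the created process

def classify(ev: ProcEvent) -> list:
    """Return every detection label that applies to one process-creation event."""
    hits = []
    if ev.parent.lower() in WEB_SERVER_PARENTS and ev.image.lower() in SHELLS:
        hits.append("webshell_spawned_shell")
    for name, rx in PATTERNS.items():
        if rx.search(ev.cmdline):
            hits.append(name)
    return hits

def scan(events) -> list:
    """Return (index, labels) for each event that triggers at least one rule."""
    out = []
    for i, ev in enumerate(events):
        labels = classify(ev)
        if labels:
            out.append((i, labels))
    return out

# Constructed sample telemetry: benign admin activity mixed with the chain above.
SAMPLE = [
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe -NoProfile Get-Process"),
    ProcEvent("w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("cmd.exe", "schtasks.exe", "schtasks /create /tn Updater /tr C:\\ProgramData\\u.exe /sc minute"),
    ProcEvent("cmd.exe", "reg.exe", "reg save HKLM\\SAM C:\\Windows\\Temp\\s.hiv"),
    ProcEvent("w3wp.exe", "powershell.exe", 'powershell -c "Get-ChildItem C:\\Users -Recurse"'),
    ProcEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE):
        print(idx, SAMPLE[idx].cmdline, "->", labels)
```

Correlating these labels by host and time window (a web-server child shell followed within minutes by a hive save) is what turns individually noisy rules into a high-confidence alert.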

"The attackers demonstrated an in-depth knowledge of Windows native tools and showed how a skilled attacker can advance an attack and steal sensitive information, such as credentials, while leaving a minimal footprint on the targeted network," said researchers.

Such findings come after Ukrainian government entities were reported by Gen Threat Labs to have been targeted by Russian state-backed advanced persistent threat group Gamaredon in attacks involving the high-severity WinRAR path traversal flaw, tracked as CVE-2025-8088.