Cyber Web Spider Blog – News
AI Becomes Russia’s New Cyber Weapon in War on Ukraine

Posted on October 9, 2025 by CWS

Oct 09, 2025 | Ravie Lakshmanan | Artificial Intelligence / Malware
Russian hackers' adoption of artificial intelligence (AI) in cyber attacks against Ukraine reached a new level in the first half of 2025 (H1 2025), the country's State Service for Special Communications and Information Protection (SSSCIP) said.
"Hackers now use it not only to generate phishing messages, but some of the malware samples we have analyzed show clear signs of being generated with AI – and attackers are certainly not going to stop there," the agency said in a report published Wednesday.
SSSCIP said 3,018 cyber incidents were recorded during the period, up from 2,575 in the second half of 2024 (H2 2024). Local government and military entities saw an increase in attacks compared to H2 2024, while attacks targeting the government and energy sectors declined.
One notable attack involved UAC-0219's use of malware called WRECKSTEEL against state administration bodies and critical infrastructure facilities in the country. There is evidence to suggest that the PowerShell data-stealing malware was developed using AI tools.

Some of the other campaigns registered against Ukraine are listed below:

  • Phishing campaigns orchestrated by UAC-0218 targeting defense forces to deliver HOMESTEEL using booby-trapped RAR archives
  • Phishing campaigns orchestrated by UAC-0226 targeting organizations involved in developing innovations for the defense industrial sector, local government bodies, military units, and law enforcement agencies to distribute a stealer called GIFTEDCROOK
  • Phishing campaigns orchestrated by UAC-0227 targeting local government, critical infrastructure facilities, and Territorial Recruitment and Social Support Centers (TRCs and SSCs) that use ClickFix-style tactics or SVG file attachments to distribute stealers such as Amatera Stealer and Strela Stealer
  • Phishing campaigns orchestrated by UAC-0125, a sub-cluster with ties to Sandworm, that sent email messages containing links to a website masquerading as ESET to deliver a C#-based backdoor named Kalambur (aka SUMBUR) under the guise of a threat removal program

SSSCIP said it also observed the Russia-linked APT28 (aka UAC-0001) actors weaponizing cross-site scripting flaws in the Roundcube (CVE-2023-43770, CVE-2024-37383, and CVE-2025-49113) and Zimbra (CVE-2024-27443 and CVE-2025-27915) webmail software to conduct zero-click attacks.
"When exploiting such vulnerabilities, attackers typically injected malicious code that, through the Roundcube or Zimbra API, gained access to credentials, contact lists, and configured filters to forward all emails to attacker-controlled mailboxes," SSSCIP said.

"Another method of stealing credentials using these vulnerabilities was to create hidden HTML blocks (visibility: hidden) with login and password input fields, where the attribute autocomplete="on" was set. This allowed the fields to be auto-filled with data saved in the browser, which was then exfiltrated."
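A defender-side check for the hidden auto-fill trick described above, added here as an example (it is not code from the SSSCIP report or from the article): it walks an HTML message body with Python's standard-library HTMLParser and flags credential-style inputs that sit inside a container hidden via inline CSS (visibility: hidden or display: none) or the HTML hidden attribute, when autocomplete="on" is set on the input or its enclosing form, or when the field is a password field. The sample body, the scan_html name and the example.invalid URL are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Inline CSS that hides a container while its fields stay in the DOM.
HIDDEN_CSS = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
VOID_TAGS = {"input", "br", "img", "meta", "link", "hr"}

class HiddenCredentialFieldScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hidden_stack = []       # one bool per open element: inside hidden block?
        self.form_autocomplete = []  # autocomplete value of each enclosing <form>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        inherited = self.hidden_stack[-1] if self.hidden_stack else False
        hidden = inherited or "hidden" in a or bool(HIDDEN_CSS.search(a.get("style", "")))
        if tag == "input":           # void element: inspect it, push nothing
            self._check_input(a, hidden)
            return
        if tag == "form":
            self.form_autocomplete.append(a.get("autocomplete", "").lower())
        self.hidden_stack.append(hidden)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:         # never pushed, so nothing to pop
            return
        if self.hidden_stack:
            self.hidden_stack.pop()
        if tag == "form" and self.form_autocomplete:
            self.form_autocomplete.pop()

    def _check_input(self, a, hidden):
        itype = a.get("type", "text").lower()
        form_ac = self.form_autocomplete[-1] if self.form_autocomplete else ""
        ac = a.get("autocomplete", form_ac).lower()  # the input's own value wins
        if hidden and itype in {"text", "email", "password"} and (ac == "on" or itype == "password"):
            self.findings.append({"type": itype, "name": a.get("name", ""), "autocomplete": ac})

def scan_html(body):
    # Return the suspicious hidden inputs found in one HTML message body.
    p = HiddenCredentialFieldScanner()
    p.feed(body)
    return p.findings

# Constructed sample body (not a real capture): a hidden block with auto-fillable credential
# fields next to a benign, visible search form that must not be flagged.
SAMPLE_BODY = """<p>Your mailbox quota is almost full.</p>
<div style="visibility: hidden"><form action="https://example.invalid/c" autocomplete="on">
<input type="text" name="username"><input type="password" name="password"></form></div>
<form><input type="text" name="search" autocomplete="on"></form>"""
```

Running scan_html over SAMPLE_BODY reports the hidden username and password fields and ignores the visible search box; in a mail gateway the same check would run over each HTML part before it reaches the webmail client.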
The agency also revealed that Russia continues to engage in hybrid warfare, synchronizing its cyber operations with kinetic attacks on the battlefield, with the Sandworm (UAC-0002) group targeting organizations in the energy, defense, internet service provider, and research sectors.
Furthermore, several threat groups targeting Ukraine have resorted to abusing legitimate services, such as Dropbox, Google Drive, OneDrive, Bitbucket, Cloudflare Workers, Telegram, Telegra.ph, Teletype.in, Firebase, ipfs.io, and mocky.io, to host malware or phishing pages, or to turn them into a data exfiltration channel.
"The use of legitimate online resources for malicious purposes is not a new tactic," SSSCIP said. "However, the number of such platforms exploited by Russian hackers has been steadily growing in recent times."
