In the first part of Trustwave SpiderLabs’ Russia-Ukraine war blog series, we gave a brief look at our major findings as well as the main differences between how Russia and Ukraine wage attacks in the digital frontlines. In this part of our series, we shed light on how both countries target government entities, defense organizations, and even human targets as part of their overall strategy to win the war.
On December 19, 2024, Russian XakNet hackers executed one of the largest cyberattacks during the Ukraine-Russia war, targeting Ukrainian government entities.
Figure 1. XakNet claims responsibility for intruding into Ukrainian government infrastructures.
XakNet is a hacktivist group that claims to consist of Russian patriotic volunteers and has carried out a range of cyber activities, including distributed denial-of-service (DDoS) attacks, system compromises, data leaks, and website defacements, primarily focused on Ukraine. The group coordinates its operations with other hacktivist groups and has connections to the GRU-affiliated APT44 and APT28.
XakNet claimed that its initial compromise of the Ukrainian National Information Systems’ (nais.gov.ua) infrastructure allowed it to execute a secondary attack on the Ukrainian Ministry of Justice (minjust.gov.ua). The attackers claimed to have erased all records, including data from backup servers located in Poland. As a result of the attack, key systems, including property ownership records and personal identification data, were rendered inaccessible for days.
The attack compromised digital access to approximately 60 databases overseen by the Ministry of Justice. Although no official confirmation of data loss was provided, the incident highlighted vulnerabilities within Ukraine's digital infrastructure.
In July 2024, Google’s Threat Analysis Group observed Russian state-backed APT29’s watering hole attack against Mongolian government websites, targeting Android users using Google Chrome.
The group leveraged CVE-2024-5274, which allows arbitrary code execution inside the Chromium sandbox. This was chained with CVE-2024-4671, which allows a sandbox escape via a crafted HTML page. The CVE-2024-5274 exploit code used in this attack was similar to the NSO Group’s version observed in May 2024. NSO Group is a commercial spyware vendor that developed the infamous Pegasus software.
Trustwave SpiderLabs assesses that this campaign was likely part of a routine surveillance operation performed to advance Moscow’s geopolitical interests. However, the capability of using zero-day exploit chains against mobile devices is noteworthy. The presence of such specialized tools in the arsenal of Russian government-linked APT29 may be connected to activities observed by SpiderLabs in April 2024.
On April 6, 2024, the notorious pro-Russian group KillNet made a striking claim: it alleged to have possession of the infamous Pegasus spyware. According to its statement, the software was acquired from a former NSO Group employee who had been arrested. It further declared that Pegasus access was for sale at US$1.5 million, boasting unrestricted usage and asserting that the NSO Group had no capability to interfere with this version.
Figure 2. KillNet’s Telegram channel reposted Deanon Club’s claims.
SpiderLabs could not verify the legitimacy of these claims. Meanwhile, Deanon Club, another hacking entity associated with KillNet, refused to provide any evidence, arguing that revealing proof would attract unwanted attention from law enforcement and NSO representatives.
Yet, having possession of the program is only part of the equation. Pegasus’s true power lies in its ability to exploit zero-day vulnerabilities, known as vectors. Without new vectors, which are rapidly patched upon discovery, the software's effectiveness diminishes significantly. These vectors are typically maintained by NSO or its legitimate clients, making them the most valuable component of the spyware ecosystem.
Adding another layer of intrigue, just two days later, KillNet and Deanon Club offered time-based access to the so-called Pegasus Panel, starting from US$200,000 for one week of access.
Figure 3. KillNet’s Telegram channel reposted Deanon Club’s statement offering time-based access to Pegasus.
In late February 2024, APT28 conducted multiple phishing campaigns impersonating government entities in Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the US, as reported by IBM X-Force.
Phishing lures were crafted using internal and publicly available documents. The payload delivery mechanism leveraged the search-ms protocol query and custom WebDAV servers, ultimately leading to the execution of the MASEPIE backdoor, which would subsequently install OCEANMAP and/or STEELHOOK.
Figure 4. Infection mechanism used in the APT28 campaign, leveraging the search-ms protocol and a WebDAV server. Source: Security Intelligence.
Figure 5. Phishing lure used by APT28. Source: Security Intelligence.
Earlier in February 2024, APT29 conducted a phishing campaign targeting German political parties, which Mandiant reported in March 2024. Consistent with APT29 operations extending back to 2021, the first-stage payload ROOTSAW (aka EnvyScout) was used to deliver a new backdoor called WINELOADER.
In the intricate landscape of cyber warfare between Russia and Ukraine, the emergence of the "Core Werewolf" group, also known as "Awaken Likho" or “PseudoGamaredon”, has added a complex layer of intrigue. Since 2021, this group has been actively targeting Russian government agencies as well as defense and industrial enterprises. It protects its identity by using dummy names to register domains and hosting services, and it uses techniques and methods that mimic those of the Russian APT Gamaredon. This blending approach not only complicates attribution but also demonstrates the group's adaptability in leveraging tools and tactics that mirror those of other advanced threat actors.
Figure 6. Lure documents used by Core Werewolf. Source: SpiderLabs.
One of Core Werewolf’s signature methods involves the use of a 7-Zip SFX that contains lure documents and a batch loader that leads to the installation of an UltraVNC-based backdoor. In campaigns observed since May 2024, SpiderLabs noticed Core Werewolf moving to a more advanced installation mechanism based on AutoIt. In September 2024, Kaspersky observed a new shift in the group’s methods: instead of the UltraVNC binary, the MeshAgent implant was used. MeshAgent is part of MeshCentral, an open-source, web-based platform for remote system management.
Figure 7. Batch setup script creating scheduled task persistence for a VNC-based backdoor. Source: SpiderLabs.
Figure 8. Attack chain leveraging AutoIt used by Core Werewolf. Source: SpiderLabs.
Aside from the sophisticated attacks leveraging malware, DDoS attacks have become a prominent tactic employed by pro-Russian hacktivist groups to disrupt Ukrainian systems, especially government websites. Pro-Russian groups such as KillNet, NoName057(16), Legion, and the Cyber Army of Russia have been at the forefront of DDoS campaigns.
KillNet, one of the most active groups, has targeted Ukrainian government websites, European Union agencies, and NATO members in retaliation for their support of Ukraine. NoName057(16), on the other hand, focuses on political targets, such as Ukrainian and Western media outlets. Legion, a lesser-known group, specializes in targeting Ukrainian banking institutions and logistics providers. The Cyber Army of Russia acts as a loosely affiliated network of hacktivists mobilized through social media apps such as Telegram.
Figure 9. NoName057(16) claims DDoS attacks against Ukrainian entities and their allies. Source: SpiderLabs.
Attacks Against Russian Defense Enterprises – Sticky Werewolf
In the ongoing cyber conflict between Russia and Ukraine, pro-Ukrainian hackers have also developed and deployed innovative tools to advance their objectives. Sticky Werewolf is a pro-Ukrainian group focusing on espionage attacks against government agencies, military groups, and research institutes in Russia and Belarus.
On January 15, 2025, a phishing campaign targeted defense enterprises with emails allegedly sent by the Russian Ministry of Industry and Trade. The communication included two attachments: a decoy document and a malicious archive protected by the password 2025.
Figure 10. A lure document found in phishing emails targeting defense contractors.
The archive contained two documents, one titled “список рассылки.docx” ("mailing list.docx") and another titled “Форма заполнения.pdf.exe” ("Form submission.pdf.exe").
Figure 11. Contents of the password-protected RAR archive.
Trustwave SpiderLabs took a closer look at the payload delivery chain. An interesting technique was implemented in the PowerShell loader used to deliver the second-stage binary. It leveraged Bitbucket and GitHub repositories where payloads were hosted inside benign-looking JPEG images. These images contained special tags indicating the start and end of the Base64-encoded payloads. The loader randomly picks one of the payloads to download, and after decoding, loads it into memory.
Figure 12. Base64-encoded payload hidden inside a JPEG image. Source: SpiderLabs.
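A defender can triage images for this delivery trick without ever running the loader: a well-formed JPEG ends at its EOI marker, and any tagged, Base64-decodable blob after it deserves a closer look. The Python scanner below is an added example, not SpiderLabs’ or the actor’s code; the marker tags and the sample image are assumptions constructed for the example, since the post does not name the real tags.

```python
import base64
import binascii
import re

# Placeholder marker tags: the post says the loader looks for "special tags"
# around each Base64 blob but does not name them, so these are assumptions.
START_TAG = b"<<PAYLOAD>>"
END_TAG = b"<</PAYLOAD>>"
JPEG_SOI = b"\xff\xd8"   # start-of-image marker
JPEG_EOI = b"\xff\xd9"   # end-of-image marker; a clean JPEG ends here
B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def trailing_bytes_after_eoi(data: bytes) -> int:
    """Bytes that follow the last EOI marker. A well-formed JPEG carries none,
    so a large tail is cheap triage evidence of appended data."""
    end = data.rfind(JPEG_EOI)
    return len(data) if end < 0 else len(data) - (end + len(JPEG_EOI))


def find_tagged_payloads(data: bytes, start_tag=START_TAG, end_tag=END_TAG):
    """Locate every start_tag ... end_tag span whose body is valid Base64 and
    describe the decoded blob for a responder, without executing anything."""
    findings, pos = [], 0
    while True:
        s = data.find(start_tag, pos)
        if s < 0:
            break
        e = data.find(end_tag, s + len(start_tag))
        if e < 0:
            break
        pos = e + len(end_tag)
        body = re.sub(rb"\s+", b"", data[s + len(start_tag):e])
        if not body or not B64_RE.fullmatch(body):
            continue
        try:
            blob = base64.b64decode(body, validate=True)
        except binascii.Error:
            continue
        findings.append({
            "offset": s,
            "decoded_len": len(blob),
            "looks_like_pe": blob.startswith(b"MZ"),  # DOS/PE header magic
        })
    return findings


def scan_image(data: bytes) -> dict:
    """Combine both checks; suspicious when anything is appended or tagged."""
    payloads = find_tagged_payloads(data)
    tail = trailing_bytes_after_eoi(data)
    return {"is_jpeg": data.startswith(JPEG_SOI), "trailing_bytes": tail,
            "payloads": payloads, "suspicious": bool(payloads) or tail > 0}


# Constructed sample: a minimal JPEG skeleton with two tagged blobs appended.
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + JPEG_EOI
SAMPLE_JPEG = (CLEAN_JPEG + b"padding"
               + START_TAG + base64.b64encode(b"MZ" + b"\x90" * 64) + END_TAG
               + START_TAG + base64.b64encode(b"second payload") + END_TAG)
```

Pointing `scan_image` at files pulled from a suspicious repository gives a quick list of candidates for sandboxing before anyone decodes them by hand.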
The second-stage payload is essentially an MSIL injector used to maintain persistence and deliver the next stage, the Ozone Loader. Subsequently, the Ozone Loader connects to a predefined command-and-control (C2) server and downloads the Ozone Core module.
Figure 13. MSIL injector code is used for maintaining persistence and injecting the Ozone Loader. Source: SpiderLabs.
Figure 14. Sticky Werewolf attack chain leading to Ozone backdoor infection.
Ozone is a typical remote access trojan (RAT) client, allowing the attacker to remotely control compromised devices, install additional payloads, exfiltrate data, and manipulate files.
The deployment of Ozone by Sticky Werewolf using a multi-stage delivery chain highlights the increasing sophistication of tactics used by pro-Ukrainian hackers to target Russian assets.
In December 2024, CERT-UA reported a sophisticated cyber espionage campaign that targeted Ukrainian military personnel through a fraudulent version of the Army+ application. The operation was attributed to the Russian state-sponsored APT44 (aka Sandworm). Attackers leveraged malicious installers to infect military systems and exfiltrate sensitive data via the Tor network.
The campaign involved creating phishing websites that closely resembled the legitimate Army+ app download page. These websites distributed a trojanized installer which, once executed, provided remote access to compromised systems.
Figure 15. Army+ campaign infection chain. Source: CERT-UA.
The attackers used Nullsoft Scriptable Install System (NSIS), a widely used installer framework, to package the malware, allowing it to bypass basic security detections.
In December 2024, CERT-UA, Ukraine's governmental Computer Emergency Response Team, issued a critical advisory concerning targeted cyberattacks focused on Ukraine's defense forces and enterprises within the defense-industrial complex.
The campaign began with phishing emails sent on December 4, 2024, purportedly from the Ukrainian Union of Industrialists and Entrepreneurs (UUIE). The emails invited recipients to a conference in Kyiv that focused on transitioning Ukraine’s defense products to NATO technical standards. The subject line read: "Attention_Changes_02 - 1 - 437 dated 04.12.2024." These emails contained a malicious hyperlink disguised as an important attachment for conference participation. Clicking the link downloaded a shortcut file named лист_02 - 1 - 437.lnk (translated as "letter_02 - 1 - 437.lnk").
The initial attack chain is similar to the one used by APT28 in late February 2024, which impersonated government entities in multiple countries including Ukraine, Poland, and the US; however, the later stages resemble methods used by Gamaredon and by a pro-Ukrainian group called Core Werewolf, which is known to mimic Gamaredon’s techniques.
Figure 16. Infection mechanism used against the Ukrainian military, leveraging the search-ms protocol and a WebDAV server.
Upon opening the .LNK file hosted on an attacker-controlled WebDAV server, the multi-stage attack chain would execute, leading to the deployment of MESHAGENT, a remote access tool providing attackers with full control over the compromised system.
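The search-ms/WebDAV delivery described here, and in the APT28 campaign earlier in this post, leaves a recognisable trace in process-creation telemetry: the `crumb=location:` parameter of the search-ms URI points at a remote share rather than a local folder. The Python triage function below is an added example, not CERT-UA’s or SpiderLabs’ code; the log format, hostnames and paths are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Matches a search-ms: URI wherever it appears in a log line (e.g. the command
# line of explorer.exe in a process-creation event).
SEARCH_MS_RE = re.compile(r"search-ms:[^\s\"']+", re.IGNORECASE)
WEBDAV_HOST_RE = re.compile(r"^[\\/]{2}[^\\/]+@(ssl|\d+)[\\/]", re.IGNORECASE)


def parse_search_ms(uri: str) -> dict:
    """Split 'search-ms:k1=v1&k2=v2' into a dict, percent-decoding each value."""
    params = {}
    for part in uri.split(":", 1)[1].split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.strip().lower()] = unquote(value)
    return params


def classify_location(crumb: str) -> str:
    """Classify the crumb=location: target as 'local', 'remote-unc',
    'remote-webdav' or 'unknown'."""
    loc = crumb.strip()
    if loc.lower().startswith("location:"):
        loc = loc[len("location:"):]
    if loc.startswith(("\\\\", "//")):
        # \\host@SSL\DavWWWRoot\... is how Windows addresses a WebDAV share.
        if "davwwwroot" in loc.lower() or WEBDAV_HOST_RE.match(loc):
            return "remote-webdav"
        return "remote-unc"
    if re.match(r"^[A-Za-z]:[\\/]", loc):
        return "local"
    return "unknown"


def triage_log_line(line: str) -> list:
    """Return one finding per search-ms URI whose location is remote."""
    findings = []
    for match in SEARCH_MS_RE.finditer(line):
        params = parse_search_ms(match.group(0))
        kind = classify_location(params.get("crumb", ""))
        if kind.startswith("remote"):
            findings.append({"kind": kind, "query": params.get("query"),
                             "displayname": params.get("displayname"),
                             "location": params.get("crumb")})
    return findings


# Constructed sample log lines; hosts and paths are placeholders.
LOG_LINES = [
    # Benign: Explorer searching a local folder.
    'explorer.exe "search-ms:query=budget&crumb=location:C:\\Users\\alice\\Documents&displayname=Documents"',
    # Suspicious: the location is a remote WebDAV share, as in the campaigns above.
    'explorer.exe "search-ms:query=document&crumb=location:\\\\webdav.example.test@SSL\\DavWWWRoot\\docs&displayname=Downloads"',
    # Suspicious: same thing, percent-encoded so naive string matching misses it.
    'explorer.exe "search-ms:query=letter&crumb=location%3A%5C%5C198.51.100.7%40SSL%5CDavWWWRoot&displayname=Attachment"',
]


def triage_all(lines) -> list:
    """Findings across a batch of log lines, tagging each with its line index."""
    return [dict(line=i, **f) for i, line in enumerate(lines) for f in triage_log_line(line)]
```

Because values are percent-decoded before classification, an encoded `crumb` does not slip past the check.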
In April 2024, CERT-UA reported a targeted campaign against Ukrainian defense forces. Attackers distributed a phishing message with .RAR attachments exploiting the CVE-2023-38831 vulnerability. Upon opening the archive, victims running a vulnerable version of WinRAR would be infected with the COOKBOX backdoor. The attack was attributed to a Russia-affiliated group tracked as UAC-0149 or FlyingYeti.
Figure 17. A Signal phishing message containing a RAR attachment. Source: CERT-UA.
Opening the archive with a susceptible version of WinRAR triggers a batch deployment script that installs the COOKBOX backdoor. A PDF lure document is also presented to the user. COOKBOX is a PowerShell script that allows the attacker to load and execute PowerShell cmdlets.
Figure 18. Attack chain used in attacks against Ukraine's Defense Forces.
In February 2024, CERT-UA reported another UAC-0149 campaign targeting the Defense Forces of Ukraine. Attackers again leveraged the Signal messenger app and distributed an XLS document containing a malicious macro among military personnel. The macro’s code was designed to download and launch a multistage downloader, ultimately leading to the installation of the COOKBOX backdoor. CERT-UA assessed that these attacks could have been prevented if security policies had been configured correctly, in particular to block MS Office applications from creating child processes.
Between March and April 2024, Microsoft Threat Intelligence observed that the Turla group was using the Amadey bot malware to deploy its backdoors, namely Tavdig and Kazuar. Turla (aka Secret Blizzard or Venomous Bear) is a Russian state-sponsored hacking group with ties to the Federal Security Service of the Russian Federation (FSB).
Microsoft reported that several of the targeted devices had Microsoft Defender disabled during the initial infection, so the Tavdig and Kazuar implants were only observed weeks or even months after the initial malware deployment.
While Amadey is typically used for deploying cryptocurrency miners and executing broad, financially motivated attacks, Turla used it to gain an initial foothold for its espionage activities. This pivot highlights a growing trend where APT groups leverage existing infrastructure to mask their activities and complicate attribution by blending into the noise of common cyber threats.
In July 2023, CERT-UA reported on Turla’s cyber espionage campaign targeting Ukraine’s Defense Forces with the Kazuar backdoor. Based on the timestamps visible in the phishing emails used, the campaign took place in February 2023.
In 2024, pro-Russian cyber actors intensified their efforts to infiltrate and disrupt Ukraine's military operations and recruitment processes. Employing sophisticated tactics, techniques, and procedures (TTPs), these groups aimed to compromise military communications, gather intelligence, and undermine Ukraine's defense capabilities.
In a recent campaign, the Russian-linked group UNC5812 employed a hybrid strategy combining cyber espionage with influence operations to compromise Ukrainian military recruitment efforts. The group established a Telegram channel named "Civil Defense", purporting to offer free software to Ukrainian military recruits. This channel directed users to a website, civildefense[.]com.ua, which hosted malicious software tailored for both Windows and Android platforms.
Windows users were tricked into downloading malware variants such as SUNSPINNER and PURESTEALER, the latter being a known information-stealing tool.
Meanwhile, Android users were lured into installing an APK file that deployed CRAXSRAT, providing attackers with backdoor access to the infected device.
Figure 19. Posts on the Civil Defense Telegram channel announcing updates to its Android application. Source: SpiderLabs.
Beyond malware distribution, UNC5812 utilized the "Civil Defense" Telegram channel to solicit videos depicting alleged misconduct by Ukrainian territorial recruitment centers. This content was intended to fuel anti-mobilization narratives and discredit the Ukrainian military, thereby undermining recruitment efforts and negatively impacting morale.
These targeted cyber operations underscore the persistent threat posed by pro-Russian actors to Ukraine's military infrastructure and military personnel.
The Joker DPR channel emerged on Telegram in October 2019, rapidly gaining a substantial following. It has been instrumental in spreading pro-Russian narratives, including claims of hacking Ukrainian military systems and exposing sensitive information. The channel's content frequently includes a mockery of Ukrainian military efforts and attempts to undermine the morale of Ukrainian soldiers and their allies.
Figure 20. Joker DPR claims to share a secret report.
Another group, TrackANaziMerc, focuses on identifying and publicizing information about foreign volunteers supporting Ukraine. The channel often shares images and personal details of these individuals, especially emphasizing those purportedly killed in action.
By highlighting such losses, the channel aims to discourage foreign involvement and sow doubt about the effectiveness and safety of supporting Ukraine. These activities are emblematic of modern cyber warfare tactics, where information operations are utilized to achieve strategic objectives without direct military engagement.
Figure 21. The TrackANaziMerc Telegram channel claims that a UK citizen who supported Ukraine died.
The veracity of the content shared by these channels is often questionable. Many of the claims lack independent verification, and some may be entirely fabricated to serve propagandistic purposes. This deliberate spread of potentially false information is designed to erode trust, create confusion, and weaken the resolve of both military personnel and civilian supporters of Ukraine.
The efforts to demoralize enemy forces and their supporters highlight the significance of information control and the potent impact of propaganda in modern conflicts.
APT threat actors can leverage existing malware infections to advance their operations. Capitalizing on existing cybercriminal infrastructure without having to build their own certainly increases operational efficiency and helps conceal identities, as initial intrusions may be misclassified as routine cybercrime. Attacks leveraging messaging apps like Signal or Telegram will likely become more prevalent, as these allow threat actors to bypass email security measures entirely and interact directly with targets.
Organizations in critical sectors like defense should adopt multi-layered security strategies that combine advanced threat detection with proactive threat hunting.
Additionally, fostering collaboration between private cybersecurity firms and government agencies is crucial to identifying and mitigating cyber threats early.
Please join us in the next part of our series.