Russian hackers’ adoption of artificial intelligence (AI) in cyber attacks against Ukraine has reached a new level in the first half of 2025 (H1 2025), the country’s State Service for Special Communications and Information Protection (SSSCIP) said.
“Hackers now employ it not only to generate phishing messages, but some of the malware samples we have analyzed show clear signs of being generated with AI – and attackers are certainly not going to stop there,” the agency said in a report published Wednesday.
SSSCIP said 3,018 cyber incidents were recorded during the time period, up from 2,575 in the second half of 2024 (H2 2024). Local authorities and military entities witnessed an increase in attacks compared to H2 2024, while those targeting government and energy sectors declined.
One notable attack observed involved UAC-0219’s use of malware called WRECKSTEEL in attacks aimed at state administration bodies and critical infrastructure facilities in the country. There is evidence to suggest that the PowerShell data-stealing malware was developed using AI tools.
Some of the other campaigns registered against Ukraine are listed below –
- Phishing campaigns orchestrated by UAC-0218 targeting defense forces to deliver HOMESTEEL using booby-trapped RAR archives
- Phishing campaigns orchestrated by UAC-0226 targeting organizations involved in the development of innovations in the defense industrial sector, local government bodies, military units, and law enforcement agencies to distribute a stealer called GIFTEDCROOK
- Phishing campaigns orchestrated by UAC-0227 targeting local authorities, critical infrastructure facilities, and Territorial Recruitment and Social Support Centers (TRCs and SSCs) that leverage ClickFix-style tactics or SVG file attachments to distribute stealers like Amatera Stealer and Strela Stealer
- Phishing campaigns orchestrated by UAC-0125, a sub-cluster with ties to Sandworm, that sent email messages containing links to a website masquerading as ESET to deliver a C#-based backdoor named Kalambur (aka SUMBUR) under the guise of a threat removal program
SSSCIP said it also observed the Russia-linked APT28 (aka UAC-0001) actors weaponizing cross-site scripting flaws in Roundcube and (CVE-2023-43770, CVE-2024-37383, and CVE-2025-49113) and Zimbra (CVE-2024-27443 and CVE-2025-27915) webmail software to conduct zero-click attacks.
“When exploiting such vulnerabilities, attackers typically injected malicious code that, through the Roundcube or Zimbra API, gained access to credentials, contact lists, and configured filters to forward all emails to attacker-controlled mailboxes,” SSSCIP said.
“Another method of stealing credentials using these vulnerabilities was to create hidden HTML blocks (visibility: hidden) with login and password input fields, where the attribute autocomplete=”on” was set. This allowed the fields to be auto-filled with data stored in the browser, which was then exfiltrated.”
The agency also revealed that Russia continues to engage in hybrid warfare, synchronizing its cyber operations in conjunction with kinetic attacks on the battlefield, with the Sandworm (UAC-0002) group targeting organizations in the energy, defense, internet service providers, and research sectors.
Furthermore, several threat groups targeting Ukraine have resorted to abusing legitimate services, such as Dropbox, Google Drive, OneDrive, Bitbucket, Cloudflare Workers, Telegram, Telegra.ph, Teletype.in, Firebase, ipfs.io, mocky.io, to host malware or phishing pages, or turn them into a data exfiltration channel.
“The use of legitimate online resources for malicious purposes is not a new tactic,” SSSCIP said. “However, the number of such platforms exploited by Russian hackers has been steadily increasing in recent times.”
