The adoption of artificial intelligence (AI) by Russian hackers in cyber attacks against Ukraine has reached a new level in the first half of 2025 (H1 2025), the country’s Special Service for Communications and Information Security (SSSCIP) said.
“Hackers now use it not only to generate phishing messages, but some of the malware samples we analyzed show clear signs of originating with AI – and the attackers are certainly not going to stop there,” the agency said in a report published Wednesday.
SSSCIP said 3,018 cyber incidents were recorded during the period, up from 2,575 in the second half of 2024 (H2 2024). An increase in attacks on local authorities and military entities was observed compared to the second half of 2024, while attacks targeting the government and energy sectors declined.
One notable attack involved the use of malware called WRECKSTEEL by UAC-0219 in attacks on state administration bodies and critical infrastructure in the country. There is evidence that the PowerShell data-stealing malware was developed using AI tools.
Some other operations registered against Ukraine are listed below –
- Phishing campaign run by UAC-0218 targets Defense Forces using booby-trapped RAR archives to distribute HomeSteel
- Phishing campaigns conducted by UAC-0226 target organizations involved in the development of innovations in the defense industrial sector, local government bodies, military units, and law enforcement agencies to distribute a steal called GIFTEDCROOK.
- Phishing campaigns conducted by UAC-0227 target local authorities, critical infrastructure, and Territorial Recruitment and Social Support Centers (TRCs and SSCs), leveraging ClickFix-style tactics or SVG file attachments to distribute stealers such as Amatera Stealer and Strela Stealer.
- A phishing campaign conducted by UAC-0125, a sub-cluster associated with Sandworm, sent email messages containing links to a website masquerading as ESET to distribute a C#-based backdoor named SUMBUR under the guise of a threat removal program.
SSSCIP said it has discovered cross-site scripting flaws in Roundcube (CVE-2023-43770, CVE-2024-37383, and CVE-2025-49113) and Zimbra (CVE-2024-27443) by Russia-linked APT28 (aka UAC-0001) actors. Also saw. CVE-2025-27915) Webmail software to conduct zero-click attacks.
“Exploiting such vulnerabilities, attackers typically inject malicious code via the Roundcube or Zimbra API to gain access to credentials, contact lists, and configure filters to forward all emails to attacker-controlled mailboxes,” SSSCIP said.
“Another way to steal credentials using these vulnerabilities was to create hidden HTML blocks (visibility: hidden) with login and password input fields, where the attribute autocomplete=”on” was set. This allowed the fields to be auto-filled with data stored in the browser, which was then exfiltrated.
The agency also revealed that Russia continues to engage in hybrid warfare, synchronizing its cyber operations with kinetic attacks on the battlefield, with the Sandworm (UAC-0002) group targeting organizations in the energy, defense, Internet service providers, and research sectors.
Additionally, several threat groups targeting Ukraine have exploited legitimate services such as Dropbox, Google Drive, OneDrive, Bitbucket, Cloudflare Workers, Telegram, Telegra.ph, Teletype.in, Firebase, IPFS.io, Moky.io to host malware or phishing pages or turn them into data exfiltration channels. Has been misused.
“The use of legitimate online resources for malicious purposes is not a new tactic,” SSSCIP said. “However, the number of such platforms used by Russian hackers has been steadily increasing in recent days.”
