From Phishing to Malware: AI Becomes Russia's New Cyber Weapon in War on Ukraine - The Hacker News

From Phishing to Malware: AI Becomes Russia's New Cyber Weapon in War on Ukraine Ravie LakshmananOct 09, 2025Artificial Intelligence / Malware Russian hackers' adoption of artificial intelligence (AI) in cyber attacks against Ukraine has reached a new level in the first half of 2025 (H1 2025), the country's State Service for Special Communications and Information Protection (SSSCIP) said. "Hackers now employ it not only to generate phishing messages, but some of the malware samples we have analyzed show clear signs of being generated with AI – and attackers are certainly not going to stop there," the agency said in a report published Wednesday. SSSCIP said 3,018 cyber incidents were recorded during the time period, up from 2,575 in the second half of 2024 (H2 2024). Local authorities and military entities witnessed an increase in attacks compared to H2 2024, while those targeting government and energy sectors declined. One notable attack observed involved UAC-0219's use of malware called WRECKSTEEL in attacks aimed at state administration bodies and critical infrastructure facilities in the country. There is evidence to suggest that the PowerShell data-stealing malware was developed using AI tools. Some of the other campaigns registered against Ukraine are listed below - Phishing campaigns orchestrated by UAC-0218 targeting defense forces to deliver HOMESTEEL using booby-trapped RAR archives  Phishing campaigns orchestrated by UAC-0226 targeting organizations involved in the development of innovations in the defense industrial sector, local government bodies, military units, and law enforcement agencies to distribute a stealer called GIFTEDCROOK Phishing campaigns orchestrated by UAC-0227 targeting local authorities, critical infrastructure facilities, and Territorial Recruitment and Social Support Centers (TRCs and SSCs) that leverage ClickFix-style tactics or SVG file attachments to distribute stealers like Amatera Stealer and Strela Stealer Phishing campaigns orchestrated by UAC-0125, a sub-cluster with ties to Sandworm, that sent email messages containing links to a website masquerading as ESET to deliver a C#-based backdoor named Kalambur (aka SUMBUR) under the guise of a threat removal program SSSCIP said it also observed the Russia-linked APT28 (aka UAC-0001) actors weaponizing cross-site scripting flaws in Roundcube and (CVE-2023-43770, CVE-2024-37383, and CVE-2025-49113) and Zimbra (CVE-2024-27443 and CVE-2025-27915) webmail software to conduct zero-click attacks. "When exploiting such vulnerabilities, attackers typically injected malicious code that, through the Roundcube or Zimbra API, gained access to credentials, contact lists, and configured filters to forward all emails to attacker-controlled mailboxes," SSSCIP said. "Another method of stealing credentials using these vulnerabilities was to create hidden HTML blocks (visibility: hidden) with login and password input fields, where the attribute autocomplete='on' was set. This allowed the fields to be auto-filled with data stored in the browser, which was then exfiltrated." The agency also revealed that Russia continues to engage in hybrid warfare, synchronizing its cyber operations in conjunction with kinetic attacks on the battlefield, with the Sandworm (UAC-0002) group targeting organizations in the energy, defense, internet service providers, and research sectors. Furthermore, several threat groups targeting Ukraine have resorted to abusing legitimate services, such as Dropbox, Google Drive, OneDrive, Bitbucket, Cloudflare Workers, Telegram, Telegra.ph, Teletype.in, Firebase, ipfs.io, mocky.io, to host malware or phishing pages, or turn them into a data exfiltration channel. "The use of legitimate online resources for malicious purposes is not a new tactic," SSSCIP said. "However, the number of such platforms exploited by Russian hackers has been steadily increasing in recent times." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  APT28, artificial intelligence, critical infrastructure, cybersecurity, data breach, Malware, Phishing, Sandworm Trending News Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks Load More ▼ Popular Resources [Guide] Learn How to Govern AI Agents With Proven Market Guidance [Demo] Discover SaaS Risks and Monitor Every App in Your Environment SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats Detect AI-Driven Threats Faster With Full Network Visibility