Sandworm's Ukraine Campaign: Custom Webshell + LotL Persistence
Category: Threat Intelligence / APT
Russia-linked Sandworm (tracked as UAC-0082, UAC-0145, APT44 and Seashell Blizzard) ran a two-month campaign against a major Ukrainian business services company and a week-long attack on a state entity, beginning in late June 2025. What's interesting: the attackers relied mainly on Living-off-the-Land techniques and dual-use tools rather than large-scale malware deployment. The one custom component was Localolive, a webshell previously linked to Sandworm in the BadPilot campaign. Initial access came via webshells planted on publicly accessible servers (most likely through unpatched vulnerabilities), followed by reconnaissance with native commands (whoami, systeminfo, tasklist, net group). The attackers then disabled Windows Defender scanning of the Downloads folder, created scheduled tasks that periodically dumped process memory for credential extraction, and specifically targeted the workstations of two IT staff members to gain deeper access to the network.
CORTEX Protocol Intelligence Assessment
Sandworm's tradecraft shows deep familiarity with native Windows tooling, and illustrates how skilled operators can escalate privileges and exfiltrate data while leaving minimal traces. What's particularly nasty: they used the legitimate MikroTik router management tool winbox64.exe, which CERT-UA had previously observed in April 2024 Sandworm operations that disrupted ICT systems at 20 Ukrainian energy, water and heat supply organizations. The campaign also included suspicious binaries (service.exe, cloud.exe) whose names resemble those of the webshells used elsewhere in the intrusion.
Strategic Intelligence Guidance
- Campaign timeline: late June 2025, two-month duration (business services); one week (state entity)
- Initial access: webshells on public-facing servers, including Localolive custom shell
- Reconnaissance: whoami, systeminfo, tasklist, net group commands
- Persistence and evasion: Windows Defender scanning disabled for the Downloads folder; scheduled tasks running periodic memory dumps via rdrleakdiag.exe for credential extraction
- Dual-use tools: winbox64.exe (MikroTik router management), previously seen in CERT-UA April 2024 report
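The chain summarised above and in the opening paragraph (webshell-spawned shell, discovery-command burst, Defender scanning disabled, rdrleakdiag.exe dumps from a scheduled task, winbox64.exe execution) is straightforward to hunt for in process-creation telemetry. The following detector is an added example written for this page, not code from the source report or from SOC Prime; it runs over a handful of constructed Sysmon/4688-style events. The event field names, the sample events, the web-server parent list, and the rdrleakdiag.exe switches (taken from the LOLBAS description of the tool) are assumptions for illustration.

```python
"""Added detection example: LotL process-creation hunting for the Sandworm chain.

Field names (ts, host, image, parent, cmdline), the sample events and the
rdrleakdiag.exe switch check are assumptions, not data from the source report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands named on the page: whoami, systeminfo, tasklist, net group.
RECON_IMAGES = {"whoami.exe", "systeminfo.exe", "tasklist.exe"}
NET_GROUP_RE = re.compile(r"\bnet(1)?(\.exe)?\s+group\b", re.I)
# Web-server worker processes whose child shells point to a webshell (assumption).
WEB_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "tomcat9.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Defender exclusion / real-time monitoring changes via the Defender PowerShell module.
MP_PREF_RE = re.compile(
    r"(set|add)-mppreference\b.*-(exclusion(path|extension|process)|disablerealtimemonitoring)")
BURST_WINDOW = timedelta(minutes=10)   # distinct recon tools within this window...
BURST_MIN = 3                          # ...before a discovery_burst finding fires


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rules(ev):
    """Yield the names of single-event rules matched by one process-creation event."""
    img, parent, cmd = _basename(ev["image"]), _basename(ev["parent"]), ev["cmdline"].lower()
    if parent in WEB_PARENTS and img in SHELLS:
        yield "webshell_child_process"
    if img == "rdrleakdiag.exe" or "rdrleakdiag" in cmd:
        # rdrleakdiag.exe /p <pid> /o <dir> /fullmemdmp writes a full process dump (LOLBAS).
        if "/fullmemdmp" in cmd or "/p " in cmd:
            yield "rdrleakdiag_memory_dump"
        if img == "schtasks.exe":
            yield "scheduled_task_memory_dump"
    if img in {"powershell.exe", "pwsh.exe"} and MP_PREF_RE.search(cmd):
        yield "defender_exclusion_or_disable"
    if img in {"winbox64.exe", "winbox.exe"}:
        yield "mikrotik_winbox_execution"


def detect(events):
    """Return sorted (ts, host, rule) findings, including per-host discovery bursts."""
    findings, recon_seen, burst_fired = [], defaultdict(list), set()
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        findings.extend((ev["ts"], ev["host"], r) for r in rules(ev))
        img = _basename(ev["image"])
        if img in RECON_IMAGES or NET_GROUP_RE.search(ev["cmdline"]):
            recon_seen[ev["host"]].append((ts, img))
            recent = {i for t, i in recon_seen[ev["host"]] if ts - t <= BURST_WINDOW}
            if len(recent) >= BURST_MIN and ev["host"] not in burst_fired:
                burst_fired.add(ev["host"])   # fire once per host per run
                findings.append((ev["ts"], ev["host"], "discovery_burst"))
    return sorted(findings)


def _ev(ts, host, image, parent, cmdline):
    return {"ts": ts, "host": host, "image": image, "parent": parent, "cmdline": cmdline}


S32 = "C:\\Windows\\System32\\"
# Constructed sample telemetry (not real logs): one web server, one IT workstation.
SAMPLE_EVENTS = [
    _ev("2025-06-30T10:00:00", "SRV-WEB01", S32 + "cmd.exe", S32 + "inetsrv\\w3wp.exe", "cmd.exe /c whoami"),
    _ev("2025-06-30T10:00:01", "SRV-WEB01", S32 + "whoami.exe", S32 + "cmd.exe", "whoami"),
    _ev("2025-06-30T10:00:05", "SRV-WEB01", S32 + "systeminfo.exe", S32 + "cmd.exe", "systeminfo"),
    _ev("2025-06-30T10:00:09", "SRV-WEB01", S32 + "tasklist.exe", S32 + "cmd.exe", "tasklist /v"),
    _ev("2025-06-30T10:00:15", "SRV-WEB01", S32 + "net.exe", S32 + "cmd.exe", 'net group "domain admins" /domain'),
    _ev("2025-06-30T10:05:00", "SRV-WEB01", S32 + "WindowsPowerShell\\v1.0\\powershell.exe", S32 + "cmd.exe",
        "powershell -c Set-MpPreference -ExclusionPath C:\\Users\\admin\\Downloads"),
    _ev("2025-06-30T10:06:00", "SRV-WEB01", S32 + "schtasks.exe", S32 + "cmd.exe",
        'schtasks /create /sc hourly /tn Updater /tr "rdrleakdiag.exe /p 652 /o C:\\Windows\\Temp /fullmemdmp"'),
    _ev("2025-06-30T11:00:00", "SRV-WEB01", S32 + "net.exe", S32 + "cmd.exe", "net use \\\\fs01\\share"),  # benign
    _ev("2025-07-02T09:15:00", "WS-IT02", "C:\\Users\\jdoe\\Downloads\\winbox64.exe", S32 + "explorer.exe", "winbox64.exe"),
    _ev("2025-07-02T09:20:00", "WS-IT02", S32 + "notepad.exe", S32 + "explorer.exe", "notepad.exe"),   # benign
]

if __name__ == "__main__":
    for ts, host, rule in detect(SAMPLE_EVENTS):
        print(f"{ts} {host:10} {rule}")
```

Run stand-alone it prints six findings for the constructed events: the webshell child process, one discovery burst (fired on the third distinct recon tool rather than on every command), the Defender exclusion, the scheduled task and its embedded rdrleakdiag.exe dump, and the winbox64.exe launch; the benign `net use` and notepad.exe events produce nothing. The burst logic keys on distinct tool names inside a window so that a single admin running `whoami` does not trip it, while `net group` is matched on the command line because net.exe is too common to alert on by image alone.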
Intelligence Source: Detect russian Attacks Targeting Ukraine: Hackers Apply the Custom Sandworm-Linked Webshell and Living-off-the-Land Tactics for Persistence | Nov 1, 2025