Russian-linked hackers have carried out cyberattacks on Ukrainian organizations using stealthy living-off-the-land (LotL) techniques, according to a new report by Symantec and Carbon Black.
The hackers targeted a large business services firm for two months and a local government agency for one week, aiming to steal sensitive data and maintain long-term access to their systems.
The report mentions the use of the LocalOlive web shell, previously linked to Russia’s Sandworm group, though no direct connection has been proven. Once inside, the hackers performed reconnaissance and memory dumps, made RDP modifications, and deployed PowerShell backdoors.
Symantec said the attackers showed deep knowledge of Windows internals and demonstrated how skilled actors can steal credentials and data while leaving minimal traces.
The disclosure comes amid continued Russian cyber operations against Ukraine, including the Gamaredon group’s exploitation of a WinRAR vulnerability (CVE-2025-8088) to deliver hidden malware.
Analysts note that the Russian cyber ecosystem is evolving, with closer ties between cybercriminals and state intelligence, as the Kremlin balances control, recruitment, and plausible deniability.






