Russian Cyberattacks on Ukraine Employing AI-Generated Malware and Phishing

Updated 2 days ago. First seen Oct 9, 2025. 4 sources.

Russian cyber operations targeting Ukraine have escalated in sophistication, with Ukrainian authorities reporting a significant increase in the use of artificial intelligence (AI) by Russian threat actors in the first half of 2025. According to Ukraine’s State Service for Special Communications and Information Protection (SSSCIP) and the Computer Emergency Response Team of Ukraine (CERT-UA), over 3,000 cyber incidents were recorded during this period, marking a 20% rise compared to the same timeframe in the previous year. The adoption of AI has enabled Russian hackers to automate the creation of phishing messages and, more notably, to generate malicious code, including PowerShell-based malware. One prominent example is the WRECKSTEEL malware, attributed to the cyberespionage group UAC-0219, which was reportedly developed using AI tools and deployed against state administration bodies and critical infrastructure. Other Russian groups, such as UAC-0218, UAC-0226, and UAC-0227, have orchestrated phishing campaigns targeting Ukraine’s defense forces, local authorities, and organizations involved in defense innovation, using AI to craft convincing lures and deliver various stealer malware families like HOMESTEEL, GIFTEDCROOK, Amatera Stealer, and Strela Stealer. CERT-UA’s analysis indicates that as traditional phishing becomes less effective due to improved user awareness and defensive measures, Russian actors are shifting toward more transient, high-velocity attacks, described as the “Steal & Go” model, where data is exfiltrated quickly before infrastructure is taken down. The increased use of AI is also a response to Ukraine’s enhanced detection capabilities and international cooperation with cloud providers, which have forced attackers to reduce dwell time and adapt their tactics. 
Despite the rise in overall incidents, the number of high-impact attacks has declined, suggesting that Ukraine’s cyber defenses are becoming more effective at mitigating the most damaging threats. The Ukrainian government warns that the integration of AI into Russian cyber operations represents a new level of threat, with attackers likely to continue innovating in both malware development and social engineering. The ongoing cyber conflict underscores the importance of continuous improvement in defensive technologies and international collaboration to counter rapidly evolving adversarial tactics. Ukrainian authorities emphasize vigilance, as the use of AI in cyberattacks is expected to expand further, potentially enabling more sophisticated and harder-to-detect campaigns. The focus on targeting military, governmental, and critical infrastructure entities highlights the strategic intent behind these operations, aiming to disrupt Ukraine’s defense and administrative capabilities. The shift in Russian tactics also reflects broader trends in cyber warfare, where automation and AI are increasingly leveraged to overcome improved security postures. Ukrainian agencies continue to monitor and analyze these developments, sharing intelligence with partners to bolster collective resilience. The reports from SSSCIP and CERT-UA serve as a warning to other nations about the accelerating integration of AI into state-sponsored cyber operations. The Ukrainian experience demonstrates both the challenges and the necessity of adapting to adversaries who rapidly incorporate emerging technologies into their attack methodologies. As the conflict persists, the cyber domain remains a critical front, with AI-driven threats poised to play an ever-larger role in shaping the security landscape.

EVENT TIMELINE

How this story unfolded: 8 events, from the most recent confirmed update back to the earliest known activity.

Dec 31, 2025 (6 months ago)

CERT-UA reports H2 2025 decline in incidents and shift to re-compromise tactics

In the second half of 2025, CERT-UA said cyber incidents targeting Ukraine declined for the first time since Russia's full-scale invasion began, attributing the drop to stronger Ukrainian defenses. The same assessment said Russian actors increasingly tried to re-compromise previously breached environments for follow-on espionage and relied more on social engineering for initial access, including activity linked to APT28 and Void Blizzard.

Source: Evolving Russian cyberattacks against Ukraine detailed (brief, SC Media)

Oct 8, 2025 (9 months ago)

SSSCIP/CERT-UA publishes assessment on AI-driven Russian cyber tactics

In early October 2025, Ukrainian cyber authorities publicly released an assessment summarizing H1 2025 activity, warning that Russian hackers are increasingly using AI, zero-click exploitation, and legitimate cloud services in attacks against Ukraine. The report also said some campaigns extended beyond Ukraine to target European Union countries.

Jun 30, 2025 (1 year ago)

Ukraine says Sandworm cyber operations remain tied to kinetic strikes

Ukrainian authorities reported in H1 2025 that some Russian cyber operations, particularly those linked to Sandworm, continued to be synchronized with missile and drone attacks. The assessment highlighted the ongoing hybrid nature of Russian operations combining cyber and military activity.

APT28 conducts zero-click webmail attacks via Roundcube and Zimbra XSS

In the first half of 2025, APT28 was observed exploiting XSS flaws in Roundcube and Zimbra to carry out zero-click attacks that stole credentials and exfiltrated email data. Ukrainian reporting also noted renewed activity against Roundcube, including exploitation tied to CVE-2023-43770.

Multiple UAC clusters run phishing campaigns with stealers and backdoors

In H1 2025, Ukrainian defenders documented campaigns by clusters including UAC-0218, UAC-0226, and UAC-0227 delivering malware such as HOMESTEEL, GIFTEDCROOK, Amatera Stealer, Strela Stealer, and the Kalambur/SUMBUR backdoor. These operations were part of a broader Russian shift toward credential theft and rapid data exfiltration.

UAC-0219 deploys WRECKSTEEL with suspected AI-generated code

During H1 2025, UAC-0219 targeted Ukrainian state administration bodies and critical infrastructure with the PowerShell data-stealing malware WRECKSTEEL. Ukrainian officials said some observed scripts appeared to have been generated or assisted by AI.

Russian actors expand AI use in cyber operations against Ukraine

In the first half of 2025, Ukrainian authorities observed Russia-linked threat actors increasingly using AI to craft phishing lures, automate operations, and in some cases assist malware development. The trend reflected a shift toward shorter, more adaptive campaigns as older tactics became less effective against Ukrainian defenses.

Russian cyber incidents against Ukraine rise in H1 2025

Ukraine’s State Service for Special Communications and Information Protection recorded 3,018 cyber incidents in the first half of 2025, up from 2,575 in the second half of 2024. The increase was accompanied by heavier targeting of local authorities and military entities and reduced focus on some government and energy targets.

LINKED ENTITIES

Related entities: vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story (40 linked).

Affected products (7 linked): Roundcube Webmail, PowerShell, Telegram, Bitbucket, OneDrive, Dropbox, Google Drive

Organizations (17 linked): UAC-0218, UAC-0226, UAC-0227, UAC-0219, Russia, Zimbra, Roundcube, APT28, Ukr.net, Recorded Future, The Kyiv Post, State Service of Special Communications and Information Protection of Ukraine, Telegram, cert_ua_national, The Kyiv Independent, Forbes Ukraine, Sifted