Russian Cyberattacks on Ukraine Employing AI-Generated Malware and Phishing
Russian cyber operations targeting Ukraine have escalated in sophistication, with Ukrainian authorities reporting a significant increase in the use of artificial intelligence (AI) by Russian threat actors in the first half of 2025. According to Ukraine’s State Service for Special Communications and Information Protection (SSSCIP) and the Computer Emergency Response Team of Ukraine (CERT-UA), over 3,000 cyber incidents were recorded during this period, marking a 20% rise compared to the same timeframe in the previous year. The adoption of AI has enabled Russian hackers to automate the creation of phishing messages and, more notably, to generate malicious code, including PowerShell-based malware. One prominent example is the WRECKSTEEL malware, attributed to the cyberespionage group UAC-0219, which was reportedly developed using AI tools and deployed against state administration bodies and critical infrastructure. Other Russian groups, such as UAC-0218, UAC-0226, and UAC-0227, have orchestrated phishing campaigns targeting Ukraine’s defense forces, local authorities, and organizations involved in defense innovation, using AI to craft convincing lures and deliver various stealer malware families like HOMESTEEL, GIFTEDCROOK, Amatera Stealer, and Strela Stealer. CERT-UA’s analysis indicates that as traditional phishing becomes less effective due to improved user awareness and defensive measures, Russian actors are shifting toward more transient, high-velocity attacks, described as the “Steal & Go” model, where data is exfiltrated quickly before infrastructure is taken down. The increased use of AI is also a response to Ukraine’s enhanced detection capabilities and international cooperation with cloud providers, which have forced attackers to reduce dwell time and adapt their tactics. 
Despite the rise in overall incidents, the number of high-impact attacks declined, suggesting that Ukraine's cyber defenses are becoming more effective at mitigating the most damaging threats. The Ukrainian government warns that the integration of AI into Russian cyber operations represents a new level of threat: attackers are likely to continue innovating in both malware development and social engineering, and the use of AI in attacks is expected to expand further, potentially enabling more sophisticated and harder-to-detect campaigns. The ongoing conflict underscores the need for continuous improvement in defensive technologies and for international collaboration to counter rapidly evolving adversarial tactics. The focus on military, governmental, and critical infrastructure targets points to the strategic intent behind these operations, namely disrupting Ukraine's defense and administrative capabilities. The shift in Russian tactics also reflects a broader trend in cyber warfare, where automation and AI are increasingly used to overcome improved security postures. Ukrainian agencies continue to monitor and analyze these developments and share intelligence with partners to bolster collective resilience. The SSSCIP and CERT-UA reports serve as a warning to other nations about the accelerating integration of AI into state-sponsored cyber operations, and the Ukrainian experience demonstrates both the difficulty and the necessity of adapting to adversaries who rapidly incorporate emerging technologies into their attack methodologies. As the conflict persists, the cyber domain remains a critical front, with AI-driven threats poised to play an ever-larger role in shaping the security landscape.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
CERT-UA reports H2 2025 decline in incidents and shift to re-compromise tactics
In the second half of 2025, CERT-UA said cyber incidents targeting Ukraine declined for the first time since Russia's full-scale invasion began, attributing the drop to stronger Ukrainian defenses. The same assessment said Russian actors increasingly tried to re-compromise previously breached environments for follow-on espionage and relied more on social engineering for initial access, including activity linked to APT28 and Void Blizzard.
SSSCIP/CERT-UA publishes assessment on AI-driven Russian cyber tactics
In early October 2025, Ukrainian cyber authorities publicly released an assessment summarizing H1 2025 activity, warning that Russian hackers are increasingly using AI, zero-click exploitation, and legitimate cloud services in attacks against Ukraine. The report also said some campaigns extended beyond Ukraine to target European Union countries.
Ukraine says Sandworm cyber operations remain tied to kinetic strikes
Ukrainian authorities reported in H1 2025 that some Russian cyber operations, particularly those linked to Sandworm, continued to be synchronized with missile and drone attacks. The assessment highlighted the ongoing hybrid nature of Russian operations combining cyber and military activity.
APT28 conducts zero-click webmail attacks via Roundcube and Zimbra XSS
In the first half of 2025, APT28 was observed exploiting XSS flaws in Roundcube and Zimbra to carry out zero-click attacks that stole credentials and exfiltrated email data. Ukrainian reporting also noted renewed activity against Roundcube, including exploitation tied to CVE-2023-43770.
Multiple UAC clusters run phishing campaigns with stealers and backdoors
In H1 2025, Ukrainian defenders documented campaigns by clusters including UAC-0218, UAC-0226, and UAC-0227 delivering malware such as HOMESTEEL, GIFTEDCROOK, Amatera Stealer, Strela Stealer, and the Kalambur/SUMBUR backdoor. These operations were part of a broader Russian shift toward credential theft and rapid data exfiltration.
UAC-0219 deploys WRECKSTEEL with suspected AI-generated code
During H1 2025, UAC-0219 targeted Ukrainian state administration bodies and critical infrastructure with the PowerShell data-stealing malware WRECKSTEEL. Ukrainian officials said some observed scripts appeared to have been generated or assisted by AI.
Russian actors expand AI use in cyber operations against Ukraine
In the first half of 2025, Ukrainian authorities observed Russia-linked threat actors increasingly using AI to craft phishing lures, automate operations, and in some cases assist malware development. The trend reflected a shift toward shorter, more adaptive campaigns as older tactics became less effective against Ukrainian defenses.
Russian cyber incidents against Ukraine rise in H1 2025
Ukraine’s State Service for Special Communications and Information Protection recorded 3,018 cyber incidents in the first half of 2025, up from 2,575 in the second half of 2024. The increase was accompanied by heavier targeting of local authorities and military entities and reduced focus on some government and energy targets.
Sources
Evolving Russian cyberattacks against Ukraine detailed | brief | SC Media (scworld.com)
Ukraine sees surge in AI-Powered cyberattacks by Russia-linked Threat Actors (securityaffairs.com)
From Phishing to Malware: AI Becomes Russia's New Cyber Weapon in War on Ukraine (thehackernews.com)
Russian hackers turn to AI as old tactics fail, Ukrainian CERT says (therecord.media)