state-sponsored-espionage, ai-enabled-threat-activity, phishing-campaign-intelligence, credential-stealer-activity

Russian State-Backed Hackers Employ AI-Powered Cyberattacks Against Ukraine

Updated 2d ago | First seen Oct 10, 2025 | 3 sources

Russian state-backed threat actors have increasingly leveraged artificial intelligence to enhance the sophistication and effectiveness of their cyberattacks targeting Ukraine. According to Ukraine's Computer Emergency Response Team (CERT-UA), these hackers have utilized AI not only to craft more convincing phishing messages but also to develop advanced malware, such as the Wrecksteel backdoor associated with the UAC-0219 cyberespionage operation. AI-based PowerShell scripts have been observed as part of these campaigns, enabling more dynamic and adaptive attack techniques.

The attackers have shifted their tactics to favor shorter, high-impact attacks using information-stealing tools and the exploitation of zero-click vulnerabilities, rather than focusing on maintaining long-term persistence within networks. These cyber intrusions are often synchronized with physical missile and drone strikes, amplifying the overall disruption to Ukrainian infrastructure and defenses. CERT-UA has noted a significant increase in both the frequency and complexity of these cyberattacks as the conflict continues.

In July, CERT-UA discovered Russian malware that leveraged large language models (LLMs) to automate various stages of the cyberattack process, including system reconnaissance and data theft. This use of AI allowed attackers to generate commands in real time, making their operations more efficient and harder to detect. The integration of AI into cyber operations has enabled Russian hackers to adapt quickly to Ukraine's increasingly robust cybersecurity measures. The attackers' use of AI extends to automating the entire attack chain, from initial reconnaissance to credential harvesting and even extortion communications. These developments represent a significant escalation in the cyber dimension of the conflict, as AI-driven attacks can operate at machine speed and scale, outpacing traditional defensive measures.

The synchronization of cyber and kinetic attacks demonstrates a coordinated strategy aimed at maximizing disruption and psychological impact. Ukrainian officials have emphasized that despite the increased volume and sophistication of attacks, the primary objectives of the Russian campaign have not been achieved. The ongoing use of AI in cyber operations highlights the evolving nature of modern warfare, where digital and physical domains are increasingly intertwined. The threat posed by AI-powered cyberattacks is not limited to Ukraine, as the techniques and tools developed in this conflict may be adopted by other state and non-state actors in future operations. The rapid advancement of AI capabilities in the hands of threat actors underscores the urgent need for equally advanced AI-assisted cyberdefense strategies. As the conflict persists, the cyber battlefield is expected to remain highly dynamic, with both sides racing to outpace each other's technological innovations.


EVENT TIMELINE

How this story unfolded

3 events from the most recent confirmed update back to the earliest known activity.

Oct 9, 2025 | 9mo ago

CERT-UA describes shift to shorter, theft-focused intrusions

CERT-UA assessed that Russian operators had shifted away from long-term persistence toward shorter intrusions focused on data theft, information-stealing tools, and exploitation of zero-click vulnerabilities. The report also said these cyber operations were being coordinated with missile and drone strikes to maximize disruption.

CERT-UA links AI-assisted malware to UAC-0219's Wrecksteel activity

CERT-UA said it observed AI-based PowerShell scripts in the Wrecksteel backdoor associated with the UAC-0219 cyberespionage operation. The disclosure provided technical detail on how AI was being incorporated into malware used in the campaign.

CERT-UA reports Russian hackers using AI in attacks on Ukraine

Ukraine’s Computer Emergency Response Team (CERT-UA) reported that Russian state-backed threat actors had increased their use of AI-enabled cyberattacks against Ukrainian targets. The agency said AI was being used to improve phishing lures and assist malware development as attackers adapted to Ukraine’s strengthened defenses.

LINKED ENTITIES

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.

8 linked

Threat actors: 1 linked

Malware: 1 linked

Organizations: 6 linked (Check Point Software Technologies, Anthropic, Recorded Future, cert_ua_national, The Record, Google)