{"id":3452,"date":"2025-11-07T14:12:19","date_gmt":"2025-11-07T14:12:19","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/11\/07\/russian-hacking-group-sandworm-deploys-new-wiper-malware-in-ukraine\/"},"modified":"2025-11-07T14:12:19","modified_gmt":"2025-11-07T14:12:19","slug":"russian-hacking-group-sandworm-deploys-new-wiper-malware-in-ukraine","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/11\/07\/russian-hacking-group-sandworm-deploys-new-wiper-malware-in-ukraine\/","title":{"rendered":"Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-eb3f7b6c-3c83-4f0a-96a9-4ee9d2aa03d6\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>The Russian-backed hacking group Sandworm deployed data wiper malware in Ukraine in the second and third quarters of 2025, according to ESET.<\/p>\n<p>In its <em>APT Activity Report Q2 2025\u2013Q3 2025<\/em>, the Slovakia-based cybersecurity company provided an overview of the activity of advanced persistent threat (APT) groups across the world from April to September 2025.<\/p>\n<p>The report, published on November 6, revealed that Sandworm deployed data wipers, including Zerolot and Sting, against organizations in Ukraine.<\/p>\n<p>Targets included governmental entities and companies in the energy, logistics and grain sectors.<\/p>\n<p>Sandworm, also known as APT44, Telebots, Voodoo Bear, Iridium, Seashell Blizzard and Iron Viking, has been associated with Unit 74455 of Russia\u2019s military intelligence service (GRU) by several cybersecurity companies and government agencies.<\/p>\n<p>ESET assessed that the group\u2019s likely objective in deploying new wipers was to weaken the Ukrainian economy.<\/p>\n<h2><strong>Russian Groups Use Spear Phishing and Backdoors for Cyber Espionage<\/strong><\/h2>\n<p>The ESET report noted that other Russian-aligned 
APT groups kept their focus on Ukraine and on countries with strategic ties to it, while also expanding their operations to European entities.<\/p>\n<p>While Sandworm\u2019s objective appeared to be disrupting Ukrainian organizations, other Russian nation-state groups pursued cyber espionage through a combination of spear phishing campaigns and backdoor implants.<\/p>\n<p>Gamaredon remained the most active APT group targeting Ukraine, with a noticeable increase in the intensity and frequency of its operations during the reporting period.<\/p>\n<p>\u201cThis surge in activity coincided with a rare instance of cooperation between Russia-aligned APT groups, as Gamaredon selectively deployed one of Turla\u2019s backdoors. Gamaredon\u2019s toolset, possibly also spurred by the collaboration, continued to evolve, for example, through the incorporation of new file stealers or tunneling services,\u201d the ESET researchers wrote.<\/p>\n<p>Notably, ESET reported that another Russia-aligned threat actor, InedibleOchotense, conducted a spear phishing campaign impersonating the cybersecurity company itself.<\/p>\n<p>\u201cThis campaign involved emails and Signal messages delivering a trojanized ESET installer that leads to the download of a legitimate ESET product along with the Kalambur backdoor,\u201d the report read.<\/p>\n<p>Some Russian groups expanded their targeting beyond Ukraine.<\/p>\n<p>For instance, RomCom, another of the most active Russian APT groups, exploited a zero-day vulnerability in WinRAR to deploy malicious DLLs and deliver a variety of backdoors, focusing on the financial, manufacturing, defense and logistics sectors in the EU and Canada.<\/p>\n<h2><strong>Overview of Global APT Activity<\/strong><\/h2>\n<p>The ESET report also highlighted China-aligned APTs\u2019 continued focus on geopolitical espionage, targeting Latin America (FamousSparrow), Southeast Asia, the US and Europe (Mustang Panda), Taiwan\u2019s healthcare sector (Flax Typhoon) and 
Central Asia\u2019s energy sector (Speccom).<\/p>\n<p>Meanwhile, the Iran-aligned group MuddyWater escalated its internal spear phishing tactics \u2013 sending targeted malicious emails from compromised inboxes inside the victim organization, so that the lures arrive from a trusted internal sender \u2013 while BladedFeline updated its infrastructure and GalaxyGato deployed an upgraded backdoor and used DLL hijacking for credential theft.<\/p>\n<p>Finally, some North Korea-aligned APTs extended their cryptocurrency heists and espionage operations to Uzbekistan, while several groups from the same country \u2013 DeceptiveDevelopment, Lazarus, Kimsuky and Konni \u2013 were observed targeting South Korean diplomats and academics for both revenue and geopolitical gain.<\/p>\n<\/div>\n<figure id=\"layout-5f6b2c9d-024c-432e-886b-1f8434439bdf\" data-layout-id=\"4\" data-edit-folder-name=\"image\" data-index=\"1\"><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/localimages\/bbdaffbb-b63b-4ecb-a8bc-18eee57e55d8.png\" alt=\"APT attack sources for Q2 and Q3 2025. Source: ESET\"><figcaption>APT attack sources for Q2 and Q3 2025. Source: ESET<\/figcaption><\/figure>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The Russian-backed hacking group Sandworm deployed data wiper malware in Ukraine in the second and third quarters of 2025, according to ESET. In its APT Activity Report Q2 2025\u2013Q3 2025, the Slovakia-based cybersecurity company provided an overview of the activity of advanced persistent threat (APT) groups across the world from April to September 2025. 
The<\/p>\n","protected":false},"author":2,"featured_media":3453,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3452","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3452-caf6bb78-c7dd-4b32-af63-63d3d7fefd35.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3452-caf6bb78-c7dd-4b32-af63-63d3d7fefd35-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3452-caf6bb78-c7dd-4b32-af63-63d3d7fefd35.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3452-caf6bb78-c7dd-4b32-af63-63d3d7fefd35.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3452-caf6bb78-c7dd-4b32-af63-63d3d7fefd35.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3452-caf6bb78-c7dd-4b32-af63-63d3d7fefd35.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3452-caf6bb78-c7dd-4b32-af63-63d3d7fefd35.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3452-caf6bb78-c7dd-4b32-af63-63d3d7fefd35.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3452-caf6bb78-c7dd-4b32-af63-63d3d7fefd35.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3452-caf6bb78-c7dd-4b32-af63-63d3d7fefd35.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3452-caf6bb78-c7dd-4b32-af63-63d3d7fefd35-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" 
rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3452","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3452"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3452\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3453"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3452"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3452"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3452"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}