Russian Hackers Intensify AI-Based Cyber Warfare in Ukraine

In the first half of 2025, Russian-linked hackers significantly increased their cyber activities against Ukraine, using artificial intelligence for both phishing and malware creation. This finding was confirmed by Ukraine’s State Service for Special Communications and Information Protection (SSSCIP).
Between January and June 2025, authorities recorded 3,018 cyber incidents, compared with 2,575 in the latter half of 2024. Some sectors witnessed sharper rises, particularly local and military bodies, while attacks on central government and the energy sector showed a slight decline.
A key incident highlighted by SSSCIP involved a malware named WRECKSTEEL, attributed to the hacker cluster UAC-0219. This malware displayed clear signs of being developed with AI tools, especially PowerShell-based scripts that appeared to be generated or refined through advanced generative methods. The agency cautioned that attackers would continue advancing these techniques, setting a new level of sophistication in digital warfare.
Phishing Campaigns Evolve, Malware Grows Smarter
In addition to WRECKSTEEL, several large-scale phishing campaigns were detected, each with distinct targets and delivery mechanisms.
UAC-0218 focused on Ukrainian defense forces, sending harmful RAR attachments designed to distribute a stealer known as HOMESTEEL.
UAC-0226 targeted innovation agencies, local governments, military units, and law enforcement organizations. The malicious payload in these attacks was GIFTEDCROOK, a powerful data-stealing tool.
UAC-0227 concentrated on local councils, critical infrastructure, and social support centers. These attacks used deceptive click-bait messages or SVG attachments that deployed stealers like Amatera Stealer and Strela Stealer.
UAC-0125, associated with the Sandworm group, posed as the legitimate antivirus vendor ESET in phishing emails. The emails delivered a C# backdoor called Kalambur, also known as SUMBUR.
These operations reflect two major patterns: hackers continue to refine traditional phishing techniques while experimenting with AI-assisted malware creation.
Zero-Click Exploits and Webmail Intrusions
Another concerning development was the use of zero-click vulnerabilities in webmail systems such as Roundcube and Zimbra. Hackers exploited flaws like CVE-2023-43770 and CVE-2025-27915, injecting malicious code through webmail APIs. This granted them access to user credentials, contact information, and email forwarding rules without any user interaction.
In certain instances, attackers used hidden HTML form fields with autocomplete attributes set, so that the victim's browser filled in saved login data that the attackers could then capture. These intrusions demonstrated a move toward attacks that require no user engagement, making them harder to detect and prevent.
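A defender-side check for the hidden-autofill trick described above, as an added example that is not part of the SSSCIP report or this article: it parses an inbound HTML mail body and flags input fields that request browser-saved credentials through their autocomplete attribute while being concealed by CSS or attributes. The sample mail body, its field names and the `example.invalid` URL are constructed for the demonstration.

```python
from html.parser import HTMLParser
import re

# autocomplete tokens that make a browser offer saved credentials for a field
CREDENTIAL_AUTOCOMPLETE = {"username", "current-password", "new-password", "email"}

# inline-style fragments that make an input invisible to the reader
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])|"
    r"(left|top)\s*:\s*-\d{3,}px|(width|height)\s*:\s*0(px)?\s*(;|$)", re.I)

def is_concealed(attrs: dict) -> bool:
    """True if the input would not be visible to a person reading the mail."""
    if attrs.get("type", "").lower() == "hidden" or "hidden" in attrs:
        return True
    return bool(HIDDEN_STYLE.search(attrs.get("style", "")))

class AutofillProbeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v if v is not None else "") for k, v in attrs}  # boolean attrs -> ""
        tokens = set(a.get("autocomplete", "").lower().split())
        wants_credential = bool(tokens & CREDENTIAL_AUTOCOMPLETE) or a.get("type", "").lower() == "password"
        if wants_credential and is_concealed(a):
            self.findings.append({"name": a.get("name") or a.get("id") or "?",
                                  "autocomplete": " ".join(sorted(tokens)),
                                  "style": a.get("style", "")})

def scan_html(body: str) -> list:
    """Return one finding per concealed credential-autofill field in an HTML body."""
    scanner = AutofillProbeScanner()
    scanner.feed(body)
    return scanner.findings

# constructed sample: a "confirm subscription" mail with two concealed credential fields
SAMPLE_MAIL = """<form action="https://example.invalid/confirm">
  <input type="email" name="e" autocomplete="email" style="position:absolute; left:-9999px">
  <input type="password" name="p" autocomplete="current-password" style="display:none">
  <input type="text" name="code" placeholder="Confirmation code">
  <input type="submit" value="Confirm">
</form>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_MAIL):
        print("concealed credential field:", f)
```

A visible password field on a genuine login form is not flagged; only the combination of a credential-requesting autocomplete (or password type) with concealment triggers a finding.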
Hybrid Warfare: Cyber Meets Kinetic Strikes
The SSSCIP’s assessment also emphasized that Russia continues to coordinate cyber operations with traditional military actions. The Sandworm (UAC-0002) group remains highly active, targeting the energy sector, defense units, internet service providers, and research institutions.
Hackers frequently used legitimate platforms such as Dropbox, Google Drive, OneDrive, Telegram, and Cloudflare Workers to host malware or phishing infrastructure. These services also served as channels for data exfiltration. By operating through trusted platforms, attackers reduced their visibility and made tracking significantly more complex.
Implications for the Future
The latest data marks a turning point in Ukraine’s cyber defense landscape. Attackers are shifting from brute-force methods to more adaptive, AI-enabled strategies. They are embedding AI into phishing and malware creation, exploiting zero-click vulnerabilities to bypass human oversight, and concealing their activities within legitimate digital ecosystems.
Ukraine faces adversaries that operate with greater speed, intelligence, and unpredictability. To respond effectively, defenders must enhance detection capabilities, strengthen email security, monitor code generated with AI tools, and minimize the exposure of trusted platforms to exploitation.
The nature of warfare is changing. The frontlines have extended from physical battlefields to digital spaces, where AI, automation, and deception play decisive roles. Ukraine and its allies must evolve just as rapidly to secure their digital borders and stay ahead in this new era of conflict.