Russian state-sponsored threat groups significantly stepped up their cyber operations in 2025, using a range of methods to break into targeted systems.
From exploiting remote desktop tools and virtual private networks to manipulating trusted supply chains and deceiving employees through social engineering, these actors have built a dangerous and versatile toolkit for gaining initial access.
The attacks are not random. They are well-planned, persistent campaigns aimed at government bodies, defense organizations, energy infrastructure, and other critical sectors, particularly in Ukraine and across Europe.
Threat actors under designations such as UAC-0002 (Sandworm), UAC-0001 (APT28), UAC-0010 (Gamaredon), and UAC-0190 (Void Blizzard) have each played an active role throughout the year.
Analysts from the National Security and Defense Council of Ukraine said in a report shared with Cyber Security News (CSN) that they identified that in 2025, the volume and complexity of these attacks grew considerably, with CERT-UA recording approximately 5,927 cyber incidents, a 37.4% rise compared to 2024.
The report confirms that RDP exploitation, VPN vulnerabilities, and phishing through platforms like Signal, WhatsApp, and Telegram are among the most common methods used to gain a foothold inside targeted networks.
The consequences of these breaches extend beyond data theft. Several intrusions led to the deployment of destructive wiper malware, ransomware, and long-running espionage tools designed to silently collect and exfiltrate sensitive information.
The scale of this activity signals that these groups operate not just as cybercriminals but as instruments of a broader geopolitical strategy.
In at least one case, attackers used stolen credentials purchased from access brokers on darknet forums to move directly into targeted environments. This approach cuts the time between initial access and active exploitation, bypassing traditional phishing entirely.
RDP, VPN, and Supply Chain as Entry Points
Remote Desktop Protocol remains one of the most abused entry vectors in 2025. Groups including UAC-0238 exploited exposed RDP services to push ransomware variants such as X2anylock, Warlock, and LockBit 3.0 into compromised environments.
VPN appliances were targeted through vulnerabilities including CVE-2025-20333 and CVE-2025-20362, giving attackers a direct tunnel into internal networks.
Supply chain intrusions added another serious layer of risk. Actors targeted software update mechanisms, third-party tools, and IT service providers to plant backdoors where scrutiny is typically lower. Once inside, groups deployed malware families like Remcos RAT, DarkCrystal RAT, XWorm, and Lumma Stealer to maintain persistent access.
Vulnerabilities in widely used platforms were also exploited, including flaws in Roundcube (CVE-2024-42009, CVE-2025-49113), Fortinet appliances (CVE-2024-55591, CVE-2024-21762), and archiving tools like WinRAR and 7-Zip.
Older Microsoft Office flaws (CVE-2017-11882, CVE-2017-0199) that remain unpatched in many organizations were also leveraged, proving legacy vulnerabilities still carry very real consequences.
Payloads arrived through file types including SVG, PNG, LNK, JS, and HTA files, often hosted on legitimate services like Dropbox, Google Drive, and Cloudflare Tunnels to bypass network defenses.
Living off the Land techniques using built-in tools such as PowerShell, certutil, mshta.exe, and rundll32 helped attackers blend into normal system activity and evade detection.
Social Engineering and Phishing Campaigns
Social engineering remained one of the most reliable methods Russian threat groups used to break in during 2025.
Phishing lures were sent through email platforms including Microsoft O365, Roundcube, and Zimbra, as well as messaging apps like Signal, WhatsApp, and Telegram.
Techniques such as ClickFix, fake CAPTCHA prompts, and PowerShell-based execution tricks helped attackers deliver malware without triggering immediate alerts.
OAuth phishing, Device Code phishing targeting Microsoft Teams, and App-Specific Password phishing against Google accounts were observed targeting over a thousand individuals.
QR-code session hijacking through a method called GhostPairing was also deployed, and fake Android APK files spread outside Google Play to infect devices with tools including CamelSpy.
To counter these threats, organizations are advised to enforce multi-factor authentication, adopt Zero Trust architecture, and use Protective DNS to block malicious domains.
Patch management across both new and legacy vulnerabilities is essential, and staff should receive regular training to spot social engineering attempts.
Security teams should restrict RDP access and monitor for unusual use of built-in system tools that attackers frequently repurpose.
Indicators of Compromise (IoCs):-
TypeIndicatorDescriptionCVECVE-2025-20333Cisco ASA/AnyConnect VPN vulnerability used for initial accessCVECVE-2025-20362Cisco ASA/AnyConnect VPN vulnerability used for initial accessCVECVE-2024-42009Roundcube webmail vulnerability exploited by Russian APT groupsCVECVE-2024-37383Roundcube webmail vulnerability exploited in campaignsCVECVE-2025-49113Roundcube webmail vulnerability used in 2025 campaignsCVECVE-2025-48700Roundcube webmail vulnerability exploited in 2025CVECVE-2024-55591Fortinet appliance vulnerability exploited for initial accessCVECVE-2024-21762Fortinet appliance vulnerability exploited for initial accessCVECVE-2025-24472Fortinet appliance vulnerability exploited for initial accessCVECVE-2017-11882Legacy Microsoft Office flaw still actively exploitedCVECVE-2017-0199Legacy Microsoft Office flaw still actively exploitedCVECVE-2025-6218WinRAR vulnerability used by Gamaredon/Sandworm/RomComCVECVE-2025-8088WinRAR vulnerability used by UAC-0180 (RomCom)CVECVE-2025-04117-Zip vulnerability exploited by UAC-0006CVECVE-2024-38213Exploited by Sandworm (UAC-0212)CVECVE-2025-43300Apple iOS/macOS vulnerabilityCVECVE-2025-49844Redis vulnerability (1010 instances targeted)CVECVE-2025-49090Matrix platform vulnerabilityCVECVE-2025-54315Matrix platform vulnerabilityMalwareRemcos RATRemote access trojan used for persistent accessMalwareDarkCrystal RATRemote access trojan deployed post-compromiseMalwareXWormMalware used in multiple Russian-linked campaignsMalwareLumma StealerCredential and data stealer deployed by multiple groupsMalwareLameHugMalware used by UAC-0001 (APT28)MalwareHomeSteelData exfiltration tool targeting Ukrainian organizationsMalwareWreckSteelDestructive/exfiltration malware in 2025 campaignsMalwareFileMessMalware used in Ukrainian-targeted campaignsMalwareGiftedCrookStealer targeting VPN credentials and Telegram dataMalwareCamelSpyAndroid spyware distributed via fake APKsMalwareZEROLOTWiper malware linked to SandwormMalwarePathWiperWiper malware targeting Ukrainian organizationsMalwareStingMalware deployed by Sandworm in 2025MalwareSnake KeyloggerKeylogger deployed in phishing-based campaignsMalwarePicassoLoaderLoader used by UAC-0057 (Ghostwriter)MalwareSmokeLoaderLoader malware used in multiple campaignsMalwareNetSupport RATLegitimate RMM tool abused as malwareMalwarePterodoBackdoor associated with UAC-0010 (Gamaredon)MalwareAgentTeslaCredential-stealing malware used in phishing campaignsMalwareFormBookInfostealer deployed via phishingMalwareRhadamanthysStealer malware distributed in 2025 campaignsMalwareRedLineCredential stealer observed in 2025 campaignsMalwareLokiBotInfostealer deployed via legacy Office exploit chainsMalwareX2anylockRansomware variant pushed via RDP exploitationMalwareWarlockRansomware variant used by UAC-0238TechniqueGhostPairingQR-code based account hijacking techniqueTechniqueClickFixSocial engineering trick used to execute malicious scriptsTechniqueDevice Code PhishingOAuth/device code abuse targeting Microsoft 365ToolCloudflare TunnelsAbused for C2 communication and payload hostingToolTelegramUsed as C2 channel by UAC-0010 and othersToolTelegraphUsed for IP-based C2 routing by UAC-0010
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post Russian Threat Groups Use RDP, VPN, Supply Chain Attacks, and Social Engineering for Initial Access appeared first on Cyber Security News.



