Ukraine Under Cyber Siege: CERT-UA Uncovers State-Targeted Malware Attacks
The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a high-alert warning after identifying a series of sophisticated cyberattacks targeting government entities and critical infrastructure across the country. At least three major attacks have been recorded, with threat actors aiming to exfiltrate confidential data using a malware strain dubbed WRECKSTEEL.
⚠️ WRECKSTEEL Malware: How It Works
The campaign leverages compromised email accounts to launch phishing attacks. These emails trick recipients by embedding links—often hidden inside PDF files—that direct users to legitimate file-hosting services like DropMeFiles and Google Drive. The bait? Fake notifications claiming a Ukrainian government agency is planning salary cuts, urging users to check a document listing affected employees.
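The lure described above works because a PDF can carry a clickable link annotation (a `/URI` action) that most readers do not inspect. An email gateway or triage script can pull those targets out before a user ever opens the file. The following added example, written for this article and not CERT-UA's or any vendor's code, scans a PDF's raw object syntax for `/URI` actions and flags targets on file-sharing hosts; the host list and the embedded sample PDF are constructed for the example, and the scan deliberately reports when compressed object streams could be hiding further links that a raw scan cannot see.

```python
import re
from urllib.parse import urlsplit

# Hosts the article names as the lure's landing pages. This is an assumed,
# example-only list; a real deployment would maintain its own.
FILE_SHARING_HOSTS = {"dropmefiles.com", "drive.google.com"}

# Minimal hand-written PDF with two link annotations, one pointing at a
# file-sharing service and one at an ordinary site. Constructed for this
# example: the xref table is omitted because we only scan object syntax.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://dropmefiles.com/EXAMPLE-ID) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 620]
   /A << /S /URI /URI (https://example.gov.ua/contact) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A /URI action's target is a PDF literal string: parenthesised, with
# backslash escapes allowed inside. The group captures the escaped body.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes):
    """Return the target of every /URI action visible in uncompressed object syntax."""
    uris = []
    for match in URI_RE.finditer(pdf_bytes):
        body = match.group(1)
        # Undo the escapes a PDF writer uses inside literal strings.
        body = body.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(body.decode("latin-1"))
    return uris


def needs_decompression(pdf_bytes):
    """True when objects may sit inside compressed streams, so a raw scan is incomplete.

    Annotations inside an object stream (/ObjStm) or a Flate-encoded stream are
    invisible to a byte-level regex; such files should be inflated first."""
    return b"/ObjStm" in pdf_bytes or b"/FlateDecode" in pdf_bytes


def on_file_sharing_host(uri):
    """True if the URI's host is, or is a subdomain of, a listed file-sharing host."""
    host = (urlsplit(uri).hostname or "").lower()
    return host in FILE_SHARING_HOSTS or any(host.endswith("." + h) for h in FILE_SHARING_HOSTS)


def scan_pdf(pdf_bytes):
    """Summarise the links in a PDF and which of them point at file-sharing services."""
    uris = extract_uris(pdf_bytes)
    return {
        "uris": uris,
        "flagged": [u for u in uris if on_file_sharing_host(u)],
        "needs_decompression": needs_decompression(pdf_bytes),
    }


if __name__ == "__main__":
    result = scan_pdf(SAMPLE_PDF)
    for uri in result["uris"]:
        print(("FLAG " if uri in result["flagged"] else "ok   ") + uri)
    if result["needs_decompression"]:
        print("warning: compressed streams present, raw scan may have missed links")
```

A flagged link is not proof of malice on its own: legitimate documents link to Google Drive all the time. The value of the check is that it surfaces the combination the article describes (an unsolicited PDF whose only link goes to a file-hosting service) so a human or a downstream rule can weigh it, and that it says plainly when the file's structure put part of the content out of reach.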
Clicking the link initiates the download of a Visual Basic Script (VBS) loader, which then executes a PowerShell script. This script is designed to:
- Harvest files matching specific file extensions
- Capture screenshots of infected systems
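The chain CERT-UA describes (a VBS loader started from a download, which in turn runs PowerShell) leaves a distinctive parent-child trace in process-creation telemetry, and that trace is where endpoint monitoring can catch it regardless of what the PowerShell script goes on to do. The following added example is not CERT-UA's code or WRECKSTEEL's; it runs a simple detection over constructed Sysmon-style process-creation events (Event ID 1, serialised as JSON lines the way a log forwarder might emit them), flags any PowerShell process whose parent is a Windows script host, and scores the child's command line for switches that interactive use rarely combines. The event records, the switch list and the scoring weights are all assumptions made for the example.

```python
import json
import ntpath
import re

# Constructed Sysmon-style process-creation events. Sample records written for
# this example only; they are not telemetry from the CERT-UA incident.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessGuid": "{A1}", "ParentProcessGuid": "{00}", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""}
{"EventID": 1, "ProcessGuid": "{A2}", "ParentProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "CommandLine": "\"C:\\Windows\\System32\\wscript.exe\" \"C:\\Users\\alice\\Downloads\\salary_list.vbs\""}
{"EventID": 1, "ProcessGuid": "{A3}", "ParentProcessGuid": "{A2}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\Users\\alice\\AppData\\Local\\Temp\\upd.ps1"}
{"EventID": 1, "ProcessGuid": "{B1}", "ParentProcessGuid": "{00}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -Command Get-Service"}
{"EventID": 1, "ProcessGuid": "{C1}", "ParentProcessGuid": "{00}", "Image": "C:\\Windows\\System32\\cscript.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cscript.exe //nologo \\\\corp\\netlogon\\mapdrives.vbs"}
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line switches that legitimate interactive use rarely combines. Each
# match adds to the finding's score; none is a verdict on its own.
SUSPICIOUS_SWITCHES = {
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no-profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "bypass-policy": re.compile(r"-e(?:xecutionpolicy|p)?\s+bypass", re.I),
    "encoded-command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "temp-script": re.compile(r"\\(?:temp|appdata)\\\S*\.ps1", re.I),
}


def parse_events(text):
    """Decode JSON-lines process-creation events into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_script_to_powershell(events):
    """Flag PowerShell processes whose parent is a Windows script host.

    Returns one finding per suspicious child. The parent's command line is
    attached so an analyst can see which script file started the chain."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for event in events:
        child = ntpath.basename(event["Image"]).lower()
        parent = ntpath.basename(event["ParentImage"]).lower()
        if child not in POWERSHELL or parent not in SCRIPT_HOSTS:
            continue
        cmd = event.get("CommandLine", "")
        flags = sorted(name for name, rx in SUSPICIOUS_SWITCHES.items() if rx.search(cmd))
        parent_event = by_guid.get(event.get("ParentProcessGuid"), {})
        findings.append({
            "process_guid": event["ProcessGuid"],
            "parent": parent,
            "script": parent_event.get("CommandLine", "<parent event not seen>"),
            "command_line": cmd,
            "flags": flags,
            # Base score for the script-host-to-PowerShell chain itself,
            # plus one point per suspicious switch (example weights).
            "score": 5 + len(flags),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_script_to_powershell(parse_events(SAMPLE_EVENTS)):
        print(f"[score {finding['score']}] {finding['parent']} -> powershell")
        print(f"  script : {finding['script']}")
        print(f"  cmdline: {finding['command_line']}")
        print(f"  flags  : {', '.join(finding['flags'])}")
```

Two of the five sample events are benign on purpose: an administrator's interactive `powershell.exe -Command Get-Service` under Explorer, and a logon script run by `cscript.exe` that spawns nothing. Neither produces a finding, which is the point of keying the rule on the parent-child relationship first and only then on the switches; a rule on `-WindowStyle Hidden` alone would fire on plenty of legitimate scheduled tasks.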
CERT-UA has officially labeled the malicious components as part of the WRECKSTEEL malware family.
Who’s Behind the Attacks?
The ongoing campaign is attributed to a threat actor known as UAC-0219, active since at least Fall 2024. Earlier variants of the malware combined:
- Executable (.EXE) binaries
- VBS-based stealers
- A legitimate image-editing software, IrfanView, used to camouflage malicious activity
While no specific nation-state has been officially linked to these attacks, they appear to align with broader geopolitical cyber threats in the region.
Parallel Threat Campaigns: Espionage and Credential Theft
This revelation follows another alarming discovery—phishing campaigns aimed at defense and aerospace sectors linked to Ukraine. According to DomainTools Investigations (DTI), attackers used Mailu, an open-source mail server, to craft spoofed login pages designed to steal webmail credentials from organizations supporting Ukraine’s military efforts.
Russia-Linked Threat Activity on the Rise
Other threat clusters, including UAC-0050 and UAC-0006, believed to be aligned with Russian interests, have been active throughout 2025. Their attacks span multiple industries such as:
- Government institutions
- Defense and energy sectors
- NGOs and critical service providers
These groups have been distributing well-known malware families, including:
- sLoad
- NetSupport RAT
- SmokeLoader
Additional Espionage Campaigns: PhantomPyramid & Operation HollowQuill
- Kaspersky has reported a Russia-focused campaign involving a new malware strain called PhantomPyramid, attributed to the actor "Head Mare." This malware enables remote command execution and payload delivery via a C2 (Command-and-Control) server.
- Another active group, Unicorn, is deploying VBS-based trojans targeting Russia's energy and industrial sectors, stealing sensitive files and images.
Meanwhile, SEQRITE Labs uncovered Operation HollowQuill, a campaign using weaponized PDFs disguised as academic and government documents. The attack chain includes:
- A malicious RAR archive
- A .NET dropper
- Cobalt Strike payload, launched through a decoy OneDrive app
Key Takeaways and Cybersecurity Recommendations
With escalating threats across Eastern Europe, it's critical for organizations—especially in government, defense, and energy sectors—to:
- Strengthen email security protocols
- Implement Zero Trust Architecture
- Train staff to detect phishing and social engineering
- Monitor endpoints for script-based malware