The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed that no less than three cyber attacks were recorded against state administration bodies and critical infrastructure facilities in the country with an aim to steal sensitive data.
The campaign, the agency said, involved the use of compromised email accounts to send phishing messages containing links pointing to legitimate services like DropMeFiles and Google Drive. In some instances, the links are embedded within PDF attachments.
The digital missives sought to induce a false sense of urgency by claiming that a Ukrainian government agency planned to cut salaries, urging the recipient to click on the link to view the list of affected employees.
Visiting these links leads to the download of a Visual Basic Script (VBS) loader that’s designed to fetch and execute a PowerShell script capable of harvesting files matching a specific set of extensions and capturing screenshots.
The activity, attributed to a threat cluster tracked as UAC-0219, is said to have been ongoing since at least fall 2024, with early iterations using a combination of EXE binaries, a VBS stealer, and a legitimate image editor software called IrfanView to realize its goals.
CERT-UA has given the VBS loader and the PowerShell malware the moniker WRECKSTEEL. The attacks have not been attributed to any country.
The development comes as Kaspersky warned that the threat actor known as Head Mare has targeted several Russian entities with a malware known as PhantomPyramid that’s capable of processing instructions issued by the operator over a command-and-control (C2) server, as well as downloading and running additional payloads like MeshAgent.
Russian energy companies, industrial enterprises, and suppliers and developers of electronic components organizations have also been at the receiving end of phishing attacks mounted by a threat actor codenamed Unicorn that dropped a VBS trojan designed to siphon files and images from infected hosts.
Late last month, SEQRITE Labs revealed that academic, governmental, aerospace, and defense-related networks in Russia are being targeted by weaponized decoy documents, likely sent via phishing emails, as part of a campaign dubbed Operation HollowQuill. The attacks are believed to have started around December 2024.
The activity makes use of social engineering ploys, disguising malware-laced PDFs as research invitations and government communiqués to entice unsuspecting users into triggering the attack chain.
“The threat entity delivers a malicious RAR file which contains a .NET malware dropper, which further drops a Golang-based shellcode loader along with the legitimate OneDrive application and a decoy-based PDF with a final Cobalt Strike payload,” security researcher Subhajeet Singha said.
