The Computer Emergency Response Team of Ukraine (CERT-UA) has identified a series of cyberattacks aimed at state administration bodies and critical infrastructure within the country. These attacks, totaling at least three incidents, were primarily designed to exfiltrate sensitive information.
The attackers employed compromised email accounts to disseminate phishing messages. These emails contained links to legitimate file-sharing services such as DropMeFiles and Google Drive, with some links embedded within PDF attachments. The emails were crafted to create a sense of urgency, falsely claiming that a Ukrainian government agency intended to reduce salaries and urging recipients to click on the provided link to view a list of affected employees.
Upon clicking the link, recipients unknowingly downloaded a Visual Basic Script (VBS) loader. This loader executed a PowerShell script designed to harvest files with specific extensions and capture screenshots from the infected system. CERT-UA has named the VBS loader and the associated PowerShell malware WRECKSTEEL.
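The VBS-loader-to-PowerShell handoff described above is the kind of parent/child relationship endpoint telemetry can surface. The following detection heuristic is an added example, not code from CERT-UA or from the WRECKSTEEL samples; it assumes a simplified Sysmon-like key=value process-creation log format, and the sample events are constructed for illustration.

```python
import re

# Constructed sample process-creation events in a simplified Sysmon-like
# key=value layout; they are made up for this example, not real telemetry.
SAMPLE_EVENTS = [
    'ParentImage=C:\\Windows\\System32\\wscript.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -w hidden -ep bypass -c Get-ChildItem -Recurse -Include *.docx,*.pdf,*.xlsx"',
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe"',
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -Command Get-Date"',
    'ParentImage=C:\\Windows\\System32\\wscript.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -NoProfile -EncodedCommand QQBkAGQA"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host binaries that run VBS
# Switches commonly used to hide or obfuscate a PowerShell stage.
EVASIVE_SWITCHES = re.compile(
    r"(?i)(?:-w(?:indowstyle)?\s+hidden|-e(?:ncodedcommand|c)?\s|"
    r"-(?:ep|executionpolicy)\s+bypass|-nop(?:rofile)?\b)")
# Recursive directory walks that target document types (bulk file harvesting).
HARVEST_PATTERN = re.compile(r"(?i)get-childitem.*-recurse.*\*\.(?:docx?|xlsx?|pdf|txt)")

def parse_event(line: str) -> dict[str, str]:
    """Turn one key=value log line into a dict; quoted values keep their spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def score_event(event: dict[str, str]) -> list[str]:
    """Return the reasons an event resembles a VBS loader handing off to PowerShell."""
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    child = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    reasons = []
    if parent in SCRIPT_HOSTS and child == "powershell.exe":
        reasons.append("script host spawned PowerShell")
    if child == "powershell.exe" and EVASIVE_SWITCHES.search(cmd):
        reasons.append("evasive PowerShell switches")
    if HARVEST_PATTERN.search(cmd):
        reasons.append("recursive document collection")
    return reasons

def analyze(lines: list[str]) -> list[dict]:
    """Scan log lines and return the flagged ones with the reasons for each."""
    hits = []
    for idx, line in enumerate(lines):
        reasons = score_event(parse_event(line))
        if reasons:
            hits.append({"index": idx, "reasons": reasons})
    return hits
```

Plain PowerShell launched from Explorer is deliberately left unflagged; the signal is the script-host parent combined with hidden or encoded execution and document-sweeping commands.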
The threat actor behind these attacks is tracked as UAC-0219. Evidence suggests that this group has been active since at least the fall of 2024. Earlier campaigns by UAC-0219 utilized a combination of executable binaries, VBS-based stealers, and legitimate software like the image editor IrfanView to achieve their objectives.
In a related development, a phishing campaign has been targeting defense and aerospace entities connected to the ongoing conflict in Ukraine. The attackers aim to harvest webmail credentials through counterfeit login pages. These malicious pages were constructed using Mailu, an open-source mail server software available on GitHub. The focus on organizations involved in Ukraine’s defense and telecommunications infrastructure indicates an intent to gather intelligence related to the conflict.
Additionally, Russia-aligned threat groups such as UAC-0050 and UAC-0006 have been observed conducting financially and espionage-motivated spam campaigns since early 2025. These campaigns primarily target sectors including government, defense, energy, and non-governmental organizations. The malware families distributed in these campaigns include sLoad, Remcos RAT, NetSupport RAT, and SmokeLoader.
The cybersecurity landscape in the region remains volatile, with various threat actors continuously evolving their tactics to exploit vulnerabilities and gather intelligence. Organizations are urged to remain vigilant, implement robust security measures, and educate their personnel about the risks associated with phishing and other cyber threats.