Listen to this Post
Ukrainian Government Under Siege: A New Wave of Cyberattacks Unleashed in 2024-2025
Since early 2024, Ukraine has been facing a relentless wave of cyberattacks targeting its government bodies and critical infrastructure. In a recent alert, the Computer Emergency Response Team of Ukraine (CERT-UA) exposed the latest threat — a highly coordinated campaign attributed to the threat actor known as UAC-0219. This group has deployed a custom-built malicious tool named WRECKSTEEL, utilizing deceptive phishing tactics and public file-sharing services to execute data theft and espionage.
The attackers have refined their techniques throughout the campaign, switching from third-party hacking tools to native PowerShell scripts, indicating increasing sophistication. This evolution of tactics makes detection significantly harder, while enabling deep infiltration into Ukrainian systems.
Campaign Summary: How UAC-0219 Operates (30-line Breakdown)
– Target Audience: Ukrainian government agencies and infrastructure.
– Timeline: Active since 2024, continues into 2025.
- Threat Actor: Identified as UAC-0219, likely state-aligned, focused on espionage and data theft.
- Initial Vector: Phishing emails crafted to resemble legitimate communication from agencies or HR departments.
- Lure Topics: Common bureaucratic matters like salary changes are used to increase click-through rates.
- Payload Delivery: Emails include links to seemingly legitimate sites like DropMeFiles.
- Malicious File: A file disguised as a PDF (e.g.,
Spisok_spivrobitnykiv_na_zmenshennya_zarobitnoyi_platy_27_03_PDF.js) is downloaded. - True Nature of File: It’s a JavaScript-based VBScript loader, not an actual PDF document.
- Script Execution: Once triggered, it launches a PowerShell payload hosted at a malicious server (e.g., `http://107[.]189[.]20[.]74/scream.ps1`).
- PowerShell Role: Collects sensitive data and screenshots, then exfiltrates them to the attacker’s infrastructure.
- Previous Methods: Earlier campaigns used NSIS-packed EXE files.
- Evolution: 2025 attacks rely entirely on built-in Windows tools, enhancing stealth.
- Malware Identified: The full malicious toolkit is named WRECKSTEEL.
- Code Base: Written in VBScript and PowerShell variants.
– Exfiltration Targets: Documents, login credentials, screen activity.
- Execution Chain: Phishing → JavaScript → VBScript loader → PowerShell → Data Theft.
- Stealth Mechanism: Native scripting avoids traditional antivirus detection.
- Public Hosting Abuse: Uses trusted services to distribute malware, evading email filters.
– Intended Impact: Espionage, surveillance, disruption of operations.
- CERT-UA Advisory: Issued public alerts and guidelines to mitigate the threat.
- Indicators of Compromise (IOCs): Specific domains, file names, scripts outlined in CERT-UA briefings.
- Victim Behavior: Engaging with email links and executing downloaded files.
- Toolset Adaptability: Modular structure enables quick updates to avoid detection.
- Phishing Content: In native language, making it highly believable.
- Success Factors: Psychological manipulation, social engineering, stealth technology.
- Attribution Confidence: High — based on behavioral patterns and tool reuse.
- Impact: Significant data loss, operational risks for Ukrainian entities.
- International Concern: Growing fears of similar tactics spreading to other regions.
- Current Status: Active — organizations advised to strengthen defenses.
- Defensive Recommendations: Disable macro/script execution, monitor PowerShell usage, update endpoint protection.
- Detection Difficulty: Very high, due to PowerShell-based native execution.
- Tool Flexibility: Designed to steal a wide range of information.
– End Goal: Long-term infiltration and intelligence gathering.
What Undercode Say: Deep Dive Into the WRECKSTEEL Operation
From a cybersecurity
1. Phishing Precision
The attackers didn’t blast random spam. These phishing emails were meticulously designed to match internal government communication styles, in the Ukrainian language, and tied to sensitive workplace topics. This increases the click rate exponentially. A clever social engineering move.
2. Native Tools, No Fuss
Moving away from third-party malware toward PowerShell-based payloads marks a shift in strategy that aligns with the “living off the land” approach. It allows the malware to blend in with regular administrative activity, making forensic detection significantly harder.
3. Decoy File Names
The malicious file’s name (Spisok_spivrobitnykiv_na_zmenshennya_zarobitnoyi_platy) translates roughly to “List of employees with reduced salaries.” That alone is enough to spark curiosity or concern among employees, which increases the attack’s success rate.
4. WRECKSTEEL Malware: A Silent Thief
Unlike ransomware or noisy attacks, WRECKSTEEL is all about stealth. It does not alert the victim. It quietly gathers screenshots, documents, and other sensitive data, shipping it out to command-and-control servers — a digital surveillance operation more than a smash-and-grab.
5. DropMeFiles Exploitation
Using publicly accessible file-sharing platforms is a clever way to bypass corporate firewalls and filters. These services are trusted, so links are unlikely to be blocked by default. It’s a calculated abuse of trust in benign infrastructure.
6. Evolution of the Toolkit
Earlier variants using NSIS-packed executables show that the attackers were initially testing the waters with off-the-shelf tools. The move to custom PowerShell payloads in 2025 indicates a scaling up in resources, funding, or strategic importance.
7. Long-Term Espionage, Not Destruction
This
8. Cyber Hygiene Needed Now More Than Ever
For defense, organizations must increase user awareness, implement strict access policies, and especially monitor all scripting activity. PowerShell logging, behavior analytics, and sandboxing suspicious links can help thwart similar attacks.
9. The Broader Context
Given the backdrop of ongoing geopolitical conflict, these attacks are more than digital crimes — they are state-sponsored operations aiming to destabilize, surveil, or outmaneuver Ukrainian institutions.
10. UAC-0219 in the Spotlight
Although public information about UAC-0219 is limited, the tactics, tools, and targets align with state-aligned cyber espionage groups. The campaign bears resemblance to previous APT-style attacks seen
References:
Reported By: https://www.bitdefender.com/en-us/blog/hotforsecurity/wrecksteel-fake-emails-spy-ukrainian
Extra Source Hub:
https://www.pinterest.com
Wikipedia
Undercode AI
Image Source:
Pexels
Undercode AI DI v2





