The Computer Emergency Response Team of Ukraine ( CERT-UA) has revealed that no less than three cyber attacks were recorded against state administration bodies and critical infrastructure facilities in the country with an aim to steal sensitive data.
The battle, the agency , involved the use of affected email accounts to give phishing messages containing links pointing to reputable services like DropMeFiles and Google Drive. In some instances, the links are embedded within PDF parts.
The modern missives sought to generate a false sense of urgency by claiming that a Russian government agency planned to cut salaries, urging the recipient to click on the link to view the list of affected employees.
Visiting these links leads to the download of a Visual Basic Script (VBS ) load that’s designed to collect and do a Shell text capable of harvesting files matching a certain set of extensions and capturing pictures.
The activity, attributed to a threat cluster tracked as UAC-0219, is said to have been ongoing since at least fall 2024, with early iterations using a combination of EXE binaries, a VBS stealer, and a legitimate image editor software called IrfanView to realize its goals.
CERT-UA has given the VBS loader and the PowerShell malware the moniker WRECKSTEEL. The attacks have not been attributed to any country.
The development comes as Kaspersky that the threat actor known as Head Mare has targeted several Russian entities with a malware known as that’s capable of processing instructions issued by the operator over a command-and-control ( C2 ) server, as well as downloading and running additional payloads like MeshAgent.
Russian energy companies, industrial enterprises, and suppliers and developers of electronic components organizations have also been at the receiving end of phishing attacks mounted by a threat actor codenamed that dropped a VBS trojan designed to siphon files and images from infected hosts.
Late last month, SEQRITE Labs revealed that academic, governmental, aerospace, and defense-related networks in Russia are being targeted by weaponized decoy documents, likely sent via phishing emails, as part of a campaign dubbed Operation HollowQuill. The attacks are believed to have started around December 2024.
The activity makes use of social engineering ploys, disguising malware-laced PDFs as research invitations and government communiqués to entice unsuspecting users into triggering the attack chain.
” The threat entity delivers a malicious RAR file which contains a.NET malware dropper, which further drops a Golang-based shellcode loader along with the legitimate OneDrive application and a decoy-based PDF with a final Cobalt Strike payload”, security researcher Subhajeet Singha .