CERT-UA Uncovers Coordinated Cyber Attacks on Ukrainian Critical Infrastructure

Ukraine’s Computer Emergency Response Team (CERT-UA) has reported a series of coordinated cyberattacks targeting state administration bodies and critical infrastructure, aimed at stealing sensitive data.

The attackers leveraged compromised email accounts to deliver phishing emails containing malicious links hosted on legitimate platforms like DropMeFiles and Google Drive—often embedded within PDF attachments. These emails attempted to spark urgency by falsely claiming that a Ukrainian government agency intended to cut employee salaries, prompting recipients to click and view a list of affected personnel.

Following the link resulted in the download of a Visual Basic Script (VBS) loader, which in turn executed a PowerShell script designed to exfiltrate files with specific extensions and capture screenshots from the victim's device.
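The loader chain CERT-UA describes, a Visual Basic Script host launching PowerShell that then reads files and captures the screen, leaves a parent-child process pattern that a defender can match in process-creation telemetry. The Python below is an added example and not code from CERT-UA or from this article; the event layout is loosely modelled on Sysmon process-creation fields (image, parent image, command line), and the `ProcessEvent` type, the `find_suspicious_chains` function and the sample events are all constructed for illustration.

```python
"""Flag a script host (wscript/cscript) spawning PowerShell in process-creation events.

Added example, not from the CERT-UA report: the event schema and the sample
events below are constructed; adapt the field mapping to your own telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Directories where a just-downloaded loader typically lands (lower-case, with separators).
DOWNLOAD_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\temp\\")
# Accepted spellings of PowerShell's EncodedCommand switch (prefix matching).
ENCODED_SWITCHES = {"-e", "-ec", "-enc", "-encodedcommand"}
VBS_PATH = re.compile(r'"([^"]+\.vbs)"|(\S+\.vbs)', re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable that started
    cmdline: str    # its command line


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_argument(cmdline: str) -> Optional[str]:
    """Extract the .vbs path passed to the script host, quoted or not."""
    m = VBS_PATH.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def find_suspicious_chains(events: List[ProcessEvent]) -> List[dict]:
    """Return one finding per PowerShell process whose parent is a script host."""
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) not in POWERSHELL:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) not in SCRIPT_HOSTS:
            continue
        reasons = ["script host spawned PowerShell"]
        script = script_argument(parent.cmdline)
        if script and any(d in script.lower() for d in DOWNLOAD_DIRS):
            reasons.append("script launched from a download/temp directory")
        low = e.cmdline.lower()
        tokens = low.split()
        if any(t in ENCODED_SWITCHES for t in tokens):
            reasons.append("encoded PowerShell command line")
        if "-w hidden" in low or "-windowstyle hidden" in low:
            reasons.append("hidden window")
        findings.append({"parent_pid": parent.pid, "pid": e.pid,
                         "script": script, "reasons": reasons})
    return findings


# Constructed sample telemetry: one benign cmd.exe -> powershell.exe pair and one
# wscript.exe -> powershell.exe pair resembling the loader chain described above.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\user\Downloads\salary list.vbs"'),
    ProcessEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -ep bypass -enc BASE64PLACEHOLDER"),
    ProcessEvent(400, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessEvent(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe Get-Date"),
]

if __name__ == "__main__":
    for finding in find_suspicious_chains(SAMPLE_EVENTS):
        print(finding)
```

The rule keys on the parent-child relationship rather than on file names or hashes, so it survives a renamed script; the extra reasons (download directory, encoded command line, hidden window) are there to rank alerts, not to gate them, since the plain chain alone is rare enough on most workstations to deserve a look.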

This malicious activity is attributed to the threat actor UAC-0219 and has been ongoing since at least fall 2024. Early variants used EXE binaries, a VBS-based stealer, and the IrfanView image editor as part of the attack toolset. CERT-UA has named the VBS and PowerShell malware WRECKSTEEL, though no nation-state attribution has been made.

These attacks coincide with other phishing campaigns targeting defense and aerospace organizations involved in Ukraine’s conflict. According to DomainTools Investigations (DTI), threat actors created spoofed login pages using Mailu, an open-source mail server, in a likely effort to gather military-related intelligence.

Meanwhile, Russia-aligned threat groups such as UAC-0050 and UAC-0006 have been active since early 2025, distributing malware like sLoad, Remcos RAT, NetSupport RAT, and SmokeLoader across sectors including government, energy, and NGOs.

Elsewhere, Russian organizations are also facing threats. Kaspersky recently disclosed that the group Head Mare has targeted Russian entities with a backdoor named PhantomPyramid, capable of receiving commands from a remote server and downloading further payloads like MeshAgent.

Another Russia-focused group, Unicorn, has been phishing energy companies and electronic component suppliers with a VBS trojan that steals files and images.

Additionally, SEQRITE Labs uncovered a campaign dubbed Operation HollowQuill, targeting Russian academic, government, aerospace, and defense networks since December 2024. The operation uses social engineering and weaponized decoy documents, disguised as official government communications or research invitations, to lure victims.

Victims are sent malicious RAR archives containing a .NET malware dropper, which installs a Golang-based shellcode loader, a legitimate OneDrive executable, and a decoy PDF—all culminating in the deployment of the Cobalt Strike framework.

These findings highlight the increasingly complex and persistent nature of cyber warfare, with threat actors on both sides leveraging phishing, social engineering, and multi-stage malware attacks to achieve their objectives.