{
  "name": "Cyber Espionage using PowerShell stealer WRECKSTEEL",
  "slug": "cyber-espionage-using-powershell-stealer-wrecksteel",
  "description": "The Ukrainian government's CERT-UA identified a series of cyberattacks against government agencies and critical infrastructure facilities in Ukraine during March 2025. The attacks, aimed at information theft, use compromised accounts to send emails containing links to public file-sharing services. These links download a VBScript loader, which then launches a PowerShell script that searches for specific file types and uploads them using cURL. The malicious activity, tracked as UAC-0219, has been ongoing since fall 2024. The primary tool, classified as WRECKSTEEL, exists in both VBScript and PowerShell versions. Earlier attacks in 2024 used EXE files built with the NSIS installer, containing decoy documents and the IrfanView program for taking screenshots. CERT-UA urges immediate reporting of any detected signs of a cyberattack.",
  "published": "2025-04-03T16:27:42+00:00",
  "created_at": "2025-04-03T16:27:42+00:00",
  "modified_at": "2025-04-03T17:04:15+00:00",
  "created_at_opencti": "2025-04-03T16:27:42+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-04-03",
    "critical-infrastructure",
    "cyber espionage",
    "file stealing",
    "government",
    "powershell",
    "ukraine",
    "vbscript",
    "wrecksteel"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "45.61.159.252"
      },
      {
        "id": "",
        "name": "91.203.63.10"
      },
      {
        "id": "",
        "name": "45.61.157.179"
      },
      {
        "id": "",
        "name": "185.212.44.87"
      },
      {
        "id": "",
        "name": "172.86.88.15"
      },
      {
        "id": "",
        "name": "172.86.88.186"
      },
      {
        "id": "",
        "name": "172.86.84.84"
      },
      {
        "id": "",
        "name": "172.86.65.194"
      },
      {
        "id": "",
        "name": "172.86.72.194"
      },
      {
        "id": "",
        "name": "172.86.122.94"
      },
      {
        "id": "",
        "name": "172.86.116.135"
      },
      {
        "id": "",
        "name": "172.86.114.149"
      },
      {
        "id": "",
        "name": "144.172.98.178"
      },
      {
        "id": "",
        "name": "143.244.46.116"
      },
      {
        "id": "",
        "name": "45.61.141.215"
      },
      {
        "id": "",
        "name": "172.86.104.17"
      },
      {
        "id": "",
        "name": "107.189.20.74"
      },
      {
        "id": "",
        "name": "www.eschool-ua.online"
      },
      {
        "id": "",
        "name": "http://mfashara.com/"
      },
      {
        "id": "",
        "name": "http://iocreestr.tech/zakon_rada/cabinet_ministriv_postanova_1559_2024/read/"
      },
      {
        "id": "",
        "name": "http://dropmefiles.top/ua/d/ebc5ka/d996e31032e7c288d7e20e7b82221c20/aefdd4d762a9657db41c23f9c4de424a"
      },
      {
        "id": "",
        "name": "http://dropmefiles.cc/ua/d/pweym/db923cfd3b8b67f23a1b6dee06f1f66c/62bef3a44fd6eb0da37ffb4121c6f354"
      },
      {
        "id": "",
        "name": "http://drobbox.cloud/"
      },
      {
        "id": "",
        "name": "http://45.61.159.252/visa_letter.exe"
      },
      {
        "id": "",
        "name": "http://45.61.157.179/upload"
      },
      {
        "id": "",
        "name": "http://45.61.157.179/script.ps1'"
      },
      {
        "id": "",
        "name": "http://172.86.88.186/upload"
      },
      {
        "id": "",
        "name": "http://45.61.157.179/script.ps1"
      },
      {
        "id": "",
        "name": "http://172.86.88.186/scripttest2.ps1"
      },
      {
        "id": "",
        "name": "http://172.86.88.186/List_of_spivrobitnykiv_for_reducing_wage_10.03_PDF.pdf"
      },
      {
        "id": "",
        "name": "http://172.86.88.15/upload"
      },
      {
        "id": "",
        "name": "http://172.86.88.15/scripttest.ps1'"
      },
      {
        "id": "",
        "name": "http://172.86.88.15/Spisok_spivrobitnykiv_na_zmenshennya_zarobitnoyi_plati_06.03_PDF.pdf"
      },
      {
        "id": "",
        "name": "http://172.86.88.15/scripttest.ps1"
      },
      {
        "id": "",
        "name": "http://172.86.122.94/scrxxx.ps1'"
      },
      {
        "id": "",
        "name": "http://172.86.114.149:80/upload"
      },
      {
        "id": "",
        "name": "http://172.86.114.149/seeddoc.exe"
      },
      {
        "id": "",
        "name": "http://172.86.104.17/upload"
      },
      {
        "id": "",
        "name": "http://172.86.104.17/scratest.ps1'"
      },
      {
        "id": "",
        "name": "http://172.86.104.17/scratest.ps1"
      },
      {
        "id": "",
        "name": "http://172.86.104.17/Zmini_v_hrafiku_roboti_spivrobitnykiv_14.04.2025_PDF.pdf"
      },
      {
        "id": "",
        "name": "http://167.88.167.254:80/upload"
      },
      {
        "id": "",
        "name": "http://144.172.98.178/upload"
      },
      {
        "id": "",
        "name": "http://144.172.98.178/scretest.ps1'"
      },
      {
        "id": "",
        "name": "http://144.172.98.178/List_of_employees_for_reduction_of_salary_20.03_PDF.pdf"
      },
      {
        "id": "",
        "name": "http://144.172.98.178/scretest.ps1"
      },
      {
        "id": "",
        "name": "http://107.189.20.74/screvan.ps1'"
      },
      {
        "id": "",
        "name": "eschool-ua.online"
      },
      {
        "id": "",
        "name": "dropmefiles.top"
      },
      {
        "id": "",
        "name": "dropmefiles.cc"
      },
      {
        "id": "",
        "name": "f2ee357c18fb1a3d229a365023456b4ce561db62e761e427fef638ec0f371ede"
      },
      {
        "id": "",
        "name": "ee8d452a1cc9bcd7e0f002a901a4ce63ddf98c0e13cba415f7325cd9cdccf0b8"
      },
      {
        "id": "",
        "name": "e7fdee4fab59f8c4351e3c9e0a478803df9c7ac5f9163d13f476d9bb4abce5ee"
      },
      {
        "id": "",
        "name": "d26aa72fd238c0408fd365b96d8aa9662be3d4c9d479309bef428e34831aaf42"
      },
      {
        "id": "",
        "name": "cae156d492a4aa07e3d3e4b15f843308c09df7f2c8bf44d9e7093b4393e01fe1"
      },
      {
        "id": "",
        "name": "c386bce3de6854bd1424467242f9cf95271de39890b5a2fb3e884e509b1b03c6"
      },
      {
        "id": "",
        "name": "a3d91c4c039e50718d930cd5251e382f0f3997ec63e872539644b8c735bd4961"
      },
      {
        "id": "",
        "name": "c02e57c49d940a279852109a06c19a78052dd51300975037413133c1a79e97ac"
      },
      {
        "id": "",
        "name": "9a921a344913d442430a31a3dc1d01aff2b416ca601fed68633021ffefc92fab"
      },
      {
        "id": "",
        "name": "92f961d3cb29eda1214c24c0f882f49fb9e43885f696ebec2891380e6e4ec400"
      },
      {
        "id": "",
        "name": "8acb7292c2b1163746296941977d191ef8d5fcf8bd646e4f5c4ab8718fe7b866"
      },
      {
        "id": "",
        "name": "89534f86ab5daaf55ce818872960eaa4eb64f4cc19118feea690638bf1156528"
      },
      {
        "id": "",
        "name": "84b438fac113615c2e81f440de2cafa4e2ccd74adc4867d73df30bb9d01dcdb6"
      },
      {
        "id": "",
        "name": "6089e28a711e519890b05283de1e4abb7b63aa4d09e7ab90a92f65585779fa4b"
      },
      {
        "id": "",
        "name": "566609e0e042b611c9d929cb94be4b5a17e7dbb884b4ebd2e0d68adc9fa6bf73"
      },
      {
        "id": "",
        "name": "4bdaa2e9bc6c6986981d039b29085683ed36b5c2549466101a81ad660281465c"
      },
      {
        "id": "",
        "name": "3c6c0ed1ff12b5489a6838b7a9d4ab84bb8e2b5f0b46fb093b39b0f030b5ef16"
      },
      {
        "id": "",
        "name": "2e38f3413f88b38ac5f958de12e6fec37dd53de3f8fb1644172e112346e5ede2"
      },
      {
        "id": "",
        "name": "24885b72dc3ce5cc1530fd003bcbfb108d311de1a4ce828cb7cdc2411e705337"
      },
      {
        "id": "",
        "name": "1dc1d8ccb2ca280ef9083c334432909d2a9f86eca225252a3e9a4708adc98931"
      },
      {
        "id": "",
        "name": "1235bf9c1b0d2a54e451b512ad34a81774d637ae58436416388fb3b7f901ad6e"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:66ecbf51fa1a703e",
        "name": "WRECKSTEEL",
        "slug": "wrecksteel"
      }
    ],
    "intrusion_sets": [
      {
        "id": "d6fa124a-6bef-4c26-933d-42c0a731166b",
        "name": "UAC-0219",
        "slug": "uac-0219"
      }
    ],
    "attack_patterns": [
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "1e73eaa9-ea78-444b-b3a3-5842f5d35115",
        "name": "T1074"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Ukraine"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/67eed31e2e5388397fc6bf7e"
  ]
}