{
	"id": "e3fad73d-68bc-4fa2-88b9-ab0303fb8330",
	"created_at": "2026-04-06T00:14:17.279923Z",
	"updated_at": "2026-04-10T03:33:36.987996Z",
	"deleted_at": null,
	"sha1_hash": "0b79087700965663f68c6074f8008588f66a8a70",
	"title": "UAC-0219 Attack Detection: A New Cyber-Espionage Campaign Using a PowerShell Stealer WRECKSTEEL",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46239,
	"plain_text": "UAC-0219 Attack Detection: A New Cyber-Espionage Campaign Using a PowerShell Stealer WRECKSTEEL\r\nBy Veronika Zahorulko\r\nPublished: 2025-04-03 · Archived: 2026-04-05 19:23:22 UTC\r\nIn late March 2025, CERT-UA observed a surge in cyber-espionage operations targeting Ukraine, orchestrated by\r\nthe UAC-0200 hacking group using DarkCrystal RAT. Researchers have recently uncovered at least three other\r\ncyber-espionage attacks throughout March against state bodies and critical infrastructure organizations in Ukraine,\r\naiming to steal sensitive information from compromised systems using specialized malware. These attacks are\r\nattributed to the UAC-0219 hacking collective and rely on WRECKSTEEL malware, which has been observed in\r\nboth VBScript and PowerShell variants.\r\nDetect UAC-0219 Attacks Using WRECKSTEEL Covered in CERT-UA#14283 Alert\r\nAccording to Cyble’s research, phishing remained the dominant attack vector in Ukraine’s cyber threat landscape\r\nin 2024, with attackers using spear-phishing emails containing malicious links or attachments to exploit human\r\nerror as an entry point.\r\nAt the turn of April 2025, CERT-UA issued an alert CERT-UA#14283 warning the global cyber defender\r\ncommunity of at least three cyber-espionage incidents focused on data theft using the specialized PowerShell-based stealer dubbed WRECKSTEEL.\r\nSOC Prime Platform for collective cyber defense curates a dedicated collection of Sigma rules to help enterprises,\r\nincluding government agencies and critical infrastructure organizations, proactively defend against UAC-0219\r\nattacks covered in the CERT-UA#14283 alert. Click the Explore Detections button to instantly access a relevant\r\nset of detection algorithms compatible with multiple cloud-native and on-prem SIEM, EDR, and Data Lake\r\nsolutions, aligned with MITRE ATT\u0026CK®, and enhanced with comprehensive threat intel.\r\nAlternatively, security teams can directly apply the corresponding “UAC-0219” or “WRECKSTEEL” tags to\r\nrefine their content search within the Detection-as-Code library on SOC Prime Platform.\r\nSecurity engineers can also rely on Uncoder AI to simplify IOC matching and enhance retrospective threat\r\nhunting. This private IDE and AI-powered co-pilot for threat-informed detection engineering seamlessly converts\r\nIOCs from the relevant CERT-UA research into custom hunting queries, ready for use in SIEM or EDR\r\nenvironments to identify potential UAC-0219 threats.\r\nRely on Uncoder AI to hunt for IOCs from the CERT-UA#14283 alert and spot intrusions by UAC-0219\r\nactors in a timely manner.\r\nhttps://socprime.com/blog/detect-uac-0219-attacks-against-ukrainian-state-bodies/\r\nPage 1 of 2\n\nUAC-0219 Attack Analysis\r\nCERT-UA continues to systematically collect and analyze cyber incident data to provide up-to-date threat\r\nintelligence. In March 2025, at least three cyber-attacks against government agencies and the critical infrastructure\r\nsector in Ukraine were observed in the cyber threat landscape linked to the UAC-0219 hacking group. Adversaries\r\nprimarily relied on WRECKSTEEL malware designed for file exfiltration, available in both its VBScript and\r\nPowerShell iterations.\r\nIn this latest campaign addressed in the corresponding CERT-UA#14283 heads-up, the group leveraged\r\ncompromised accounts to distribute phishing emails containing links to public file-sharing services such as\r\nDropMeFiles and Google Drive. In some cases, these links were embedded within PDF attachments. Clicking\r\nthese links triggered the download and execution of a VBScript loader (typically with a .js extension), which then\r\nexecuted a PowerShell script. This script was designed to search for and exfiltrate files of specific extensions\r\n(.doc, .txt, .xls, .pdf, etc.) and capture screenshots using cURL.\r\nAnalysis indicates that this malicious activity has been ongoing since at least fall 2024. Previously, threat actors\r\ndeployed EXE files created with the NSIS installer, which contained decoy documents (PDF, JPG), a VBScript-based stealer, and the image viewer “IrfanView” for taking screenshots. However, since 2025, the screenshot-capturing functionality has been integrated into PowerShell.\r\nMITRE ATT\u0026CK® Context\r\nLeveraging MITRE ATT\u0026CK provides in-depth visibility into the context of the latest UAC-0219 cyber-espionage operation targeting state bodies and critical infrastructure organizations in Ukraine. Explore the table\r\nbelow to see the full list of dedicated Sigma rules addressing the corresponding ATT\u0026CK tactics, techniques, and\r\nsub-techniques.\r\nSource: https://socprime.com/blog/detect-uac-0219-attacks-against-ukrainian-state-bodies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://socprime.com/blog/detect-uac-0219-attacks-against-ukrainian-state-bodies/"
	],
	"report_names": [
		"detect-uac-0219-attacks-against-ukrainian-state-bodies"
	],
	"threat_actors": [
		{
			"id": "1207a5fc-7a08-4804-97d5-848f2c170a4e",
			"created_at": "2025-05-29T02:00:03.199991Z",
			"updated_at": "2026-04-10T02:00:03.856819Z",
			"deleted_at": null,
			"main_name": "UAC-0219",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0219",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434457,
	"ts_updated_at": 1775792016,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b79087700965663f68c6074f8008588f66a8a70.pdf",
		"text": "https://archive.orkl.eu/0b79087700965663f68c6074f8008588f66a8a70.txt",
		"img": "https://archive.orkl.eu/0b79087700965663f68c6074f8008588f66a8a70.jpg"
	}
}