Full Report
In late March 2025, CERT-UA observed a surge in cyber-espionage operations targeting Ukraine, orchestrated by the UAC-0200 hacking group using DarkCrystal RAT. Researchers have recently uncovered at least three other cyber-espionage attacks throughout March against state bodies and critical infrastructure organizations in Ukraine, aiming to steal sensitive information from compromised systems using specialized malware. These […]

The post UAC-0219 Attack Detection: A New Cyber-Espionage Campaign Using a PowerShell Stealer WRECKSTEEL appeared first on SOC Prime.
Analysis Summary
# Threat Actor: UAC-0219
## Attribution & Identity
This threat actor is identified as the **UAC-0219 hacking collective**. They are performing cyber-espionage operations. The article also mentions the **UAC-0200** hacking group using DarkCrystal RAT operating concurrently in the region, but UAC-0219 is the focus of this specific campaign involving WRECKSTEEL.
## Activity Summary
UAC-0219 conducted a cyber-espionage campaign observed in late March 2025, detailed in CERT-UA Alert #14283. This campaign targeted Ukrainian state bodies and critical infrastructure organizations with the primary objective of stealing sensitive information. The activity has been ongoing since at least fall 2024. The group used compromised accounts to distribute spear-phishing emails containing malicious links, often embedded in PDF attachments. These links pointed to public file-sharing services like DropMeFiles and Google Drive.
## Tactics, Techniques & Procedures
The primary malware used is **WRECKSTEEL**, observed in both VBScript and PowerShell variants.
- **Initial Access:** Spear-phishing emails with malicious links delivered via public file-sharing services (DropMeFiles, Google Drive), sometimes embedded within PDF attachments.
- **Execution Chain:** Malicious link triggers download/execution of a VBScript loader (often disguised as `.js`), which subsequently executes a PowerShell script.
- **Collection:** PowerShell script searches for and exfiltrates files with specific extensions (.doc, .txt, .xls, .pdf, etc.).
- **Screen Capture:** Screenshots are captured, previously using the “IrfanView” utility initiated via an NSIS installer, but since 2025, this functionality has been integrated directly into PowerShell.
- **Older/Alternative TTPs:** Previously deployed EXE files created with NSIS installers containing decoy documents, a VBScript-based stealer, and IrfanView.
**MITRE ATT&CK Mapping:**
- **Execution:**
  - Command and Scripting Interpreter: PowerShell (T1059.001)
  - Command and Scripting Interpreter: Visual Basic (T1059.005)
  - Command and Scripting Interpreter: JavaScript (T1059.007)
- **Defense Evasion:**
  - Masquerading: Double File Extension (T1036.007)
  - Hide Artifacts: Hidden Window (T1564.003)
- **Discovery:**
  - System Network Configuration Discovery (T1016)
  - System Information Discovery (T1082)
- **Collection:**
  - Screen Capture (T1113)
- **Command and Control:**
  - Application Layer Protocol: Web Protocols (T1071.001)
  - Ingress Tool Transfer (T1105)
- **Exfiltration:**
  - Exfiltration Over Web Services (T1567) (implied via use of file-sharing services)
## Targeting
- **Sectors:** Government agencies and critical infrastructure organizations.
- **Geography:** Ukraine.
- **Victims:** State bodies and critical infrastructure organizations.
## Tools & Infrastructure
- **Malware families used:** WRECKSTEEL (PowerShell and VBScript variants), VBScript loader.
- **Infrastructure (C2, domains, IPs):** Public file-sharing services utilized for initial payload delivery: DropMeFiles and Google Drive.
## Implications
UAC-0219 is a persistent cyber-espionage threat specifically focused on high-value targets within Ukrainian government and critical infrastructure sectors. Their recent switch to integrating screenshot functionality directly into PowerShell, moving away from external tools like IrfanView, suggests an effort to streamline operations and potentially increase stealth by relying on native Windows capabilities for key collection tasks.
## Mitigations
- Implement detection mechanisms (like Sigma rules referenced in CERT-UA#14283) focused on WRECKSTEEL indicators and observed PowerShell/VBScript execution patterns.
- Enhance monitoring for suspicious execution chains involving VBScript loading PowerShell scripts.
- Scrutinize network traffic originating from PowerShell or WScript/CScript processes, especially concerning outbound connections to known public file-sharing services for data staging or exfiltration.
- Strengthen defenses against spear-phishing, focusing on user education regarding malicious links delivered via emails or embedded in document attachments.
- Hunt for reconnaissance TTPs, including WMI usage via PowerShell (`T1082`) and network configuration checks (`T1016`).
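The execution chain in the TTP section (VBScript loader disguised as `.js`, spawning a hidden-window PowerShell) and the monitoring points in the mitigations above translate naturally into a handful of hunt rules. The Python below is an added example, not code from CERT-UA, SOC Prime or the referenced Sigma rules: it runs four checks over constructed, Sysmon-shaped events (event 1 = process creation, event 3 = network connection) and flags the script-host-to-PowerShell chain (T1059.005/.007 to T1059.001), double-extension file names (T1036.007), hidden PowerShell windows (T1564.003) and script-host connections to file-sharing services (T1071.001/T1567). The event field names, the sample events and the file-sharing hostnames are assumptions made for the example.

```python
"""Hunt logic for the WRECKSTEEL execution chain described in the report.

Added example, not CERT-UA's or SOC Prime's code. Events are constructed in a
Sysmon-like shape (event 1 = process creation, event 3 = network connection).
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumption: hostnames standing in for the file-sharing services named in the report.
FILE_SHARING_HOSTS = ("dropmefiles.com", "drive.google.com")

# T1036.007: a document extension immediately followed by a script/executable extension.
DOUBLE_EXT = re.compile(
    r"[\w\-]+\.(?:pdf|docx?|xlsx?|txt)\.(?:js|jse|vbs|vbe|wsf|exe)\b", re.IGNORECASE)
# T1564.003: -WindowStyle Hidden (PowerShell accepts any unambiguous prefix, e.g. -w).
HIDDEN_WINDOW = re.compile(r"-w\w*\s+hidden\b", re.IGNORECASE)


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def script_host_spawning_powershell(events) -> List[Tuple[int, int]]:
    """wscript/cscript parent with a powershell child. Parent lookup is by pid only;
    a production pipeline would key on process GUIDs to survive pid reuse."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in procs.values():
        parent = procs.get(e.get("ppid"))
        if parent and basename(parent["image"]) in SCRIPT_HOSTS \
                and basename(e["image"]) in POWERSHELL:
            hits.append((parent["pid"], e["pid"]))
    return hits


def double_extension_files(events) -> List[str]:
    """File names such as report.pdf.js anywhere in a process command line."""
    return [m.group(0) for e in events if e["id"] == 1
            for m in DOUBLE_EXT.finditer(e["cmdline"])]


def hidden_window_powershell(events) -> List[int]:
    """PowerShell launched with a hidden window."""
    return [e["pid"] for e in events if e["id"] == 1
            and basename(e["image"]) in POWERSHELL
            and HIDDEN_WINDOW.search(e["cmdline"])]


def script_host_to_file_sharing(events) -> List[Tuple[int, str]]:
    """Network connection from a script host or PowerShell to a file-sharing service."""
    hits = []
    for e in events:
        if e["id"] != 3 or basename(e["image"]) not in SCRIPT_HOSTS | POWERSHELL:
            continue
        host = e["dest_host"].lower()
        if any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS):
            hits.append((e["pid"], host))
    return hits


def detect(events) -> Dict[str, list]:
    """Run every rule and return the hits keyed by rule name."""
    return {
        "script_host_spawns_powershell": script_host_spawning_powershell(events),
        "double_extension_masquerade": double_extension_files(events),
        "hidden_window_powershell": hidden_window_powershell(events),
        "script_host_to_file_sharing": script_host_to_file_sharing(events),
    }


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry: one WRECKSTEEL-style chain plus one benign PowerShell run.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"id": 1, "pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\Downloads\report.pdf.js"'},
    {"id": 1, "pid": 4133, "ppid": 4120, "image": PS_IMAGE,
     "cmdline": "powershell.exe -w hidden -ep bypass -enc <placeholder>"},
    {"id": 3, "pid": 4133, "image": PS_IMAGE,
     "dest_host": "dropmefiles.com", "dest_port": 443},
    {"id": 1, "pid": 5000, "ppid": 4100, "image": PS_IMAGE,
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"id": 3, "pid": 5000, "image": PS_IMAGE,
     "dest_host": "intranet.example.local", "dest_port": 443},
]

if __name__ == "__main__":
    for rule, hits in detect(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
```

On the constructed events only the pid 4120 to 4133 chain fires all four rules; the benign `backup.ps1` run from Explorer produces no hits. The parent-child check is the highest-signal rule of the four, since a script host spawning PowerShell is rare in ordinary enterprise use, while the file-sharing destination rule will need an allow-list wherever those services are legitimately used.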