April 5, 2025
The Computer Emergency Response Team of Ukraine (CERT-UA) has reported multiple cyberattacks targeting Ukrainian government bodies and critical infrastructure to steal sensitive data. The attacks, attributed to the threat group UAC-0219, used phishing emails with links to legitimate file-sharing services, tricking recipients into downloading malware. The campaign, active since late 2024, deploys a Visual Basic Script (VBS) loader called WRECKSTEEL to execute a PowerShell script that steals files and captures screenshots.
In a related development, a phishing campaign targeting Ukraine’s defense and aerospace sectors was discovered, attempting to steal webmail credentials through fake login pages. Russia-aligned groups UAC-0050 and UAC-0006 have also been conducting financially motivated and espionage-driven cyberattacks against government, defense, and energy organizations and NGOs, using malware like sLoad, Remcos RAT, and SmokeLoader.
Meanwhile, Russian entities have also faced cyber threats. The group Head Mare has targeted organizations with PhantomPyramid malware, which allows remote command execution and additional payload downloads. Another campaign by the group Unicorn has used a VBS trojan to steal files and images from Russian energy and industrial companies. Additionally, Operation HollowQuill, uncovered by SEQRITE Labs, has used phishing emails to target Russian governmental and defense networks, delivering a complex malware chain ending with a Cobalt Strike payload.
These attacks highlight the ongoing cyber warfare targeting both Ukraine and Russia, using phishing, social engineering, and sophisticated malware to steal intelligence and disrupt operations.
Source: https://thehackernews.com/2025/04/cert-ua-reports-cyberattacks-targeting.html