CERT-UA Reports: March 2025 Cyberattacks on Ukrainian Agencies Using WRECKSTEEL Malware
In March 2025, CERT-UA reported three cyberattacks targeting Ukrainian state agencies and critical infrastructure, utilizing WRECKSTEEL malware to steal sensitive data. Learn about the tactics, tools, and preventive measures.
TL;DR
In March 2025, the Computer Emergency Response Team of Ukraine (CERT-UA) reported three cyberattacks targeting Ukrainian state agencies and critical infrastructure. The attacks aimed to steal sensitive data using WRECKSTEEL malware. The malware employed various tactics, including compromised accounts, phishing emails, and data exfiltration tools.
- Key Takeaways:
- Attacks Identified: CERT-UA reported three cyberattacks in March 2025.
- Target: Ukrainian state agencies and critical infrastructure.
- Malware Used: WRECKSTEEL malware for data theft.
- Tactics: Compromised accounts, phishing emails, and data exfiltration.
CERT-UA Reports March 2025 Cyberattacks on Ukrainian Agencies
The Computer Emergency Response Team of Ukraine (CERT-UA) has reported a series of cyberattacks targeting Ukrainian state agencies and critical infrastructure in March 2025. These attacks, tracked under the identifier UAC-0219, aimed to collect and steal sensitive information using advanced malware tools1.
Overview of the Attacks
According to the report published by CERT-UA, at least three significant cyberattacks were recorded during March 2025. These incidents targeted government agencies and critical infrastructure facilities, with the primary goal of exfiltrating sensitive data from compromised systems1.
Tactics and Tools Employed
The threat actors behind these attacks employed a variety of tactics to infiltrate and steal data:
- Compromised Accounts: Since fall 2024, attackers have been using compromised accounts to send phishing emails containing links to malicious files hosted on platforms like DropMeFiles and Google Drive.
- VBScript Loaders: These links led to VBScript loaders that downloaded PowerShell scripts. The scripts were designed to search for sensitive files and take screenshots, which were then exfiltrated using cURL.
- NSIS Installers: The attackers also utilized NSIS installers bundled with decoy files and legitimate software like IrfanView to evade detection. Notably, the screenshot functionality shifted to PowerShell starting from 2025.
- Targeted File Types: The malware targeted various file types, including .doc, .pdf, .xls, and .png, among others.
WRECKSTEEL Malware
The primary tool used for stealing files, known as WRECKSTEEL, has versions in both VBScript and PowerShell. Since the stealers are not persistent, any signs of cyberattacks should be reported to CERT-UA immediately for prompt cyber protection measures1.
Indicators of Compromise (IoCs)
The report includes a list of indicators of compromise (IoCs) to help organizations identify and mitigate potential threats1.
Conclusion
The March 2025 cyberattacks on Ukrainian agencies highlight the ongoing threat of sophisticated malware campaigns targeting critical infrastructure. Organizations must remain vigilant and implement robust cybersecurity measures to protect against such threats. For more details, visit the full article.
Additional Resources
For further insights, check:
References
-
CERT-UA (2025-04-04). “CERT-UA Reports Attacks in March 2025 Targeting Ukrainian Agencies with WRECKSTEEL Malware”. CERT-UA. Retrieved 2025-04-04. ↩︎ ↩︎2 ↩︎3 ↩︎4