Stratos Ally

Social Engineering and Malware: A Deep Dive Into Recent Cyberattacks on Ukraine and Russia  

StratosAlly

The Computer Emergency Response Team of Ukraine (CERT-UA) reported that attackers carried out at least three cyberattacks against Ukrainian state administration bodies and critical infrastructure facilities. The aim of the attacks was to steal sensitive information.

According to the agency, the attackers used compromised email accounts to send phishing emails containing links to legitimate file-sharing services such as DropMeFiles and Google Drive. In some cases, the links were embedded inside PDF attachments rather than placed in the email body.

The emails created a false sense of urgency to pressure recipients into acting. They claimed that a Ukrainian government agency was planning to cut salaries and urged recipients to click the link to see the list of affected employees.

When a victim opens the link, a malicious Visual Basic Script (VBS) file is downloaded. Once run, that script launches a PowerShell script that searches the computer for files of specific types and captures screenshots of the infected machine.
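The chain described above (a downloaded .vbs executed by the Windows script host, which in turn spawns PowerShell) leaves a distinctive parent/child trace in process-creation telemetry. The following is an added example, not code from CERT-UA or from this article: a small detector that walks constructed, Sysmon-like process-creation events and flags powershell.exe whose parent is wscript.exe or cscript.exe, reporting the full process lineage and whether the PowerShell command line used common hiding switches. The pipe-separated log layout, the file paths and the sample events are all assumptions made up for the example.

```python
"""
Added example: detect a script-host -> PowerShell execution chain
(the pattern described for the WRECKSTEEL phishing campaign) in
process-creation logs. Everything below, including the log format and
the sample events, is constructed for this example and is not taken
from the CERT-UA report or the original article.
"""
import re
from dataclasses import dataclass

# Constructed sample events in an assumed layout: ts|pid|ppid|image|cmdline
# The VBS name and the download folder are invented for illustration.
SAMPLE_EVENTS = r"""
10:01:02|4120|3300|C:\Program Files\Mozilla Firefox\firefox.exe|firefox.exe
10:01:40|4188|4120|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\u\Downloads\list_of_employees.vbs
10:01:41|4202|4188|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden -ep bypass -enc SQBFAFgA
10:05:10|4300|3300|C:\Windows\System32\notepad.exe|notepad.exe
10:06:00|4400|4300|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-Date
"""

# Parents that indicate a script file (VBS/JS) launched the PowerShell stage.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Switches commonly used to hide or bypass policy for a PowerShell stage:
# hidden window, execution-policy bypass, or a base64-encoded command.
PS_EVASION = re.compile(
    r"(?i)(-w(indowstyle)?\s+hidden"
    r"|-e(p|xecutionpolicy)\s+bypass"
    r"|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,})"
)


@dataclass
class Event:
    ts: str
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        """Lower-cased image file name without its directory."""
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> dict:
    """Parse pipe-separated events into a pid -> Event map."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, ppid, image, cmdline = line.split("|", 4)
        ev = Event(ts, int(pid), int(ppid), image, cmdline)
        events[ev.pid] = ev
    return events


def lineage(events: dict, ev: Event, max_depth: int = 10) -> str:
    """Return 'ancestor > ... > process' by following ppid links."""
    names = [ev.name]
    cur = ev
    for _ in range(max_depth):  # bounded walk guards against pid reuse loops
        cur = events.get(cur.ppid)
        if cur is None:
            break
        names.append(cur.name)
    return " > ".join(reversed(names))


def detect_script_to_powershell(events: dict) -> list:
    """Flag PowerShell processes whose direct parent is a script host."""
    findings = []
    for ev in events.values():
        if ev.name not in POWERSHELL_IMAGES:
            continue
        parent = events.get(ev.ppid)
        if parent is None or parent.name not in SCRIPT_HOSTS:
            continue
        findings.append({
            "ts": ev.ts,
            "pid": ev.pid,
            "chain": lineage(events, ev),
            "parent_cmd": parent.cmdline,
            "evasion_flags": bool(PS_EVASION.search(ev.cmdline)),
        })
    return findings


if __name__ == "__main__":
    for f in detect_script_to_powershell(parse_events(SAMPLE_EVENTS)):
        print(f)
```

Only the PowerShell instance spawned by wscript.exe is reported; the benign powershell.exe started from notepad.exe is ignored, which is why the parent check rather than a bare "powershell.exe was launched" rule is the useful signal here. In a real deployment the same logic maps directly onto Sysmon Event ID 1 or EDR process-creation events.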

These attacks are attributed to a threat cluster tracked as UAC-0219, which has been active since at least fall 2024. Earlier intrusions by the cluster relied on a different toolset, including executable (EXE) files, a separate VBS stealer, and the legitimate image editor IrfanView, which was abused as part of the attack chain.

CERT-UA tracks the malicious VBS script and its PowerShell payload together under the name WRECKSTEEL. Which country or group is behind the attacks remains unclear.

Separately, the cybersecurity company Kaspersky has warned that a hacking group known as Head Mare is targeting Russian organizations. The group is using a malware family called PhantomPyramid, which gives attackers remote control of infected computers and lets them install additional tools such as the MeshAgent remote-management agent.

Another group, Unicorn, has been targeting Russian energy companies, industrial enterprises, and organizations that supply and develop electronic components. Its phishing emails deliver a malicious VBS trojan that exfiltrates files and images from infected computers.

Meanwhile, SEQRITE Labs reported that Russian organizations, including universities, government offices, and defense companies, are being targeted with malicious documents attached to phishing emails. The campaign, tracked as Operation HollowQuill, is believed to have started in December 2024.

The attackers rely on social engineering: the malicious PDF files are dressed up as official research invitations or government correspondence so that recipients are more likely to open them.

Security researcher Subhajeet Singha explained that the attackers send a RAR archive containing a .NET malware dropper, a shellcode loader, a legitimate OneDrive application, a decoy PDF, and a Cobalt Strike payload, a post-exploitation tool that lets the attackers control the compromised computer.

The whole chain is designed to infect the victim's system silently while the victim believes they have simply opened an ordinary document.