UAC-0219 Hackers Using PowerShell Stealer WRECKSTEEL to Steal Information from Computers

Ukrainian government agencies and critical infrastructure are facing targeted cyberattacks from the threat actor UAC-0219, which is using the information stealer WRECKSTEEL. CERT-UA researchers documented the campaign in March 2025, recording at least three significant attacks against Ukrainian government entities.

The campaign distributes phishing emails carrying links to public file-sharing services such as DropMeFiles and Google Drive. The links are often embedded in official-looking PDF attachments whose names suggest important documents, such as employee lists or work schedules. When a victim clicks a link, a VBScript loader (typically carrying a .js extension) is downloaded; it then deploys a PowerShell script that searches the host for sensitive files.

The PowerShell script uploads the collected files to command-and-control servers at several identified IP addresses, including 172.86.114.149, 167.88.167.254 and 45.61.157.179, creating a persistent data exfiltration channel that threatens Ukrainian national security.

CERT-UA's analysis shows the tooling has evolved since fall 2024: early variants relied on the IrfanView graphics editor to capture screenshots, while the 2025 versions implement screenshot capture natively in PowerShell.

WRECKSTEEL represents a significant cyber-espionage threat aimed specifically at Ukrainian organizations. Organizations should deploy controls to detect suspicious email attachments and monitor outbound connections to the identified command-and-control infrastructure.

About the author: Tushar is a cyber security content editor at Cyber Security News with years of experience covering cyber security, technology and related news.
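The two defensive checks the article recommends, monitoring outbound traffic to the published C2 addresses and catching the loader chain, can be expressed as a small hunting script. The following is an added example written for this page, not code from the article or from CERT-UA. It assumes a Windows Script Host process (wscript.exe or cscript.exe) is what executes the .js loader before PowerShell starts, which the article does not state explicitly, and both log formats and all log lines are constructed for the example.

```python
"""Hunt for WRECKSTEEL-style activity in constructed log samples.

Two checks drawn from the article: outbound flows to the three published
C2 addresses, and a script host (the assumed runner of the .js/VBScript
loader) spawning PowerShell. Every log line below is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# C2 addresses published in the CERT-UA reporting the article summarises.
WRECKSTEEL_C2 = frozenset(
    ipaddress.ip_address(ip)
    for ip in ("172.86.114.149", "167.88.167.254", "45.61.157.179")
)

# Assumption: Windows Script Host executes the .js loader, which then starts PowerShell.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed firewall export: timestamp, source, destination:port, action.
FIREWALL_LOG = """\
2025-03-27T09:12:01Z 10.0.4.17 -> 172.86.114.149:443 ALLOW
2025-03-27T09:12:03Z 10.0.4.17 -> 142.250.74.206:443 ALLOW
2025-03-27T09:13:40Z 10.0.4.22 -> 45.61.157.179:8080 ALLOW
2025-03-27T09:14:02Z 10.0.4.30 -> 167.88.167.254:443 DENY
"""

# Constructed process-creation events: timestamp, host, parent image, child image.
PROCESS_LOG = """\
2025-03-27T09:11:58Z WS017 explorer.exe wscript.exe
2025-03-27T09:11:59Z WS017 wscript.exe powershell.exe
2025-03-27T09:30:10Z WS022 explorer.exe powershell.exe
2025-03-27T09:31:00Z WS030 cscript.exe powershell.exe
"""

FW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (ALLOW|DENY)$")
PROC_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


@dataclass(frozen=True)
class Finding:
    when: str
    host: str
    detail: str


def find_c2_connections(log_text):
    """Return a Finding for every flow whose destination is a known C2 address.

    Denied flows are reported as well: a blocked beacon still means the
    loader executed on that host and it needs triage.
    """
    findings = []
    for line in log_text.splitlines():
        m = FW_RE.match(line.strip())
        if not m:
            continue  # skip malformed or unrelated lines
        when, src, dst, port, action = m.groups()
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # hostname or junk in the destination field
        if dst_ip in WRECKSTEEL_C2:
            findings.append(Finding(when, src, f"{action} to C2 {dst}:{port}"))
    return findings


def find_loader_chains(log_text):
    """Return a Finding where a script host is the direct parent of PowerShell."""
    findings = []
    for line in log_text.splitlines():
        m = PROC_RE.match(line.strip())
        if not m:
            continue
        when, host, parent, child = m.groups()
        if parent.lower() in SCRIPT_HOSTS and child.lower() in POWERSHELL:
            findings.append(Finding(when, host, f"{parent} spawned {child}"))
    return findings


if __name__ == "__main__":
    for f in find_c2_connections(FIREWALL_LOG) + find_loader_chains(PROCESS_LOG):
        print(f"{f.when} {f.host}: {f.detail}")
```

The parent/child check is the more durable of the two: the IP addresses are useful for retro-hunting this campaign but will rot as the actor moves infrastructure, whereas a script host starting PowerShell is rare on well-managed workstations and survives a change of C2.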

This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 03 Apr 2025 16:30:16 +0000

