Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

CERT-UA reports attacks in March 2025 targeting Ukrainian agencies with WRECKSTEEL Malware

CERT-UA reported three cyberattacks targeting Ukraine’s state agencies and critical infrastructure to steal sensitive data. The Computer Emergency Response Team of Ukraine (CERT-UA) reported three cyberattacks in March 2025 targeting Ukrainian agencies and infrastructure to steal sensitive data. This activity is tracked under the identifier UAC-0219. “The Ukrainian government’s computer emergency response team, CERT-UA, is […]

CERT-UA

CERT-UA reported three cyberattacks targeting Ukraine’s state agencies and critical infrastructure to steal sensitive data.

The Computer Emergency Response Team of Ukraine (CERT-UA) reported three cyberattacks in March 2025 targeting Ukrainian agencies and infrastructure to steal sensitive data. This activity is tracked under the identifier UAC-0219.

“The Ukrainian government’s computer emergency response team, CERT-UA, is taking systematic measures to accumulate and analyze data on cyber incidents in order to provide up-to-date information on cyber threats.” reads the report published by CERT-UA. “Thus, during March 2025, at least three cyberattacks were recorded against government agencies and critical infrastructure facilities of Ukraine, aimed at collecting and stealing information from computers using appropriate software tools.”

Since fall 2024, threat actor used compromised accounts to send emails with links (e.g., DropMeFiles, Google Drive) leading to VBScript loaders that download PowerShell scripts. These scripts search for sensitive files and take screenshots for exfiltration via cURL. Attackers used NSIS installers with decoy files and IrfanView. Notably, from 2025 onwards, the screenshot functionality shifted to being powered by PowerShell. Targets included file types like .doc, .pdf, .xls, .png, and more.

The primary tool used for stealing files, tracked as WRECKSTEEL, has versions in VBScript and PowerShell. Since the stealers are not persistent, any signs of cyberattacks should be reported to CERT-UA immediately for prompt cyber protection measures.

CERT-UA

The report includes indicators of compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)