Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareUsed by 1 actor

WRECKSTEEL

WRECKSTEEL is a PowerShell-based stealer/backdoor malware used in 2025 cyber-espionage campaigns against Ukraine and attributed by CERT-UA to the threat cluster UAC-0219. Reporting describes it as part of a short-duration "Steal & Go" intrusion model focused on rapid data theft rather than long-term persistence. It has been observed stealing data, taking screenshots, and exfiltrating sensitive information. Multiple sources in the provided content state that its PowerShell scripts were likely generated or assisted by AI tools. Delivery is described as phishing-driven: compromised email accounts sent messages containing links to legitimate services such as DropMeFiles and Google Drive, sometimes embedded in PDF attachments, and WRECKSTEEL was also delivered by a VBS script attached to or triggered by a malicious phishing message. The malware has been used against Ukrainian state administration bodies, critical infrastructure facilities, critical sectors, and the Ukrainian armed forces. The content consistently associates WRECKSTEEL with Russian state-backed cyber activity targeting Ukraine, especially during March 2025 and the first half of 2025. No specific file hashes or other unique IoCs for WRECKSTEEL are provided in the content.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
UAC-0219

UAC-0219 VBS → PS stealer (WRECKSTEEL) Partial, no LNK component

via breakglass intelintel.breakglass.tech
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Impact

1 technique
T1485Data DestructionEvidence1

Several intrusions led to the deployment of destructive wiper malware... Malware ZEROLOT Wiper malware linked to Sandworm Malware PathWiper Wiper malware targeting Ukrainian organizations

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app
cyber security newsNews
May 22, 2026
Russian Threat Groups Use RDP, VPN, Supply Chain Attacks, and Social Engineering for Initial Access

Destructive and exfiltration malware used in 2025 campaigns.

Read more
breakglass intelNews
Mar 5, 2026
Dissecting a Ukraine-Targeted LNK Campaign: Cyrillic Homoglyphs, Fileless PowerShell, and Bulletproof Hosting - Breakglass Intelligence - Breakglass Intelligence

Stealer malware referenced in comparison to another campaign using a VBS to PowerShell chain.

Read more
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

Malware used in phishing-driven attacks against Ukrainian state administration bodies and critical infrastructure to steal sensitive data.

Read more
securityaffairsNews
Oct 10, 2025
Ukraine sees surge in AI-Powered cyberattacks by Russia-linked Threat Actors

WRECKSTEEL is a stealer malware used to exfiltrate data and take screenshots from infected systems. It is likely enhanced with AI-generated PowerShell scripts for improved evasion or automation.

Read more
+5 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping1

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.