
A new wave of cyberattacks has been discovered targeting Ukrainian government agencies. The attackers pose as drone manufacturers and government agencies, sending phishing emails aimed at espionage and data theft.
Since February 2025, an unknown group, dubbed UAC-0226, has been actively attacking the Armed Forces of Ukraine, law enforcement agencies, and local authorities. Most cases have been recorded in the eastern regions, near the Russian border.
Hackers send emails with infected documents whose subjects imitate official notifications about demining, fines, drones, or compensation. The messages are sent from compromised or spoofed mailboxes, which makes the threat harder to detect.
Infection relies on a script hosted on GitHub and on the malware GiftedCrook, which steals browsing history, cookies and passwords from the Chrome, Edge and Firefox browsers. All stolen information is sent automatically to Telegram bots.
In parallel, CERT-UA recorded the activity of another malware family, Wrecksteel. It spreads through public file-sharing services (DropMeFiles, Google Drive) and lets attackers collect documents, photos and presentations and even take screenshots of infected devices.
Such attacks are an example of classic hybrid warfare, where email and social engineering are combined with open tools such as GitHub. The adversary shows a systematic understanding of the internal processes of Ukrainian institutions and uses topics and wording that employees are inclined to trust.
UAC-0226 operates anonymously and automatically, using publicly available tools, which makes detection difficult. The attacks are especially dangerous for strategic facilities located in the high-risk zone. To mitigate the threat, organisations should raise employee awareness, tighten control over email attachments, implement two-factor authentication, and monitor suspicious activity involving Telegram.
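As an added detection example (not from the original report or from CERT-UA), the following script turns the two observable stages described above, an Office application fetching a script from GitHub and a non-browser process uploading to a Telegram bot API endpoint, into simple egress-log rules. The log format with a per-process attribution field and the sample lines are constructed assumptions; the bot token and repository names are placeholders.

```python
import re

# Constructed sample of egress log lines (not real traffic); the format
# "<ts> host=<h> proc=<p> method=<m> url=<u>" with process attribution
# (as an EDR or proxy agent would provide) is an assumption for this example.
SAMPLE_LOGS = [
    "2025-03-03T09:12:01Z host=ws-17 proc=winword.exe method=GET url=https://raw.githubusercontent.com/PLACEHOLDER-ORG/repo/main/stage.ps1",
    "2025-03-03T09:12:40Z host=ws-17 proc=powershell.exe method=POST url=https://api.telegram.org/botPLACEHOLDER_TOKEN/sendDocument",
    "2025-03-03T09:13:05Z host=ws-22 proc=chrome.exe method=GET url=https://web.telegram.org/k/",
    "2025-03-03T09:14:10Z host=ws-09 proc=msedge.exe method=GET url=https://github.com/PLACEHOLDER-ORG/docs",
]

# Processes expected to talk to Telegram or GitHub on a user workstation.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Bot API methods that move data off the host (document/photo/text upload).
TELEGRAM_BOT_RE = re.compile(
    r"^https?://api\.telegram\.org/bot[^/]+/(sendDocument|sendPhoto|sendMessage)")
GITHUB_RE = re.compile(
    r"^https?://(raw\.githubusercontent\.com|gist\.githubusercontent\.com|github\.com)/")

def parse_line(line):
    """Split one log line into a dict of its key=value fields plus 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = ts
    return fields

def find_indicators(lines):
    """Return (host, process, indicator) for each line matching a rule."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        proc = ev["proc"].lower()
        if TELEGRAM_BOT_RE.match(ev["url"]) and proc not in BROWSERS:
            hits.append((ev["host"], proc, "telegram-bot-upload-nonbrowser"))
        if GITHUB_RE.match(ev["url"]) and proc in OFFICE_APPS:
            hits.append((ev["host"], proc, "office-app-github-fetch"))
    return hits

def hosts_with_full_chain(hits):
    """Hosts showing both stages (Office fetch from GitHub, then a non-browser
    upload to a Telegram bot); these deserve immediate triage."""
    by_host = {}
    for host, _, indicator in hits:
        by_host.setdefault(host, set()).add(indicator)
    return sorted(h for h, inds in by_host.items() if len(inds) == 2)
```

Browser traffic to web.telegram.org and ordinary browsing of github.com produce no alert, so the rules stay quiet on normal workstation use while the full chain on one host is escalated.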