The Latest Cyberthreat to Ukraine: HOMESTEEL Malware

Recent Cyber Campaign Targeting Critical Ukrainian Data Repositories: Malware Variant HOMESTEEL by Threat Actor UAC-0218

A recent cyber campaign by the threat actor tracked as UAC-0218 has raised alarms in Ukraine, as a new malware variant named HOMESTEEL targets critical data repositories in the country. Ukraine’s Computer Emergency Response Team (CERT-UA) flagged this offensive, which follows a familiar tactic adversaries use to steal sensitive information from government and business networks.

The phishing methods employed in this campaign involve emails with subject lines like “account” and “details,” leading recipients to a deceptive “eDisk” platform link. Upon clicking, users unwittingly download RAR files containing password-protected documents labeled as “Contract20102024.doc” and “Invoice20102024.xlsx.” A hidden Visual Basic Script file, “Password.vbe,” then triggers HOMESTEEL’s data extraction process.

HOMESTEEL goes beyond traditional malware by selectively targeting specific file types, such as xls, xlsx, doc, and pdf, within user directories. Using HTTP PUT requests, the malware transfers extracted files under 10MB to an external server, an approach that evades detection while maximizing data collection.

Moreover, HOMESTEEL adapts to proxy settings on compromised systems, masking its network traffic and facilitating persistent surveillance. The malware relies on PowerShell commands to perform additional file reconnaissance, scouring directories for specific extensions and transferring files via HTTP POST requests for centralized storage.
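The HTTP PUT stage described above leaves a recognizable pattern in web proxy logs: one client sending several small document uploads to the same external host. The following is an added detection sketch, not code from CERT-UA or the original article; the log format, host names, and alert threshold are constructed, and it assumes the uploaded file name appears in the request path.

```python
from collections import defaultdict
from urllib.parse import urlsplit

TARGET_EXTS = (".xls", ".xlsx", ".doc", ".pdf")  # file types named in the article
MAX_BYTES = 10 * 1024 * 1024                      # article: files under 10MB
MIN_UPLOADS = 3                                   # assumed alert threshold, tune locally

# Constructed sample, assumed format: time client method url request_bytes
SAMPLE_LOG = """\
2024-10-21T09:00:01Z ws-017 PUT http://files.example.net/ws-017/Budget.xlsx 48211
2024-10-21T09:00:02Z ws-017 PUT http://files.example.net/ws-017/Staff.doc 120044
2024-10-21T09:00:03Z ws-017 PUT http://files.example.net/ws-017/Plan.pdf 903112
2024-10-21T09:00:04Z ws-017 PUT http://files.example.net/ws-017/Archive.pdf 12582912
2024-10-21T09:05:10Z ws-022 PUT http://intranet.example.org/share/Report.pdf 20480
2024-10-21T09:06:00Z ws-030 GET http://docs.example.com/manual.pdf 0
truncated entry
"""

def parse_line(line):
    """Return (client, method, host, path, size), or None for malformed lines."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    _, client, method, url, size = parts
    u = urlsplit(url)
    if not u.hostname:
        return None
    return client, method.upper(), u.hostname, u.path.lower(), int(size)

def find_upload_bursts(log_text, min_uploads=MIN_UPLOADS):
    """Map (client, destination host) -> uploaded paths, for pairs at or over the threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip entries that do not match the assumed format
        client, method, host, path, size = rec
        # Keep only PUT uploads of targeted document types below the size ceiling.
        if method == "PUT" and path.endswith(TARGET_EXTS) and 0 < size < MAX_BYTES:
            hits[(client, host)].append(path)
    return {k: v for k, v in hits.items() if len(v) >= min_uploads}

if __name__ == "__main__":
    for (client, host), paths in find_upload_bursts(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {len(paths)} document uploads via PUT")
```
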

The campaign’s infrastructure tactics link it to previous attacks dating back to August 2024, showing a pattern of shared components and domain registrations used for increased efficiency. As Ukraine continues to face evolving cyber threats, CERT-UA’s proactive monitoring of UAC-0218 highlights the importance of detecting and mitigating sophisticated malware campaigns like HOMESTEEL.
