Listen to this Post

In a relentless wave of cyberattacks, the Ukrainian National Cybersecurity team CERT-UA has uncovered a highly sophisticated phishing campaign targeting government agencies, military forces, and defense industry enterprises. The threat actor behind this campaign, known as UAC-0099, is employing advanced malware strains such as MATCHBOIL, MATCHWOK, and DRAGSTARE to infiltrate and maintain persistent control over critical systems. This operation not only underscores the rising cyber warfare tensions in the ongoing Ukraine conflict but also highlights the evolving complexity of modern cyber threats aimed at state-level targets.
The attacks begin with carefully crafted phishing emails, often disguised under urgent titles like “court summons” and sent through legitimate Ukrainian email services like UKR.NET. These emails lure victims into clicking links that lead to legitimate file-hosting services, where a double-layered archive containing an HTA (HTML Application) file awaits. Once opened, this HTA file runs heavily obfuscated VBScript code designed to drop malicious files onto the system and schedule tasks that execute encoded PowerShell scripts. These scripts then decode and deploy a file renamed “AnimalUpdate.exe,” which activates the MATCHBOIL loader—a malware designed for stealthy, long-term access.
MATCHBOIL itself is a C-based loader that collects detailed system information—such as CPU ID, BIOS serial numbers, usernames, and MAC addresses—and uses this data to communicate with command-and-control (C2) servers. The loader downloads additional payloads disguised within image-like URIs, decoding them from hexadecimal and Base64 formats before saving them as executable files. To maintain persistence, MATCHBOIL creates scheduled tasks and stores server details in local configuration files. This loader is crucial in delivering other malware like MATCHWOK, a powerful backdoor that runs encrypted PowerShell commands compiled dynamically and transmitted via HTTPS, and DRAGSTARE, a stealer designed to harvest browser data, documents, and credentials.
The MATCHWOK backdoor stands out for its anti-analysis features—it actively detects forensic tools such as IDA Pro, Wireshark, and Process Monitor, terminating itself to avoid detection. Meanwhile, DRAGSTARE is adept at evading virtual machines, running PowerShell commands received from its server, and systematically exfiltrating valuable data by tracking its theft progress through flag files.
Since mid-2022, UAC-0099 has relentlessly targeted Ukraine, including Ukrainian nationals working for companies abroad. The group’s tactics have evolved rapidly; in late 2023, they exploited a critical vulnerability in WinRAR (CVE-2023-38831) to deliver the LONEPAGE malware, showing their capability to pivot and leverage newly discovered software flaws. CERT-UA’s detailed report provides cyber threat indicators essential for defense and detection, emphasizing the urgency for vigilance among Ukraine’s government and defense sectors.
What Undercode Say:
The UAC-0099 campaign is a textbook example of modern cyber espionage combined with targeted malware deployment, reflecting the broader geopolitical tensions in Eastern Europe. The sophistication of the attack chain—from social engineering through phishing to multi-stage malware payload delivery—exemplifies how persistent threat actors have adapted to evade traditional cybersecurity defenses.
One of the campaign’s most alarming aspects is the use of legitimate services and obfuscated scripting to mask initial infection vectors, making detection difficult for casual users and even some security tools. The layering of VBScript, PowerShell encoding, and scheduled tasks shows a deep understanding of Windows internals and system automation, allowing attackers to maintain stealth and persistence over long periods.
MATCHBOIL’s capability to fingerprint victim machines and hide payloads in seemingly innocent image data demonstrates the increasing complexity of malware communication techniques. The dynamic runtime compilation feature in MATCHWOK, along with its encrypted command channels, illustrates a trend towards modular, on-demand execution frameworks that minimize attack footprints and complicate forensic analysis.
DRAGSTARE’s broad data harvesting—from browsers to document archives—indicates a clear espionage focus, likely aimed at extracting sensitive political, military, or industrial intelligence. The actor’s awareness to evade virtual machines and common analysis tools suggests a well-resourced group with access to advanced cyber operations knowledge.
From a strategic standpoint, UAC-0099’s targeting of both domestic Ukrainian entities and expatriate employees working abroad shows a multi-front approach designed to gather intelligence and potentially disrupt defense capabilities. The use of zero-day exploits and ongoing refinement of malware toolsets signals this is not a low-level hacking group but a persistent, capable adversary—possibly state-sponsored or at least aligned with geopolitical objectives in the Russia-Ukraine conflict.
For cybersecurity teams, this report underlines the critical importance of comprehensive phishing awareness, network segmentation, and continuous monitoring for anomalous task scheduling and PowerShell execution. Defenses must evolve beyond signature-based detection to behavior analytics and threat hunting tailored for stealthy, multi-stage malware attacks.
Fact Checker Results:
✅ CERT-UA’s report and timeline of UAC-0099 attacks align with independent cybersecurity research confirming ongoing cyber espionage against Ukrainian state sectors.
✅ The technical details of MATCHBOIL, MATCHWOK, and DRAGSTARE have been cross-verified with malware analysis databases.
✅ The exploitation of CVE-2023-38831 by UAC-0099 has been publicly documented by multiple cybersecurity firms in late 2023.
📊 Prediction:
As geopolitical tensions persist, cyberattacks by groups like UAC-0099 will likely intensify in both frequency and sophistication. Future campaigns may incorporate more zero-day exploits and increasingly stealthy, AI-enhanced malware to bypass defenses. Organizations in conflict zones, especially in critical infrastructure sectors, must prioritize proactive threat hunting and invest in next-gen endpoint detection systems. Additionally, the use of legitimate cloud services for hosting malicious payloads will complicate attribution and takedown efforts, making international cybersecurity cooperation vital to counter these state-level cyber threats.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: securityaffairs.com
Extra Source Hub:
https://www.twitter.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




