In a concerning escalation of cyber aggression, Ukraine’s National Cyber Security Incidents Response Team (CERT-UA) has uncovered a sophisticated new campaign by the threat group UAC-0099 targeting government agencies and organizations within Ukraine’s defence-industrial complex.
This latest wave of intrusions highlights the evolving capabilities of state-aligned threat actors and underlines the persistent cyber threat faced by critical infrastructure. According to CERT-UA’s findings, the attackers have introduced a revamped toolkit consisting of three custom malware strains—MATCHBOIL, MATCHWOK, and DRAGSTARE—each playing a distinct role in a carefully crafted multi-stage intrusion chain.
The operation begins with a phishing campaign impersonating legal institutions.
“The attack commences with phishing emails, frequently masquerading as official documents such as ‘court summonses’,” CERT-UA reports.
Victims are lured into clicking a link—often shortened—that leads to a legitimate file-sharing service. The download delivers a ZIP archive containing a malicious HTA file, which initiates the infection chain once executed.
The VBScript embedded in the HTA drops two files on the host: a HEX-encoded payload and a PowerShell loader. A scheduled task ensures their execution, leading to the activation of the first-stage malware.
MATCHBOIL (Loader)
This component acts as the delivery mechanism for the main malware.
“MATCHBOIL collects basic system information… to identify the victim on the command-and-control server. It then downloads the next component of the attack, saves it as a COM file, and creates a registry key to ensure its automatic execution.”
System reconnaissance includes CPU ID, BIOS serial, MAC address, and username.
MATCHWOK (Backdoor)
Once embedded, MATCHWOK gives attackers full remote control through PowerShell.
“Commands are received from the command-and-control server in an encrypted format and are executed via the PowerShell interpreter, which the program first renames and moves.”
The backdoor is hardened with anti-analysis features, including detection of tools like Wireshark, Fiddler, and Procmon, helping it evade security researchers and analysts.
DRAGSTARE (Stealer)
DRAGSTARE is the group’s data-exfiltration engine, designed to steal high-value information from compromised systems.
“This malware conducts comprehensive data collection… including authentication data from Chrome and Firefox, and documents with extensions such as .docx, .pdf, .ovpn, .rdp, and .txt.”
Sensitive files are recursively searched across the desktop, documents, and downloads directories, then zipped and sent to attacker-controlled servers.
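The chain CERT-UA describes leaves host-level traces at each stage: mshta.exe running an .hta straight out of an extracted ZIP, a scheduled task created to run a dropped PowerShell loader, a Run-key autostart pointing at a .com file (MATCHBOIL), and a renamed copy of the PowerShell interpreter (MATCHWOK). The following is an added detection example, not code from CERT-UA or from the malware; the event dictionaries are constructed Sysmon-style records, and all paths, task and value names in them are assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed, Sysmon-like events (not real telemetry) mirroring the stages CERT-UA describes.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\u\AppData\Local\Temp\Temp1_summons.zip\summons.hta"'},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /tn Sync /tr "powershell -ep bypass -f C:\Users\u\AppData\Roaming\ld.ps1"'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "value": r"C:\Users\u\AppData\Roaming\stage2.com"},
    {"type": "process", "image": r"C:\Users\u\AppData\Roaming\host.exe",
     "original_filename": "PowerShell.EXE", "cmdline": "host.exe -nop -w hidden -enc AAAA"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

def _basename(path):
    return PureWindowsPath(path).name.lower()

def hta_from_archive(ev):
    # Stage 1: mshta.exe executing an .hta directly from an extracted ZIP archive.
    return (ev["type"] == "process" and _basename(ev["image"]) == "mshta.exe"
            and re.search(r"\.zip\\[^\"]*\.hta\b", ev["cmdline"], re.I) is not None)

def scheduled_powershell_loader(ev):
    # Stage 1: a scheduled task created to run the dropped PowerShell loader.
    cmd = ev.get("cmdline", "").lower()
    return (ev["type"] == "process" and _basename(ev["image"]) == "schtasks.exe"
            and "/create" in cmd and "powershell" in cmd)

def runkey_to_com_file(ev):
    # Stage 2 (MATCHBOIL): Run-key autostart whose value is a .com file.
    return (ev["type"] == "registry" and r"\currentversion\run" in ev["key"].lower()
            and ev["value"].lower().endswith(".com"))

def renamed_powershell(ev):
    # Stage 3 (MATCHWOK): PE metadata says PowerShell, but the on-disk file name does not.
    return (ev["type"] == "process" and ev.get("original_filename", "").lower() == "powershell.exe"
            and _basename(ev["image"]) not in ("powershell.exe", "pwsh.exe"))

RULES = [hta_from_archive, scheduled_powershell_loader, runkey_to_com_file, renamed_powershell]

def triage(events):
    """Return [(event_index, rule_name)] for every event that matches a rule."""
    return [(i, r.__name__) for i, ev in enumerate(events) for r in RULES if r(ev)]

if __name__ == "__main__":
    for i, name in triage(SAMPLE_EVENTS):
        print(f"event {i}: {name}")
```

Each rule flags one stage on its own; correlating two or more of them on the same host within a short window is what separates this chain from a lone benign .hta or scheduled task.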
With MATCHBOIL, MATCHWOK, and DRAGSTARE, the UAC-0099 group demonstrates a significant leap in both sophistication and modularity.
Organizations operating in sensitive sectors—particularly defense, government, and research—must be especially vigilant.
“The group’s primary targets are the state authorities of Ukraine, units of the Defence Forces, and enterprises operating in the interests of the defence-industrial complex,” CERT-UA emphasized.