Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Ukraine warns of new malware campaign using fake court summons

Written by Farah Amod | August 26, 2025

CERT-UA has issued a new alert about targeted phishing attacks against Ukraine’s defense and government sectors that deliver malware through malicious files reached via links in the emails.

 

What happened

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about a wave of cyberattacks by the threat actor UAC-0099. The group targets Ukrainian government agencies, defense forces, and defense-related enterprises using phishing emails designed to look like court summons notifications.

These phishing emails, sent from UKR.NET addresses, include shortened links (via services like Cuttly) that direct users to double-archived files containing HTA (HTML Application) files. When executed, the HTA file launches an obfuscated Visual Basic Script, which creates a scheduled task for persistence and then runs a C#-based loader called MATCHBOIL. MATCHBOIL proceeds to deploy two additional malware tools: MATCHWOK (a backdoor) and DRAGSTARE (an information stealer).
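The chain described above (mshta.exe opening an HTA from a user-writable folder, a script host spawned by mshta.exe, and a scheduled task created by that script host) is the kind of sequence process-creation telemetry can catch before the loader runs. The following is an added defender-side example, not code from CERT-UA or the original post: it runs three simple rules over constructed Sysmon-style process-creation lines. The field layout, file paths and task name are all constructed for illustration.

```python
"""Flag an HTA -> script host -> scheduled task chain in process-creation logs.

Added example; the log lines below are constructed, not real telemetry.
"""
import re
from pathlib import PureWindowsPath

# Constructed events in a simplified "key=value|key=value" Sysmon-like layout.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\mshta.exe"
    "|CommandLine=mshta.exe C:\\Users\\u\\Downloads\\summons\\summons.hta",
    "ParentImage=C:\\Windows\\System32\\mshta.exe|Image=C:\\Windows\\System32\\wscript.exe"
    "|CommandLine=wscript.exe //e:vbscript C:\\Users\\u\\AppData\\Local\\Temp\\x.vbs",
    "ParentImage=C:\\Windows\\System32\\wscript.exe|Image=C:\\Windows\\System32\\schtasks.exe"
    "|CommandLine=schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\u\\AppData\\Roaming\\ld.exe",
    # Benign noise: a browser launch and a scheduled-task query from a service host.
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe"
    "|CommandLine=firefox.exe",
    "ParentImage=C:\\Windows\\System32\\svchost.exe|Image=C:\\Windows\\System32\\schtasks.exe"
    "|CommandLine=schtasks.exe /query",
]

# Interpreters that a legitimate HTA launch almost never needs to spawn.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}

# Paths a phished user can write to: Downloads, AppData, or any Temp folder.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(downloads|appdata)|temp)\\", re.I)


def parse_event(line: str) -> dict:
    """Split one constructed event line into parent/image basenames and the command line."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return {
        "parent": PureWindowsPath(fields["ParentImage"]).name.lower(),
        "image": PureWindowsPath(fields["Image"]).name.lower(),
        "cmdline": fields["CommandLine"],
    }


def detect(events: list[str]) -> list[tuple[str, int]]:
    """Return (rule_name, event_index) for every event that matches a rule."""
    findings = []
    for idx, line in enumerate(events):
        ev = parse_event(line)
        cmd_lower = ev["cmdline"].lower()

        # Rule 1: mshta.exe running an .hta that sits in a user-writable location.
        if ev["image"] == "mshta.exe" and ".hta" in cmd_lower and USER_WRITABLE.search(ev["cmdline"]):
            findings.append(("hta_launched_from_user_dir", idx))

        # Rule 2: mshta.exe as the parent of a script interpreter (the VBS stage).
        if ev["parent"] == "mshta.exe" and ev["image"] in SCRIPT_HOSTS:
            findings.append(("mshta_spawned_script_host", idx))

        # Rule 3: schtasks /create from a script host, or pointing at a user-writable binary.
        if (ev["image"] == "schtasks.exe" and "/create" in cmd_lower
                and (ev["parent"] in SCRIPT_HOSTS or USER_WRITABLE.search(ev["cmdline"]))):
            findings.append(("script_host_created_scheduled_task", idx))
    return findings


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule}: event {idx}")
```

Each rule fires on one stage of the chain, so a single hit is a lead and three hits in sequence on one host is a high-confidence alert; the benign `schtasks /query` and browser launch produce nothing.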

 

Going deeper

UAC-0099 was first documented by CERT-UA in 2023 and has a known history of espionage targeting Ukrainian organizations. In previous campaigns, the group exploited vulnerabilities like CVE-2023-38831 in WinRAR to deliver malware such as LONEPAGE.

In this new campaign, MATCHWOK allows attackers to execute PowerShell commands and send the results to a remote server, enabling remote access and control. DRAGSTARE is designed to steal browser data, documents, screenshots, and system information, as well as execute attacker-supplied PowerShell commands.

These tools give attackers extensive access to compromised machines and demonstrate advanced malware engineering using C#.

 

What was said

CERT-UA has urged organizations within Ukraine’s public and defense sectors to remain vigilant against phishing lures disguised as legal correspondence. Security researchers also note the continued evolution of UAC-0099’s techniques and toolset.

The warning from CERT-UA comes shortly after a separate report from ESET detailing Gamaredon’s 2024 campaigns, which also used spear-phishing and HTA-based payloads to deploy a suite of custom malware designed for persistence and stealth.

 

The big picture

According to The Hacker News, ESET still considers Gamaredon “a significant threat actor” despite capacity limits and the retirement of older tools, citing its “continuous innovation, aggressive spearphishing campaigns, and persistent efforts to evade detections.” The same persistence and adaptability are evident in UAC-0099’s latest activity, underscoring the sustained cyberespionage pressure facing Ukraine’s government and defense sectors.

 

FAQs

What is an HTA file, and why is it used in cyberattacks?

An HTA (HTML Application) file is a Windows file that combines HTML with script code (typically VBScript or JScript) and runs as a local application rather than as a sandboxed web page. Because the embedded script runs with the launching user’s privileges and outside the browser’s security restrictions, attackers use it to execute malicious scripts directly on the target system.

 

How does the MATCHBOIL malware work?

MATCHBOIL is a C#-based loader that installs further malware onto the victim’s system. It’s designed to establish persistence and enable data exfiltration through tools like MATCHWOK and DRAGSTARE.

 

What role do URL shorteners play in these attacks?

Shortened URLs (e.g., via Cuttly) are used to disguise malicious links in phishing emails, making it harder for recipients and security systems to detect the threat.
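Because a shortened link hides its destination, mail-gateway triage should expand it and look at where it lands before anyone clicks. The following is an added example, not code from the original post: it extracts links from a constructed phishing-style email body, flags those on known shortener domains, follows their redirect chain hop by hop with a loop and hop limit, and notes whether the final target is an archive. The redirect lookup is injected so the example runs offline against a constructed table; a real deployment would issue HEAD requests from an isolated host and never fetch or open the file. The `.invalid` domains and the email text are constructed.

```python
"""Triage shortened links in an email body by expanding their redirect chain.

Added example; the email body and redirect table below are constructed.
"""
import re
from typing import Callable, Optional
from urllib.parse import urlsplit

# Shortener hosts to expand (Cuttly's public domain is cutt.ly; the rest are common services).
SHORTENER_DOMAINS = {"cutt.ly", "bit.ly", "tinyurl.com", "t.co"}
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z", ".iso", ".img")
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed email body imitating the lure described in the article.
SAMPLE_BODY = (
    "Dear recipient, you are summoned to appear before the court.\n"
    "Download the summons: https://cutt.ly/example-summons\n"
    "Court portal: https://court.example.invalid/info\n"
)

# Constructed redirect table standing in for HEAD responses: url -> (status, Location).
FAKE_REDIRECTS = {
    "https://cutt.ly/example-summons": (302, "https://files.example.invalid/summons.zip"),
    "https://files.example.invalid/summons.zip": (200, None),
}

Fetcher = Callable[[str], tuple[int, Optional[str]]]


def fake_head(url: str) -> tuple[int, Optional[str]]:
    """Offline stand-in for a HEAD request that does not follow redirects."""
    return FAKE_REDIRECTS.get(url, (200, None))


def extract_urls(text: str) -> list[str]:
    """Pull http(s) URLs out of free text, dropping trailing punctuation."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(text)]


def is_shortener(url: str) -> bool:
    host = (urlsplit(url).hostname or "").lower()
    return host in SHORTENER_DOMAINS


def resolve_chain(url: str, fetch_head: Fetcher, max_hops: int = 5) -> list[str]:
    """Follow Location headers one hop at a time; stop on a loop or the hop cap."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch_head(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            break
        chain.append(location)
        if location in seen:  # redirect loop: record it and stop
            break
        seen.add(location)
    return chain


def triage_email(body: str, fetch_head: Fetcher) -> list[dict]:
    """Report each link with its expanded destination and archive indicator."""
    report = []
    for url in extract_urls(body):
        chain = resolve_chain(url, fetch_head) if is_shortener(url) else [url]
        final = chain[-1]
        report.append({
            "url": url,
            "shortener": is_shortener(url),
            "final": final,
            "hops": len(chain) - 1,
            "archive": urlsplit(final).path.lower().endswith(ARCHIVE_SUFFIXES),
        })
    return report


if __name__ == "__main__":
    for entry in triage_email(SAMPLE_BODY, fake_head):
        print(entry)
```

A shortened link that resolves to an archive download is exactly the pattern in this campaign (the double-archived HTA), so gateways can quarantine or rewrite such messages on that combination rather than on the shortener alone, which would also catch legitimate mail.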

 

How does this campaign compare to previous attacks by UAC-0099 or Gamaredon?

Both groups rely on phishing and script-based delivery methods, but UAC-0099 uses newer C# malware and HTA payloads, while Gamaredon relies more heavily on PowerShell and VBScript tools with long-term espionage objectives.