UAC‑0099 Tactics, Techniques, Procedures and Attack Methods Unveiled

UAC‑0099, a sophisticated threat actor group that has been active since at least 2022, continues to pose a significant cybersecurity threat through its evolving cyber-espionage campaigns targeting Ukrainian government agencies, military organizations, and defense-industrial entities.

The group has demonstrated remarkable adaptability across three major operational phases spanning 2023 to 2025, systematically refining its toolkit while maintaining consistent core tactics that have proven effective against its intended targets.

The threat actor’s initial emergence was marked by the deployment of LONEPAGE, a PowerShell-based loader that served as the foundation for their malicious operations throughout 2022 and 2023.

This early incarnation established UAC‑0099’s preference for spear-phishing emails containing malicious attachments, particularly those masquerading as legal documents such as subpoenas or court summons.

The group’s ability to leverage social engineering tactics, combined with their technical sophistication, has enabled them to successfully compromise high-value targets across Ukraine’s critical infrastructure sectors.

By late 2024, UAC‑0099 had significantly evolved their delivery mechanisms, incorporating exploitation of the WinRAR vulnerability CVE-2023-38831 alongside their traditional phishing approaches.

SIMKRA, an analyst and researcher, noted that this transition period marked a crucial shift in the group’s operational methodology, introducing a more complex two-stage loader approach that enhanced their evasion capabilities.

Figure: Campaigns in sequence (Source – Medium)

The attackers began encrypting their PowerShell payloads using 3DES encryption and storing them in files such as app.lib.conf, while utilizing .NET binary components like update.win.app.com to decrypt and execute the malicious code in memory.

The most dramatic transformation occurred in mid-2025 with the introduction of an entirely new C# malware suite comprising MATCHBOIL, MATCHWOK, and DRAGSTARE.

This represents a complete overhaul of their technical infrastructure, demonstrating the group’s commitment to maintaining operational effectiveness despite increasing security awareness and defensive measures.

Figure: Attack flow across different campaigns, same TTPs (PowerShell, Ingress Tool Transfer, Registry Run Keys, Exfiltration, etc.) (Source – Medium)

The new toolkit showcases enhanced sophistication in command and control communications, data exfiltration capabilities, and anti-analysis features designed to thwart security researchers and automated detection systems.

Advanced Persistence and Evasion Mechanisms

UAC‑0099’s persistence tactics reveal a sophisticated understanding of Windows operating system architecture and common administrative practices.

The group consistently employs scheduled tasks as their primary persistence mechanism, creating tasks with deceptively legitimate names such as “OneDriveUpdateCoreFilesStart” and “FileExplorerUpdateTaskMachineCore” that blend seamlessly into typical system maintenance activities.

These tasks are programmed to execute at frequent intervals, often every 3-4 minutes, ensuring continuous malware operation while maintaining a low profile.

The 2025 MATCHBOIL loader exemplifies their advanced obfuscation techniques through its multi-layered encoding approach.

The malware retrieves payloads hidden within seemingly innocuous web content, specifically searching for data embedded between script tags that undergoes both HEX and Base64 decoding.

This technique allows the malware to disguise command and control communications as legitimate web traffic, making detection significantly more challenging for network security monitoring systems.
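As an added illustration (not code from the original article or from any vendor report), the following Python recovers a payload staged the way the article describes: text between script tags that must be hex-decoded and then Base64-decoded. The sample HTML is constructed here by encoding a harmless marker string; the order of the two layers (hex on the outside, Base64 inside) is an assumption, since the article names both steps without stating their sequence.

```python
import base64
import binascii
import re

# Constructed sample: a harmless marker string staged as base64 inside hex,
# hidden between script tags next to an ordinary script. The layer order
# (hex outer, base64 inner) is an assumption, not stated by the article.
PAYLOAD_TEXT = "Write-Host 'stage-2 placeholder'"
_inner = base64.b64encode(PAYLOAD_TEXT.encode()).decode()
_outer = _inner.encode().hex()
SAMPLE_HTML = (
    "<html><body><p>Welcome</p>\n"
    "<script>console.log('hi')</script>\n"
    f"<script type=\"text/javascript\">{_outer}</script>\n"
    "</body></html>"
)

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def extract_script_blobs(html):
    """Return the raw text of every <script>...</script> body in the page."""
    return [m.group(1).strip() for m in SCRIPT_RE.finditer(html)]


def try_decode(blob):
    """Return decoded text if blob is hex(base64(text)), otherwise None.

    Ordinary JavaScript fails the hex check immediately; hex that does not
    wrap valid Base64, or Base64 that is not UTF-8 text, is rejected too.
    """
    if len(blob) % 2 or not HEX_RE.match(blob):
        return None
    try:
        b64 = bytes.fromhex(blob)
        raw = base64.b64decode(b64, validate=True)
        return raw.decode("utf-8")
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None


def recover_payloads(html):
    """Decode every script body that survives both layers; skip the rest."""
    out = []
    for blob in extract_script_blobs(html):
        decoded = try_decode(blob)
        if decoded is not None:
            out.append(decoded)
    return out


if __name__ == "__main__":
    for payload in recover_payloads(SAMPLE_HTML):
        print("recovered:", payload)
```

Run against a captured page body from a proxy or sandbox, the same function lists every script block that decodes cleanly; a legitimate page yields nothing, which makes the decoder usable as a cheap triage check in addition to a recovery tool.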

MATCHBOIL further enhances its stealth capabilities by generating unique host identifiers using CPU ID, BIOS serial numbers, and MAC addresses, which are transmitted via custom HTTP headers labeled “SN” during command and control communications.
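Added example, not from the article: Python detection logic run over a constructed JSON-lines proxy log. It flags requests carrying the custom SN header described above, groups them by value so the stable identifier can be used as a pivot, and measures the spacing between beacons from the same identifier. The log format, the hostnames and the SN values are all constructed; the hex-like shape assumed for the SN value is an assumption about how a hash of CPU ID, BIOS serial and MAC would appear on the wire.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Headers an ordinary client sends; anything else is treated as custom.
COMMON_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "connection", "content-type", "content-length", "cookie", "referer",
    "cache-control", "pragma", "origin", "authorization", "upgrade-insecure-requests",
}
# Assumed shape of a machine-derived identifier (hex digest or GUID-like).
HOST_ID_RE = re.compile(r"^[0-9a-fA-F-]{8,64}$")

# Constructed JSON-lines proxy log (not a real capture).
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": "2025-07-01T10:00:01Z", "src": "10.1.2.3", "host": "cdn-update.example",
     "method": "GET", "uri": "/news.html",
     "headers": {"User-Agent": "Mozilla/5.0", "Accept": "*/*", "SN": "3f9a1c0d7b2e4a6c9d1e"}},
    {"ts": "2025-07-01T10:00:05Z", "src": "10.1.2.4", "host": "www.example.org",
     "method": "GET", "uri": "/",
     "headers": {"User-Agent": "Mozilla/5.0", "Accept": "text/html"}},
    {"ts": "2025-07-01T10:03:02Z", "src": "10.1.2.3", "host": "cdn-update.example",
     "method": "POST", "uri": "/news.html",
     "headers": {"User-Agent": "Mozilla/5.0", "Content-Length": "2048", "SN": "3f9a1c0d7b2e4a6c9d1e"}},
    {"ts": "2025-07-01T10:06:03Z", "src": "10.1.2.3", "host": "cdn-update.example",
     "method": "GET", "uri": "/news.html",
     "headers": {"User-Agent": "Mozilla/5.0", "SN": "3f9a1c0d7b2e4a6c9d1e"}},
])


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def custom_headers(record):
    """Headers outside the common set, keyed case-insensitively."""
    return {k.lower(): v for k, v in record["headers"].items() if k.lower() not in COMMON_HEADERS}


def find_sn_beacons(records):
    """Requests carrying an SN header whose value looks like a host identifier."""
    hits = []
    for r in records:
        sn = custom_headers(r).get("sn")
        if sn and HOST_ID_RE.match(sn):
            hits.append({"ts": r["ts"], "src": r["src"], "host": r["host"], "sn": sn})
    return hits


def pivot_by_sn(hits):
    """One SN value, many requests, one stable source: the pivot to the infected host."""
    groups = defaultdict(list)
    for h in hits:
        groups[h["sn"]].append(h)
    return {
        sn: {"sources": sorted({h["src"] for h in g}),
             "dests": sorted({h["host"] for h in g}),
             "count": len(g)}
        for sn, g in groups.items()
    }


def beacon_intervals(hits):
    """Seconds between consecutive requests sharing an SN value (beacon cadence)."""
    by_sn = defaultdict(list)
    for h in hits:
        by_sn[h["sn"]].append(datetime.fromisoformat(h["ts"].replace("Z", "+00:00")))
    return {
        sn: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
        for sn, ts in ((sn, sorted(ts)) for sn, ts in by_sn.items())
    }


if __name__ == "__main__":
    beacons = find_sn_beacons(parse_log(SAMPLE_LOG))
    print(pivot_by_sn(beacons))
    print(beacon_intervals(beacons))
```

The cadence output is the useful part: a fixed gap of roughly three minutes between requests sharing one identifier lines up with the scheduled-task intervals the article reports, so the header and the timing corroborate each other rather than relying on the header name alone.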

The group’s masquerading techniques extend beyond simple filename obfuscation to include strategic placement of malicious files in directories that mimic legitimate system locations.

Files are commonly stored in paths such as %LOCALAPPDATA%\DevicesMonitor and %APPDATA%\Microsoft\Windows\Templates, leveraging user familiarity with Microsoft’s directory structures to avoid suspicion.
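Added example (not the article's or any project's own code) covering both the scheduled-task persistence described earlier and the profile-directory paths just above: Python that parses an exported Task Scheduler XML definition, converts the ISO 8601 repetition interval, and flags tasks that fire every few minutes from a script host or from %APPDATA%/%LOCALAPPDATA% while carrying a vendor-style name. The two task definitions are constructed, modelled on the names and paths in the article; the element layout follows the Task Scheduler XML schema but omits the UTF-16 declaration real exports carry. On a host, `Export-ScheduledTask -TaskName <name>` produces XML of this shape.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample modelled on the task names and paths in the article
# (not a real capture); element layout follows the Task Scheduler schema.
SUSPICIOUS_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\OneDriveUpdateCoreFilesStart</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT3M</Interval></Repetition>
      <StartBoundary>2025-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-w hidden -ep bypass -f "%APPDATA%\Microsoft\Windows\Templates\update.ps1"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign counterpart: a weekly maintenance task from a system path.
BENIGN_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-01-01T01:00:00</StartBoundary>
      <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>-c -h -k -g</Arguments>
    </Exec>
  </Actions>
</Task>"""

DURATION_RE = re.compile(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_PATH_RE = re.compile(r"%(LOCAL)?APPDATA%|\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
VENDOR_NAME_RE = re.compile(r"onedrive|microsoft|windows|explorer|update", re.IGNORECASE)
SHORT_INTERVAL_SECONDS = 5 * 60  # threshold chosen here; article reports 3-4 minute cadence


def interval_seconds(iso):
    """Convert an ISO 8601 duration such as PT3M or P1DT2H to seconds; None if malformed."""
    m = DURATION_RE.fullmatch(iso.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def analyze_task(xml_text):
    """Return the task's name, cadence, action and a list of reason codes for suspicion."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    interval_el = root.find(".//t:Repetition/t:Interval", NS)
    interval = interval_seconds(interval_el.text) if interval_el is not None and interval_el.text else None
    command = root.findtext(".//t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    arguments = root.findtext(".//t:Actions/t:Exec/t:Arguments", default="", namespaces=NS)

    reasons = []
    if interval is not None and interval <= SHORT_INTERVAL_SECONDS:
        reasons.append("short_interval")
    exe = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe in SCRIPT_HOSTS:
        reasons.append("script_host")
    if USER_PATH_RE.search(command + " " + arguments):
        reasons.append("user_profile_path")
    # A vendor-sounding name is only suspicious together with a non-vendor action.
    if VENDOR_NAME_RE.search(uri) and ("script_host" in reasons or "user_profile_path" in reasons):
        reasons.append("vendor_name_masquerade")
    return {"name": uri, "interval_seconds": interval, "command": command,
            "arguments": arguments, "reasons": reasons}


if __name__ == "__main__":
    for xml_text in (SUSPICIOUS_TASK_XML, BENIGN_TASK_XML):
        print(analyze_task(xml_text))
```

The benign task scores no reasons even though its name contains "Microsoft" and "Windows", because the masquerade rule only fires when the name and the action disagree; that pairing is what separates the article's lookalike tasks from the many legitimate vendor tasks on a normal host.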

Additionally, UAC‑0099 demonstrates awareness of security tool detection by incorporating anti-analysis checks for common debugging and monitoring processes including idaq, fiddler, wireshark, and ollydbg, causing their malware to modify behavior or terminate when such tools are detected.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.