UAC-0099 Hackers Weaponize HTA Files to Deploy MATCHBOIL Loader Malware
UAC-0099 is a threat actor that has been targeting state officials, defense forces, and defense-industrial firms in a series of sophisticated cyberattacks investigated by Ukraine’s CERT-UA.
The attacks typically initiate with phishing emails from UKR.NET addresses, featuring subjects like “court summons” and links to legitimate file-sharing services, often shortened via URL shorteners.
These links lead to double-archived files containing malicious HTML Application (HTA) files.
Targeting Ukrainian Defense
Upon execution, the HTA files deploy obfuscated VBScript that creates temporary text files with HEX-encoded data and PowerShell code, alongside a scheduled task named “PdfOpenTask.”
This task executes the PowerShell script, which decodes the data into a .txt file, renames it to an executable like “AnimalUpdate.exe,” and sets up another scheduled task “AnimalSoftUpdateAnimalSoftware” to ensure persistence.
This chain deploys the MATCHBOIL loader, potentially replacing earlier variants like LONEPAGE, and facilitates the loading of additional payloads such as the MATCHWOK backdoor and DRAGSTARE stealer.
CERT-UA notes that UAC-0099’s shifting tactics, techniques, and procedures underscore the group’s persistent evolution, adapting to defenses while maintaining a focus on espionage and data exfiltration in Ukraine’s critical sectors.
Technical Breakdown of Malware Components
Developed in C#, MATCHBOIL serves as a loader that gathers system fingerprints, including the CPU ProcessorId obtained via WMI queries (e.g., “BFEBFBFF000806EA”), the BIOS SerialNumber, the username, and the MAC address, and concatenates them into an “SN” HTTP header for command-and-control (C2) communications.
It employs HTTP GET requests to URIs like “/articles/images/forest.jpg” on servers such as geostat[.]lat, extracting payloads via regex patterns for “”, followed by HEX and BASE64 decoding.
The payload is saved with a .com extension (e.g., “%LOCALAPPDATA%\DevicesMonitor\devicemonitor.com”) and persisted through registry Run keys or scheduled tasks like “DocumentTask.”
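As an added illustration of the beaconing behaviour described above (example detection code written for this article, not code from CERT-UA, the malware, or any vendor), the script below scans HTTP proxy log lines for MATCHBOIL-style requests: a custom "SN" header whose value starts with a 16-hex-digit ProcessorId, and GET requests for the staging URI on the published C2 hosts. The log line format, the separator used inside the SN value, and all sample lines are constructed; the hosts and URI are taken from the IOC table.

```python
import re
from dataclasses import dataclass, field

# Network IOCs from the article's table, kept defanged as published.
C2_HOSTS = {"geostat[.]lat", "egyptanimals[.]com", "secfileshare[.]com"}
C2_PATHS = {"/articles/images/forest.jpg"}

# MATCHBOIL builds the SN header from ProcessorId + BIOS serial + username + MAC.
# The ProcessorId is 16 hex digits (e.g. BFEBFBFF000806EA); the separator between
# the concatenated fields is not documented, so only the leading field is checked.
PROCESSOR_ID_RE = re.compile(r"^[0-9A-F]{16}")

# Constructed log format: "<ts> <client> <method> <host> <path> | <Header>: <value>; ..."
# The "-" separators inside the SN value are an assumption made for this sample.
SAMPLE_LOG = """\
2025-08-01T10:00:01Z 10.0.0.5 GET geostat[.]lat /articles/images/forest.jpg | SN: BFEBFBFF000806EA-SN12345-jdoe-00-0C-29-AB-CD-EF; User-Agent: Mozilla/5.0
2025-08-01T10:00:02Z 10.0.0.6 GET example.org /index.html | User-Agent: Mozilla/5.0
2025-08-01T10:00:03Z 10.0.0.7 GET cdn.example.net /articles/images/forest.jpg | User-Agent: curl/8.0
2025-08-01T10:00:04Z 10.0.0.8 POST update.example.com /api | SN: short; User-Agent: agent/1.0
"""


@dataclass
class Finding:
    line_no: int
    client: str
    severity: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Split one constructed log line into request fields and a header dict."""
    head, _, hdr_part = line.partition(" | ")
    ts, client, method, host, path = head.split(maxsplit=4)
    headers = {}
    for item in hdr_part.split(";"):
        name, sep, value = item.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return {"ts": ts, "client": client, "method": method, "host": host,
            "path": path, "headers": headers}


def score_request(req):
    """Return (severity, reasons); severity is None when nothing matched."""
    strong, weak = [], []
    sn = req["headers"].get("SN")
    if sn is not None:
        if PROCESSOR_ID_RE.match(sn):
            strong.append("SN header starts with a 16-hex ProcessorId")
        else:
            weak.append("custom SN header present")
    if req["host"] in C2_HOSTS:
        strong.append(f"known C2 host {req['host']}")
    if req["method"] == "GET" and req["path"] in C2_PATHS:
        # The path alone could appear on unrelated sites, so on its own it is
        # only a weak signal; it is promoted when a strong signal co-occurs.
        weak.append("known C2 staging URI")
    if strong:
        return "high", strong + weak
    if weak:
        return "low", weak
    return None, []


def scan_log(text):
    """Run score_request over every non-empty line and collect the findings."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        req = parse_line(line)
        severity, reasons = score_request(req)
        if severity:
            findings.append(Finding(n, req["client"], severity, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} {f.client} [{f.severity}] " + "; ".join(f.reasons))
```

Run against the constructed sample, the first line is rated high (ProcessorId-shaped SN header plus a listed C2 host), while the lines that only share the generic image path or only carry an unusual header name are rated low, which is the split a SOC would want before paging anyone.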
MATCHWOK, another C# backdoor, executes PowerShell commands by compiling .NET assemblies at runtime, renaming powershell.exe, and routing commands via STDIN, with results exfiltrated over HTTPS to C2 addresses stored in config.ini files.
Commands are AES-256 encrypted within
The DRAGSTARE stealer, also written in C#, collects extensive system data (computer name, OS version, RAM, disk details, network interfaces, ARP tables, and active TCP connections) while stealing browser credentials from Chrome and Mozilla Firefox via DPAPI decryption of files like logins.json.
It recursively scans directories like Desktop and Downloads for file types such as .docx, .pdf, and .ovpn, archiving them in ZIP format for exfiltration from staging folders like “%LOCALAPPDATA%\NordDragonScan.”
Anti-VM checks and registry-based persistence via keys like ‘NordStar’ enhance evasion. C2 interactions involve encrypted, BASE64-encoded requests to static URLs, with flag files (e.g., “s1.txt” for system info collection) marking operational stages.
These tools highlight UAC-0099’s modular approach, blending loaders, backdoors, and stealers for sustained access and data theft.
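The host-side artefacts described across the HTA chain and the three components (the scheduled-task names, the mshta.exe to schtasks.exe parent/child relationship, the Run-key value names, the staging folders, and MATCHWOK's renamed powershell.exe) can be matched with rule-style logic over Sysmon-like endpoint events. The following is an added example written for this article, not code from CERT-UA or the article's author; field names follow Sysmon's conventions, while the event records, the SID, and the renamed-PowerShell file name "svc.exe" are constructed.

```python
import json
import re

# Scheduled-task and Run-key value names named in the article.
TASK_NAMES = {"pdfopentask", "animalsoftupdateanimalsoftware", "documenttask"}
RUN_VALUE_NAMES = {"updatemonitor", "nordstar"}
# Staging folders under %LOCALAPPDATA% used by MATCHWOK and DRAGSTARE.
STAGING_DIR_RE = re.compile(r"\\(DevicesMonitor|NordDragonScan)\\", re.IGNORECASE)
TASK_NAME_RE = re.compile(r"/tn\s+\"?([^\s\"]+)", re.IGNORECASE)
RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)

# Constructed Sysmon-style records (one JSON object per line): EventID 1 = process
# create, 11 = file create, 13 = registry value set.  "svc.exe" and the SID are made up.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "schtasks.exe /create /tn PdfOpenTask /tr \"powershell.exe -w hidden -f C:\\Users\\Public\\task.ps1\"", "OriginalFileName": "schtasks.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "schtasks.exe /query /tn Backup", "OriginalFileName": "schtasks.exe"}
{"EventID": 1, "Image": "C:\\Users\\jdoe\\AppData\\Local\\DevicesMonitor\\svc.exe", "ParentImage": "C:\\Users\\jdoe\\AppData\\Local\\DevicesMonitor\\devicemonitor.com", "CommandLine": "svc.exe", "OriginalFileName": "PowerShell.EXE"}
{"EventID": 13, "Image": "C:\\Users\\Public\\Downloads\\AnimalUpdate.exe", "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\UpdateMonitor", "Details": "C:\\Users\\jdoe\\AppData\\Local\\DevicesMonitor\\devicemonitor.com"}
{"EventID": 11, "Image": "C:\\Users\\jdoe\\AppData\\Local\\DevicesMonitor\\devicemonitor.com", "TargetFilename": "C:\\Users\\jdoe\\AppData\\Local\\NordDragonScan\\s1.txt"}
{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\jdoe\\Documents\\notes.txt"}
"""


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_process(ev):
    hits = []
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    if image.endswith("\\schtasks.exe") and "/create" in cmd.lower():
        m = TASK_NAME_RE.search(cmd)
        if m and m.group(1).lower() in TASK_NAMES:
            hits.append(f"task name from the UAC-0099 chain: {m.group(1)}")
        if parent.endswith("\\mshta.exe"):
            hits.append("schtasks /create spawned by mshta.exe (HTA execution)")
        if re.search(r"/tr\s+\"?powershell", cmd, re.IGNORECASE):
            hits.append("task action runs PowerShell")
    # MATCHWOK renames powershell.exe; the PE header's OriginalFileName survives the rename.
    if ev.get("OriginalFileName", "").lower() == "powershell.exe" and not image.endswith("\\powershell.exe"):
        hits.append("renamed powershell.exe (OriginalFileName mismatch)")
    return hits


def check_registry(ev):
    hits = []
    m = RUN_VALUE_RE.search(ev.get("TargetObject", ""))
    if m:
        if m.group(1).lower() in RUN_VALUE_NAMES:
            hits.append(f"Run value name used by UAC-0099 tooling: {m.group(1)}")
        if STAGING_DIR_RE.search(ev.get("Details", "")):
            hits.append("Run value points into a known staging folder")
    return hits


def check_file(ev):
    hits = []
    path = ev.get("TargetFilename", "")
    if STAGING_DIR_RE.search(path):
        hits.append("file written into a known staging folder")
    # A .com executable under %LOCALAPPDATA% is the MATCHWOK drop pattern.
    if re.search(r"\\AppData\\Local\\.*\.com$", path, re.IGNORECASE):
        hits.append(".com executable dropped under %LOCALAPPDATA%")
    return hits


CHECKS = {1: check_process, 11: check_file, 13: check_registry}


def detect(events):
    """Return [(record_no, hits)] for every event that matched at least one rule."""
    findings = []
    for n, ev in enumerate(events, 1):
        check = CHECKS.get(ev.get("EventID"))
        hits = check(ev) if check else []
        if hits:
            findings.append((n, hits))
    return findings


if __name__ == "__main__":
    for n, hits in detect(load_events(SAMPLE_EVENTS)):
        print(f"record {n}: " + "; ".join(hits))
```

The OriginalFileName check is the one rule here that does not depend on any published IOC: it catches a renamed PowerShell binary regardless of what it was renamed to, so it keeps working after the actor rotates task names and folder names.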
Indicators of Compromise (IOCs)
| Category | Examples |
|---|---|
| Files | d24d29e814f275f4432ba9c61e327e41 (Summons-756_840_25.rar), 059da876312f83c5d11aeb7035eb7feb (AnimalUpdate.exe – MATCHBOIL), 17f3df06950610ebc7c9f4918ece6e78 (devicemonitor.com – MATCHWOK), %LOCALAPPDATA%\NordDragonScan\s1.txt |
| Hosts | %TMP%documenttemp.txt, C:\Users\Public\Downloads\AnimalUpdate.exe, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\’UpdateMonitor’, schtasks.exe /create /tn PdfOpenTask /tr “powershell.exe …” |
| Network | court.ics3312@ukr[.]net, 64[.]95.10.117, hXXps://geostat[.]lat/articles/images/forest.jpg, egyptanimals[.]com, secfileshare[.]com |