UAC-0099 Hackers Weaponizing HTA Files to Deliver MATCHBOIL Loader Malware
The threat group tracked by CERT-UA as UAC-0099 has significantly evolved its capabilities, deploying a new malware toolkit against Ukrainian state authorities, Defense Forces, and defense industrial enterprises.
The National Cyber Incident Response Team CERT-UA has documented a series of coordinated attacks employing HTA (HTML Application) files as the primary delivery mechanism for the newly identified MATCHBOIL loader malware.
These attacks begin with carefully crafted phishing emails, predominantly sent from UKR.NET addresses, masquerading as official court summons.
The emails contain links to legitimate file-sharing services, including shortened URLs, which redirect victims to download double-archived files containing malicious HTA components.
This social engineering approach exploits the perceived legitimacy of legal documentation to bypass initial user suspicion.
CERT-UA analysts identified that the HTA files contain heavily obfuscated VBScript designed to establish multiple persistence mechanisms on compromised systems.
Upon execution, the malicious script creates several files, including “documenttemp.txt” containing HEX-encoded data and “temporarydoc.txt” containing PowerShell code, and registers a scheduled task named “PdfOpenTask” for sustained system access.
The threat actors have developed a multi-component malware ecosystem consisting of three primary tools: MATCHBOIL serves as the initial loader, MATCHWOK functions as a backdoor for remote command execution, and DRAGSTARE operates as a comprehensive data stealer.
This trinity of malicious software demonstrates the group’s advancement from previous campaigns and suggests a shift toward more persistent, multi-stage attack operations.
Infection Mechanism and Persistence Architecture
The MATCHBOIL loader, developed in C#, implements a sophisticated multi-stage deployment process that ensures persistent system compromise.
The initial HTA file execution triggers the creation of the scheduled task “PdfOpenTask” using the command:

```cmd
schtasks.exe /create /tn PdfOpenTask /tr "powershell.exe -WindowStyle Hidden -executionpolicy bypass -noprofile -c Invoke-Expression (Get-Content '%TMP%\temporarydoc.txt' -Raw)" /sc once /st 12:02 /f
```
The PowerShell code run by this task converts the HEX-encoded data into executable bytes, writes them to “%PUBLIC%\Downloads\AnimalUpdate.txt”, then moves the file to “AnimalUpdate.exe” and registers another scheduled task, “AnimalSoftUpdateAnimalSoftware”, to execute it.
The loader subsequently gathers system fingerprinting data including CPU hardware identifiers, BIOS serial numbers, and MAC addresses, transmitting this information via HTTP headers to command-and-control servers hosted on domains like egyptanimals[.]com and geostat[.]lat.
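As an added illustration (not code from CERT-UA or from the article), the following Python sketch shows how a detection rule could score `schtasks /create` command lines from process-creation telemetry for the loader-style pattern described above: a hidden PowerShell session with execution policy bypassed that Invoke-Expressions a script read from a user-writable temp path. The sample command lines and indicator weights are constructed; only the first mirrors the command quoted in the article.

```python
import re

# Constructed sample process-creation command lines (not taken from the CERT-UA
# report); the first mirrors the schtasks command quoted in the article.
SAMPLE_CMDLINES = [
    'schtasks.exe /create /tn PdfOpenTask /tr "powershell.exe -WindowStyle Hidden '
    "-executionpolicy bypass -noprofile -c Invoke-Expression (Get-Content "
    "'%TMP%\\temporarydoc.txt' -Raw)\" /sc once /st 12:02 /f",
    'schtasks.exe /create /tn Nightly /tr "C:\\Windows\\System32\\wbadmin.exe start backup" /sc daily /st 02:00',
    'schtasks.exe /create /tn UpdaterTask /tr "powershell.exe -nop -w hidden -ep bypass '
    '-c iex (gc C:\\Users\\Public\\Downloads\\x.txt -Raw)" /sc minute /mo 5',
]

# (label, regex applied to the task action, weight); abbreviated switches count too.
INDICATORS = [
    ("powershell host",    r"\bpowershell(\.exe)?\b", 1),
    ("hidden window",      r"-w(indowstyle)?\s+hidden\b", 2),
    ("policy bypass",      r"-e(xecutionpolicy|p)\s+bypass\b", 2),
    ("no profile",         r"-no(p|profile)\b", 1),
    ("invoke-expression",  r"\b(invoke-expression|iex)\b", 3),
    ("reads script file",  r"\b(get-content|gc)\b", 2),
    ("user-writable path", r"%(tmp|temp|public|appdata)%|\\downloads\\|\\temp\\", 2),
]
ALERT_THRESHOLD = 7  # loader-style chains score well above this; admin tasks near 0

def parse_task_creation(cmdline):
    """Return (task_name, action) for a 'schtasks /create' line, else None."""
    if not re.search(r"schtasks(\.exe)?\s+/create\b", cmdline, re.I):
        return None
    tn = re.search(r'/tn\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    tr = re.search(r'/tr\s+"([^"]*)"', cmdline, re.I)
    if not tr:
        return None
    return ((tn.group(1) or tn.group(2)) if tn else "<no /tn>"), tr.group(1)

def score_task_action(action):
    # Sum the weights of every indicator present; also return the matched labels.
    hits = [(label, w) for label, pat, w in INDICATORS if re.search(pat, action, re.I)]
    return sum(w for _, w in hits), [label for label, _ in hits]

def scan(cmdlines, threshold=ALERT_THRESHOLD):
    # Return (task_name, score, labels) for task creations at or above threshold.
    findings = []
    for line in cmdlines:
        parsed = parse_task_creation(line)
        if parsed:
            name, action = parsed
            score, labels = score_task_action(action)
            if score >= threshold:
                findings.append((name, score, labels))
    return findings
```

Running `scan(SAMPLE_CMDLINES)` flags the PdfOpenTask and UpdaterTask creations while leaving the backup task untouched; in production the same scoring would run over Sysmon Event ID 1 or Windows Security 4698 records rather than a constructed list.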