UAC-0099, a persistent threat actor active since at least 2022, has conducted sophisticated cyber-espionage operations against Ukrainian government, military, and defense entities, evolving its toolkit across three major campaigns documented in CERT-UA alerts from June 2023, December 2024, and August 2025.
The group initially relied on the PowerShell-based LONEPAGE loader, delivered through spear-phishing emails carrying malicious attachments such as .LNK shortcuts and .HTA files disguised as legal subpoenas.
LONEPAGE then fetched secondary payloads such as THUMBCHOP for browser credential theft and CLOGFLAG for keylogging, while persistence was established through scheduled tasks and registry Run keys.
Cyber-Espionage Campaigns
By late 2024, UAC-0099 adapted by exploiting the WinRAR vulnerability CVE-2023-38831 for automatic execution upon archive extraction, transitioning LONEPAGE to a two-stage loader involving 3DES-encrypted PowerShell code decrypted by a .NET binary, and leveraging Cloudflare-proxied domains for resilient command-and-control (C2) communications over HTTP/HTTPS.
In 2025, the actor introduced a revamped C# malware suite: MATCHBOIL as the primary loader, MATCHWOK for backdoor command execution, and DRAGSTARE for comprehensive data theft, all deployed via obfuscated VBScript embedded in HTA files.
According to the report, the infection chain creates multiple scheduled tasks for decoding and persistent execution, reflecting a shift to modular, in-memory techniques while retaining core tactics such as Base64/hex obfuscation and masquerading as legitimate processes.

Mitigation Strategies
Mapped to the MITRE ATT&CK framework, UAC-0099’s tactics span initial access through spearphishing attachments and links (T1566.001/.002), execution via user-triggered LOLBins, namely PowerShell (T1059.001) and mshta.exe (T1218.005), and persistence using scheduled tasks that mimic system updates (T1053.005) with names such as “PdfOpenTask” or “UpdateAnimalSoftware,” alongside registry autoruns (T1547.001).
Defense evasion involves multi-layer encoding, process injection, and anti-analysis checks for tools such as Wireshark, while credential access targets browser credential stores via DPAPI decryption (T1555.003), and discovery enumerates system and network details (T1082, T1016) to support lateral movement.
C2 relies on encrypted web protocols (T1071.001, T1573) hidden in
Malware capabilities have consolidated: MATCHBOIL downloads payloads using custom HTTP headers like “SN” derived from hardware fingerprints, MATCHWOK executes AES-encrypted PowerShell commands from renamed interpreters, and DRAGSTARE steals files with sensitive extensions, screenshots, and reconnaissance data, staging them in folders like %LOCALAPPDATA%\NordDragonScan.
Patterns include innocuous file names in user directories (%APPDATA%, %PUBLIC%) and task conventions blending terms like “Core” and “Update” to evade detection.
To counter these threats, organizations should restrict scripting utilities such as mshta.exe, wscript.exe and PowerShell via AppLocker, enable PowerShell Script Block Logging (Event ID 4104) so that -EncodedCommand payloads are recorded in decoded form, monitor scheduled task creation (Security Event ID 4698, which is only written when the “Audit Other Object Access Events” subcategory is enabled), and hunt for anomalous HTTP traffic with unusual headers or newly seen, proxy-fronted domains.
Network segmentation, multi-factor authentication, and regular endpoint scans with YARA rules keyed to strings such as the malware’s anti-VM checks can disrupt persistence and exfiltration and give early warning of this evolving actor’s operations.
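As an added example, not code from CERT-UA or from the report's authors, the following Python script applies the hunting guidance above to Windows Security 4698 events: it extracts the task name and action from each event, decodes any PowerShell -EncodedCommand (base64 of UTF-16LE), and flags tasks that match the naming conventions, script hosts and user-writable staging folders described in this article. The three events are constructed here rather than captured from a compromised host, and the user name, domain and file paths in them are hypothetical.

```python
"""Added example (not CERT-UA or vendor code): triage Windows Security
event 4698 (scheduled task created) for UAC-0099-style persistence.
The sample events at the bottom are constructed, not captured from a real host."""
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Task names quoted in the reports plus the "Update"/"Core" naming convention.
# Name alone is a weak signal; it is meant to be combined with the checks below.
NAME_RE = re.compile(r"PdfOpenTask|UpdateAnimalSoftware|Update|Core", re.I)
# Script hosts the group launches its HTA/VBScript/PowerShell stages with.
SCRIPT_HOSTS = ("mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
# User-writable folders named as staging locations in the reports.
STAGING_RE = re.compile(r"%(APPDATA|LOCALAPPDATA|PUBLIC)%|\\AppData\\|\\Users\\Public\\", re.I)
# -EncodedCommand and the abbreviations PowerShell accepts for it.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(arguments):
    """Plaintext of a PowerShell -EncodedCommand (base64 of UTF-16LE), or None if absent/invalid."""
    m = ENC_RE.search(arguments or "")
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_4698(event_xml):
    """Extract the fields a hunter needs from one 4698 event rendered as XML."""
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "") for d in root.iter(EVT_NS + "Data")}
    # TaskContent carries the task definition as escaped XML with its own UTF-16
    # declaration; ET has already unescaped it, so only the declaration is dropped.
    task = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", data["TaskContent"]))
    exec_node = task.find(".//" + TASK_NS + "Exec")
    command = arguments = ""
    if exec_node is not None:
        command = (exec_node.findtext(TASK_NS + "Command") or "").strip()
        arguments = (exec_node.findtext(TASK_NS + "Arguments") or "").strip()
    return {
        "user": data.get("SubjectDomainName", "") + "\\" + data.get("SubjectUserName", ""),
        "name": data.get("TaskName", ""),
        "command": command,
        "arguments": arguments,
        "hidden": (task.findtext(".//" + TASK_NS + "Hidden") or "false").strip().lower() == "true",
    }


def triage(task):
    """Reasons a newly created task looks like UAC-0099 persistence; empty list means benign."""
    reasons = []
    decoded = decode_encoded_command(task["arguments"])
    if NAME_RE.search(task["name"]):
        reasons.append("task name matches reported naming convention")
    host = task["command"].lower().rsplit("\\", 1)[-1]
    if host in SCRIPT_HOSTS:
        reasons.append("action runs script host " + host)
    # Staging-folder check also covers the decoded command, where the path usually hides.
    if STAGING_RE.search(" ".join([task["command"], task["arguments"], decoded or ""])):
        reasons.append("references a user-writable staging folder")
    if decoded is not None:
        reasons.append("encoded PowerShell decodes to: " + decoded)
    if task["hidden"]:
        reasons.append("task is hidden from the Task Scheduler UI")
    return reasons


def hunt(events):
    """Triage a batch of 4698 events and return only the tasks that raised a reason."""
    findings = []
    for event_xml in events:
        task = parse_4698(event_xml)
        reasons = triage(task)
        if reasons:
            findings.append(dict(task, reasons=reasons))
    return findings


def make_4698(user, task_name, command, arguments, hidden=False):
    """Build a 4698 event in the shape Windows writes it (used only to construct samples)."""
    task_xml = (
        '<?xml version="1.0" encoding="UTF-16"?>'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<Settings><Hidden>{'true' if hidden else 'false'}</Hidden></Settings>"
        f"<Actions><Exec><Command>{escape(command)}</Command>"
        f"<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>"
    )
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4698</EventID></System><EventData>"
        f'<Data Name="SubjectUserName">{escape(user)}</Data>'
        '<Data Name="SubjectDomainName">CORP</Data>'
        f'<Data Name="TaskName">{escape(task_name)}</Data>'
        f'<Data Name="TaskContent">{escape(task_xml)}</Data>'
        "</EventData></Event>"
    )


# Constructed samples: two tasks modelled on the reported tradecraft, one routine Windows task.
ENCODED_PAYLOAD = "Start-Process mshta.exe -ArgumentList '%PUBLIC%\\core.hta' -WindowStyle Hidden"
SAMPLE_EVENTS = [
    make_4698("ivanov", r"\Microsoft\Windows\PdfOpenTask", r"C:\Windows\System32\mshta.exe",
              r"%APPDATA%\Microsoft\Windows\Templates\document.hta", hidden=True),
    make_4698("ivanov", r"\UpdateAnimalSoftware",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "-NoP -W Hidden -EncodedCommand "
              + base64.b64encode(ENCODED_PAYLOAD.encode("utf-16-le")).decode("ascii")),
    make_4698("SYSTEM", r"\Microsoft\Windows\Defrag\ScheduledDefrag",
              r"%windir%\system32\defrag.exe", "-c -h -o -$"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["user"], finding["name"], finding["command"], sep="  ")
        for reason in finding["reasons"]:
            print("  - " + reason)
```

In practice the events would come from a SIEM export or `wevtutil qe Security /q:"*[System[EventID=4698]]" /f:xml`; the two modelled tasks each raise four reasons while the defrag task raises none. The name regex is deliberately loose (any "Update" or "Core"), so a production rule should weight the name match below the script-host and encoded-command hits rather than alert on it alone.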