UAC-0099 is a threat actor group that has been targeting government officials, defense forces, and defense-industrial enterprises in a series of sophisticated cyberattacks that Ukraine's CERT-UA has been investigating.
The attacks typically begin with phishing emails sent from UKR.NET addresses, using subjects such as "court summons" and carrying links to legitimate file-sharing services, often shortened with URL shorteners.
These links lead to double-archived files containing malicious HTML Application (HTA) files.
Targeting Ukrainian Defense
Upon execution, the HTA file runs obfuscated VBScript that writes temporary text files containing HEX-encoded data and PowerShell code, and creates a scheduled task named "PdfOpenTask."
That task runs the PowerShell script, which decodes the data into a .txt file, renames it to an executable such as "AnimalUpdate.exe," and registers another scheduled task, "AnimalSoftUpdateAnimalSoftware," to maintain persistence.
This chain deploys the MATCHBOIL loader, which likely replaces earlier tooling such as LONEPAGE, and in turn loads additional payloads such as the MATCHWOK backdoor and the DRAGSTARE stealer.
CERT-UA notes that UAC-0099's shifting tactics, techniques, and procedures underscore the group's continuing evolution: it adapts to defenses while keeping its focus on espionage and data exfiltration from Ukraine's critical sectors.
Technical Breakdown of Malware Components
Developed in C#, MATCHBOIL serves as a loader that gathers system fingerprints, including the CPU ProcessorId obtained via WMI (e.g., "BFEBFBFF000806EA"), the BIOS SerialNumber, the username, and the MAC address, and concatenates them into an "SN" HTTP header used in its command-and-control (C2) communications.
It issues HTTP GET requests to URIs such as "/articles/pictures/forest.jpg" on servers such as geostat[.]lat, extracts the embedded payload with a regular expression, and then applies HEX and BASE64 decoding.
The decoded payload is saved with a .com extension (e.g., "%LOCALAPPDATA%\DevicesMonitor\devicemonitor.com") and persisted via registry Run keys or scheduled tasks such as "DocumentTask."
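To make the retrieval and unpacking step concrete, here is an added example, not code from CERT-UA or from the article, that reproduces the shape of MATCHBOIL's payload path in Python: it extracts an encoded blob from a constructed HTTP response body, applies hex decoding followed by base64 decoding, checks for an MZ header, and flags proxy-log requests that carry an "SN" header toward the known C2 host or URI. The delimiter regex, the decode order (hex outer, base64 inner), the 16-hex-character SN prefix heuristic, and the sample body are assumptions made for this example.

```python
import base64
import binascii
import re

# Assumed delimiters for this example: the real MATCHBOIL regex is not given in the article.
PAYLOAD_RE = re.compile(r"<!--BEGIN-->(.*?)<!--END-->", re.S)

# Indicators from the article; the SN-header prefix check is an assumption
# based on the 16-hex-character ProcessorId example "BFEBFBFF000806EA".
KNOWN_C2_HOSTS = {"geostat.lat"}
KNOWN_C2_PATH = "/articles/pictures/forest.jpg"
SN_PREFIX_RE = re.compile(r"^[0-9A-Fa-f]{16}")


def extract_payload(body: str) -> bytes:
    """Pull the encoded blob out of a response body, then hex-decode and base64-decode it.
    Decode order (hex outer, base64 inner) is an assumption for this example."""
    match = PAYLOAD_RE.search(body)
    if not match:
        raise ValueError("no payload delimiters found in response body")
    hex_blob = "".join(match.group(1).split())  # tolerate line breaks inside the blob
    b64_blob = binascii.unhexlify(hex_blob)
    return base64.b64decode(b64_blob, validate=True)


def is_pe(blob: bytes) -> bool:
    """Cheap sanity check that the decoded blob is a Windows executable (MZ header)."""
    return blob[:2] == b"MZ"


def looks_like_matchboil_beacon(method: str, host: str, path: str, headers: dict) -> bool:
    """Flag a proxy-log request with the MATCHBOIL shape: a GET carrying an 'SN'
    fingerprint header toward the known C2 host or URI."""
    sn = headers.get("SN", "")
    if method.upper() != "GET" or not SN_PREFIX_RE.match(sn):
        return False
    return host.lower() in KNOWN_C2_HOSTS or path == KNOWN_C2_PATH


def encode_like_server(payload: bytes) -> str:
    """Inverse transform, used only to build the constructed sample body below."""
    return binascii.hexlify(base64.b64encode(payload)).decode("ascii")


# Constructed sample: a fake MZ blob hidden in a fake 'forest.jpg' response body.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"fake devicemonitor.com body"
SAMPLE_BODY = (
    "\xff\xd8 jpeg noise ...\n<!--BEGIN-->\n"
    + encode_like_server(SAMPLE_PAYLOAD)
    + "\n<!--END-->\ntrailing bytes"
)

if __name__ == "__main__":
    blob = extract_payload(SAMPLE_BODY)
    print(f"decoded {len(blob)} bytes, MZ header: {is_pe(blob)}")
    hit = looks_like_matchboil_beacon(
        "GET", "geostat.lat", KNOWN_C2_PATH,
        {"SN": "BFEBFBFF000806EAPF1ABCD2user00-11-22-33-44-55"},
    )
    print("beacon matched:", hit)
```

When triaging a real capture, swap PAYLOAD_RE for the delimiter pattern recovered from the sample and confirm the decode order against the loader's own code; the MZ check then tells you immediately whether the transform was applied in the right sequence.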
MATCHWOK, another C# backdoor, executes PowerShell commands by compiling .NET assemblies at runtime, running a renamed copy of powershell.exe, and feeding commands to it via STDIN; results are exfiltrated over HTTPS to C2 addresses stored in config.ini files.
Commands are AES-256 encrypted within
The DRAGSTARE stealer, also written in C#, collects extensive system data (computer name, OS version, RAM, disk details, network interfaces, ARP tables, and active TCP connections) and steals browser credentials from Chrome and Mozilla Firefox, including DPAPI-based decryption of Chrome's stored secrets and collection of files such as Firefox's logins.json.
It recursively scans directories such as Desktop and Downloads for file types including .docx, .pdf, and .ovpn, and archives them as ZIP files in a staging folder such as "%LOCALAPPDATA%\NordDragonScan" for exfiltration.
Anti-VM checks and registry-based persistence via keys such as 'NordStar' improve evasion. C2 interactions use encrypted, BASE64-encoded requests to static URLs, with flag files (e.g., "s1.txt" for the system-information collection stage) marking operational stages.
These tools illustrate UAC-0099's modular approach, combining loaders, backdoors, and stealers for sustained access and data theft.
Indicators of Compromise (IOCs)
| Category | Examples |
|---|---|
| Files (MD5) | d24d29e814f275f4432ba9c61e327e41 (Summons-756_840_25.rar), 059da876312f83c5d11aeb7035eb7feb (AnimalUpdate.exe – MATCHBOIL), 17f3df06950610ebc7c9f4918ece6e78 (devicemonitor.com – MATCHWOK), %LOCALAPPDATA%\NordDragonScan\s1.txt |
| Hosts | %TMP%\documenttemp.txt, C:\Users\Public\Downloads\AnimalUpdate.exe, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 'UpdateMonitor', schtasks.exe /create /tn PdfOpenTask /tr "powershell.exe …" |
| Network | court.ics3312@ukr[.]net, 64[.]95.10.117, hXXps://geostat[.]lat/articles/pictures/forest.jpg, egyptanimals[.]com, secfileshare[.]com |
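The following is an added example, not code from CERT-UA or from the article, showing how the host and network indicators above and the scheduled-task behaviour from the infection chain can be matched against endpoint telemetry. The event dictionary layout and the sample events are constructed for this example; it goes slightly beyond the listed IOCs by also flagging any schtasks /create whose action launches PowerShell, regardless of the task name, so a renamed task in a later campaign still surfaces.

```python
import re

# Indicators taken from the IOC table and the infection-chain description above.
TASK_NAMES = {"PdfOpenTask", "AnimalSoftUpdateAnimalSoftware", "DocumentTask"}
RUN_VALUE_NAMES = {"UpdateMonitor", "NordStar"}
FILE_PATH_PATTERNS = [
    ("matchwok-drop", re.compile(r"\\DevicesMonitor\\devicemonitor\.com$", re.I)),
    ("dragstare-staging", re.compile(r"\\NordDragonScan\\", re.I)),
    ("matchboil-drop", re.compile(r"\\Users\\Public\\Downloads\\AnimalUpdate\.exe$", re.I)),
]
C2_HOSTS = {"geostat.lat"}
C2_IPS = {"64.95.10.117"}
MD5S = {
    "d24d29e814f275f4432ba9c61e327e41",  # Summons-756_840_25.rar
    "059da876312f83c5d11aeb7035eb7feb",  # AnimalUpdate.exe (MATCHBOIL)
    "17f3df06950610ebc7c9f4918ece6e78",  # devicemonitor.com (MATCHWOK)
}

SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)
TASK_NAME_ARG = re.compile(r"/tn\s+\"?([^\s\"]+)", re.I)
TASK_RUN_ARG = re.compile(r"/tr\s+(\"[^\"]*\"|\S+)", re.I)


def classify(event: dict) -> list:
    """Return the indicator/behaviour tags an event matches (empty list = nothing matched).
    The event layout (type, cmdline, path, md5, key, value, host, dst_ip) is assumed here."""
    hits = []
    kind = event.get("type")
    md5 = event.get("md5", "").lower()
    if kind == "process":
        cmd = event.get("cmdline", "")
        if SCHTASKS_CREATE.search(cmd):
            name = TASK_NAME_ARG.search(cmd)
            if name and name.group(1) in TASK_NAMES:
                hits.append("task:" + name.group(1))
            # Behavioural catch: any new task whose action launches PowerShell.
            action = TASK_RUN_ARG.search(cmd)
            if action and "powershell" in action.group(1).lower():
                hits.append("behaviour:schtask-runs-powershell")
    elif kind == "file":
        for tag, pattern in FILE_PATH_PATTERNS:
            if pattern.search(event.get("path", "")):
                hits.append("path:" + tag)
    elif kind == "registry":
        key = event.get("key", "").upper()
        if key.endswith("\\CURRENTVERSION\\RUN") and event.get("value") in RUN_VALUE_NAMES:
            hits.append("runkey:" + event["value"])
    elif kind == "network":
        host = event.get("host", "").lower()
        if host in C2_HOSTS:
            hits.append("c2:" + host)
        elif event.get("dst_ip") in C2_IPS:
            hits.append("c2:" + event["dst_ip"])
    if md5 in MD5S:
        hits.append("md5:" + md5)
    return hits


def triage(events) -> dict:
    """Map event index -> matched tags for every event that hit at least one indicator."""
    return {i: tags for i, e in enumerate(events) if (tags := classify(e))}


# Constructed sample telemetry for this example, not real logs.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": 'schtasks.exe /create /tn PdfOpenTask /tr "powershell.exe -w hidden -c ..."'},
    {"type": "process", "cmdline": 'schtasks.exe /create /tn NightlyBackup /tr "C:\\Tools\\backup.exe"'},
    {"type": "process", "cmdline": 'schtasks.exe /create /tn Updater /tr "powershell -ep bypass -f C:\\u.ps1"'},
    {"type": "file", "path": "C:\\Users\\Public\\Downloads\\AnimalUpdate.exe", "md5": "059da876312f83c5d11aeb7035eb7feb"},
    {"type": "file", "path": "C:\\Users\\alice\\AppData\\Local\\NordDragonScan\\s1.txt"},
    {"type": "registry", "key": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "UpdateMonitor"},
    {"type": "network", "host": "geostat.lat", "dst_ip": "203.0.113.9"},
    {"type": "network", "host": "example.org", "dst_ip": "198.51.100.1"},
]

if __name__ == "__main__":
    for index, tags in triage(SAMPLE_EVENTS).items():
        print(index, tags)
```

The atomic indicators (hashes, paths, task names, the Run value, the C2 host and IP) will go stale as the actor rotates infrastructure; the schtasks-runs-PowerShell behaviour check is the part worth keeping as a standing detection, tuned against your own baseline of legitimate scheduled tasks.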