UAC‑0099, a sophisticated threat actor group that has been active since at least 2022, continues to pose a significant cybersecurity threat through its evolving cyber-espionage campaigns targeting Ukrainian government agencies, military organizations, and defense-industrial entities.
The group has demonstrated remarkable adaptability across three major operational phases spanning 2023 to 2025, systematically refining its toolkit while maintaining consistent core tactics that have proven effective against its intended targets.
The threat actor’s initial emergence was marked by the deployment of LONEPAGE, a PowerShell-based loader that served as the foundation for their malicious operations throughout 2022 and 2023.
This early incarnation established UAC‑0099’s preference for spear-phishing emails containing malicious attachments, particularly those masquerading as legal documents such as subpoenas or court summons.
The group’s ability to leverage social engineering tactics, combined with their technical sophistication, has enabled them to successfully compromise high-value targets across Ukraine’s critical infrastructure sectors.
By late 2024, UAC‑0099 had significantly evolved their delivery mechanisms, incorporating exploitation of the WinRAR vulnerability CVE-2023-38831 alongside their traditional phishing approaches.
SIMKRA, an analyst and researcher, noted that this transition period marked a critical shift in the group’s operational methodology, introducing a more sophisticated two-stage loader approach that enhanced their evasion capabilities.
Figure: Campaigns in sequence (Source – Medium)
The attackers began encrypting their PowerShell payloads using 3DES encryption and storing them in files such as app.lib.conf, while using .NET binary components like replace.win.app.com to decrypt and execute the malicious code in memory.
The most dramatic transformation occurred in mid-2025 with the introduction of an entirely new C# malware suite comprising MATCHBOIL, MATCHWOK, and DRAGSTARE.
This represents a complete overhaul of their technical infrastructure, demonstrating the group’s commitment to maintaining operational effectiveness despite growing security awareness and defensive measures.
Figure: Attack flow across different campaigns, with the same TTPs for PowerShell, Ingress Tool Transfer, Registry Run Keys, Exfiltration and so on (Source – Medium)
The new toolkit showcases enhanced sophistication in command and control communications, data exfiltration capabilities, and anti-analysis features designed to thwart security researchers and automated detection systems.
Advanced Persistence and Evasion Mechanisms
UAC‑0099’s persistence tactics reveal a sophisticated understanding of Windows operating system architecture and common administrative practices.
The group consistently employs scheduled tasks as their primary persistence mechanism, creating tasks with deceptively legitimate names such as “OneDriveUpdateCoreFilesStart” and “FileExplorerUpdateTaskMachineCore” that blend seamlessly into typical system maintenance activities.
These tasks are programmed to execute at frequent intervals, often every 3-4 minutes, ensuring continuous malware operation while maintaining a low profile.
The 2025 MATCHBOIL loader exemplifies their advanced obfuscation techniques through its multi-layered encoding approach.
The malware retrieves payloads hidden within seemingly innocuous web content, specifically searching for data embedded between script tags that undergoes both HEX and Base64 decoding.
This technique allows the malware to disguise command and control communications as legitimate web traffic, making detection significantly harder for network security monitoring systems.
MATCHBOIL further enhances its stealth capabilities by generating unique host identifiers using the CPU ID, BIOS serial number, and MAC addresses, which are transmitted via a custom HTTP header labeled “SN” during command and control communications.
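The script-tag staging and the “SN” host-identifier header described above, worked through as an added Python example of analyst-side triage (not code from the report or from the malware). It constructs its own HTTP request and response capture; the layering order of the two encodings is not stated in the report, so the decoder tries hex-then-Base64 first and the reverse as a fallback, and the SN value, hostnames and payload text are made up.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

SCRIPT_BODY_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

# Constructed stand-in for a staged payload; any text would do.
SAMPLE_PLAINTEXT = b"Write-Output 'constructed sample payload'"


def encode_hex_outer(plaintext: bytes) -> str:
    """Base64 first, then hex over the Base64 text (assumed layering order)."""
    return base64.b64encode(plaintext).hex()


def encode_b64_outer(plaintext: bytes) -> str:
    """The reverse layering, so the decoder can be exercised on both orders."""
    return base64.b64encode(plaintext.hex().encode("ascii")).decode("ascii")


def decode_layers(blob: str) -> Optional[Tuple[str, bytes]]:
    """Try hex-then-Base64, then Base64-then-hex; None when neither order decodes."""
    compact = "".join(blob.split())  # staged blobs are often wrapped across lines
    if not compact:
        return None
    attempts = (
        ("hex>b64", lambda t: base64.b64decode(bytes.fromhex(t), validate=True)),
        ("b64>hex", lambda t: bytes.fromhex(base64.b64decode(t, validate=True).decode("ascii"))),
    )
    for label, fn in attempts:
        try:
            out = fn(compact)
        except (ValueError, binascii.Error, UnicodeDecodeError):
            continue
        if out:
            return label, out
    return None


def split_http(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP message into start line, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def analyze_exchange(request_raw: str, response_raw: str) -> Dict[str, object]:
    """Report a custom SN header on the request and any script-tag body in the
    response that survives double decoding."""
    start_line, req_headers, _ = split_http(request_raw)
    _, _, resp_body = split_http(response_raw)
    payloads: List[Tuple[str, bytes]] = []
    for body in SCRIPT_BODY_RE.findall(resp_body):
        hit = decode_layers(body)
        if hit is not None:
            payloads.append(hit)
    return {
        "request": start_line,
        "sn_header": req_headers.get("sn"),  # None on ordinary browser traffic
        "payloads": payloads,                # (layer order, decoded bytes) per hit
    }


# Constructed capture: a beacon with a hardware-derived identifier in "SN", and a
# response whose page hides one staged blob next to a benign inline script.
SAMPLE_REQUEST = (
    "POST /news/latest HTTP/1.1\r\nHost: cdn.example.test\r\n"
    "User-Agent: Mozilla/5.0\r\nSN: 7f3a9c1e2b4d5e6f0a1b2c3d4e5f6a7b\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><p>weather widget</p>"
    "<script>console.log('benign inline script');</script>"
    '<script type="text/plain">' + encode_hex_outer(SAMPLE_PLAINTEXT) + "</script>"
    "</body></html>"
)

if __name__ == "__main__":
    result = analyze_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE)
    print("SN header:", result["sn_header"])
    for order, payload in result["payloads"]:
        print(order, payload.decode("utf-8", "replace"))
```

In network monitoring the two signals reinforce each other: a request carrying a non-standard SN header to a host that answers with a script block whose body is pure hex or Base64 is a far stronger indicator than either observation alone, and `decode_layers` rejects ordinary inline JavaScript because it fails both decoding orders.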
The group’s masquerading techniques extend beyond simple filename obfuscation to include strategic placement of malicious files in directories that mimic legitimate system locations.
Files are commonly stored in paths such as %LOCALAPPDATA%\DevicesMonitor and %APPDATA%\Microsoft\Windows\Templates, leveraging user familiarity with Microsoft’s directory structures to avoid suspicion.
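The scheduled-task persistence and the profile-directory staging described above, combined in an added Python example (not code from the report or the project it describes). It triages Task Scheduler XML of the kind exported with schtasks /query /xml, using two constructed task definitions; the five-minute interval threshold, the vendor-style name tokens and the path hints are assumptions drawn from the names and paths the report cites.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SHORT_INTERVAL_SECONDS = 5 * 60  # assumed threshold; the report cites 3-4 minute cadences
# Assumed hints: staging paths of the kind the report cites, and vendor-style name tokens.
USER_WRITABLE_HINTS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "%localappdata%", "%appdata%", "\\temp\\")
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")
LOOKALIKE_TOKENS = ("onedrive", "fileexplorer", "update")

_DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(text: str) -> int:
    """PT4M -> 240; returns 0 for an absent or unparseable interval."""
    m = _DURATION_RE.match((text or "").strip())
    if not m:
        return 0
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def triage_task(name: str, xml_text: str) -> Dict[str, object]:
    """Score one task definition on cadence, action path and name/location mismatch."""
    root = ET.fromstring(xml_text.strip())
    intervals = [iso_duration_seconds(e.text) for e in root.iter(TASK_NS + "Interval")]
    commands = [(e.text or "").strip().strip('"') for e in root.iter(TASK_NS + "Command")]
    arguments = [(e.text or "") for e in root.iter(TASK_NS + "Arguments")]
    cmdline = " ".join(commands + arguments).lower()

    findings: List[str] = []
    fastest = min((i for i in intervals if i > 0), default=0)
    if 0 < fastest <= SHORT_INTERVAL_SECONDS:
        findings.append(f"repeats every {fastest}s")
    if any(h in cmdline for h in USER_WRITABLE_HINTS):
        findings.append("action runs content from a user-writable profile path")
    vendor_style = any(t in name.lower() for t in LOOKALIKE_TOKENS)
    # A bare "powershell.exe" has no trusted prefix either, which is the point: a
    # vendor-named task should launch a vendor binary from its install directory.
    trusted_binary = any(c.lower().startswith(TRUSTED_PREFIXES) for c in commands)
    if vendor_style and not trusted_binary:
        findings.append("vendor-style name but executable outside Windows/Program Files")
    return {"task": name, "interval_seconds": fastest, "findings": findings}


# Two constructed task definitions (not exports from a real host).
SAMPLE_TASKS = {
    "OneDriveUpdateCoreFilesStart": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT4M</Interval></Repetition>
    <StartBoundary>2025-01-01T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-w hidden -f %LOCALAPPDATA%\DevicesMonitor\stage.ps1</Arguments>
  </Exec></Actions>
</Task>""",
    "ExampleVendorUpdateTask": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT1H</Interval></Repetition>
    <StartBoundary>2025-01-01T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>"C:\Program Files\ExampleVendor\updater.exe"</Command>
    <Arguments>/silent</Arguments>
  </Exec></Actions>
</Task>""",
}


def triage_all(tasks: Dict[str, str] = SAMPLE_TASKS) -> Dict[str, Dict[str, object]]:
    """Run the triage over a name -> XML map, as produced by exporting every task."""
    return {name: triage_task(name, xml_text) for name, xml_text in tasks.items()}


if __name__ == "__main__":
    for name, report in triage_all().items():
        print(name, report["findings"] or ["no findings"])
```

The three checks are deliberately independent: a short repetition interval alone is common for legitimate telemetry tasks, and a vendor-style name alone proves nothing, but a task that combines a minutes-level cadence with a script launched from a profile directory under a Microsoft-sounding name matches the pattern the report describes and deserves a look at the task file and its author.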
Additionally, UAC‑0099 demonstrates awareness of security tool detection by incorporating anti-analysis checks for common debugging and monitoring processes including idaq, fiddler, wireshark, and ollydbg, causing their malware to alter its behavior or terminate when such tools are detected.
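A static triage check for that anti-analysis process list, as an added Python example (not code from the report or from the malware). It scans a constructed byte buffer for the four tool names in both ASCII and UTF-16LE, because string literals compiled into a .NET assembly are stored as UTF-16LE and an ASCII-only strings pass misses them; the two-name threshold for calling the result a cluster is an assumption.

```python
from typing import Dict, List

# Process names the report says the malware looks for before altering behaviour.
ANALYSIS_TOOL_NAMES = ("idaq", "fiddler", "wireshark", "ollydbg")
CLUSTER_THRESHOLD = 2  # assumed: two or more names together is a triage signal


def find_tool_references(blob: bytes) -> Dict[str, List[str]]:
    """Map each tool name found to the encodings it was found in (ascii, utf-16le).
    Matching is case-insensitive on the ASCII letters, which covers both encodings."""
    lowered = blob.lower()  # bytes.lower() only touches ASCII letters, which is what we want
    hits: Dict[str, List[str]] = {}
    for name in ANALYSIS_TOOL_NAMES:
        encodings = []
        if name.encode("ascii") in lowered:
            encodings.append("ascii")
        if name.encode("utf-16-le") in lowered:  # letter, NUL, letter, NUL ... no BOM
            encodings.append("utf-16le")
        if encodings:
            hits[name] = encodings
    return hits


def classify(blob: bytes) -> str:
    """Coarse verdict: a cluster of tool names suggests embedded anti-analysis checks."""
    hits = find_tool_references(blob)
    if len(hits) >= CLUSTER_THRESHOLD:
        return "anti-analysis cluster: " + ", ".join(sorted(hits))
    if hits:
        return "single tool name: " + ", ".join(hits)
    return "no tool names"


# Constructed buffers standing in for a .NET assembly fragment; not real samples.
SAMPLE_SUSPECT = (
    b"MZ\x90\x00" + b"\x00" * 12
    + "Fiddler".encode("utf-16-le")           # wide literal, as a C# string is stored
    + b"\x00\x00" + "idaq".encode("utf-16-le")
    + b"\x00\x00WIRESHARK\x00"                 # an ASCII occurrence for contrast
    + b"\x00" * 8
)
SAMPLE_BENIGN = b"MZ\x90\x00" + "hello world".encode("utf-16-le") + b"\x00" * 8

if __name__ == "__main__":
    print(classify(SAMPLE_SUSPECT))
    print(classify(SAMPLE_BENIGN))
```

The tool names also occur in legitimate software (the tools' own installers, for one), so the verdict is a prompt for analysis rather than a detection on its own. Because the report says the malware alters its behaviour or exits when these process names are present, a hit like this also tells the analyst that dynamic analysis must be run with those tools absent or renamed, or the observed behaviour will not be representative.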