UAC‑0099, a sophisticated threat actor collective that has been operational since at least 2022, continues to represent a serious cybersecurity hazard through its evolving cyber-espionage initiatives aimed at Ukrainian governmental entities, military establishments, and defense-industrial organizations.
The group has shown remarkable flexibility through three major operational stages from 2023 to 2025, consistently enhancing its arsenal while upholding stable core strategies that have been effective against its targeted victims.
The threat actor’s preliminary appearance was highlighted by the usage of LONEPAGE, a PowerShell-based loader that served as the backbone of their illicit activities throughout 2022 and 2023.
This initial form established UAC‑0099’s inclination towards spear-phishing emails with harmful attachments, particularly those masquerading as legal documents like subpoenas or court notices.
The group’s capability to exploit social engineering techniques, combined with their technological sophistication, has allowed them to effectively breach high-value targets across Ukraine’s essential infrastructure sectors.
By late 2024, UAC‑0099 had considerably advanced their delivery methods, integrating the exploitation of the WinRAR vulnerability CVE-2023-38831 alongside their conventional phishing tactics.
SIMKRA, a researcher and analyst, observed that this transitional phase marked a significant shift in the group’s operational tactics, introducing a more intricate two-stage loader model that enhanced their obfuscation capabilities.
The attackers began encrypting their PowerShell payloads with 3DES and storing them in files such as app.lib.conf, while .NET binary components such as update.win.app.com decrypted and ran the malicious code in memory.
The most significant change occurred in mid-2025 with the rollout of a completely new C# malware suite including MATCHBOIL, MATCHWOK, and DRAGSTARE.
This represents a total revamp of their technical framework, showcasing the group’s commitment to sustaining operational efficacy despite rising security awareness and countermeasures.
The revamped toolkit exhibits advanced sophistication in command and control interactions, data exfiltration capabilities, and anti-analysis features designed to thwart security analysts and automated detection systems.
Advanced Persistence and Evasion Mechanisms
UAC‑0099’s persistence methods indicate a refined understanding of Windows operating system frameworks and prevalent administrative practices.
The collective consistently utilizes scheduled tasks as their primary persistence method, crafting tasks with deceptively legitimate titles such as “OneDriveUpdateCoreFilesStart” and “FileExplorerUpdateTaskMachineCore” that blend seamlessly into routine system maintenance activities.
These tasks are designed to execute frequently, often every 3-4 minutes, ensuring continuous malware operation while preserving a low profile.
The 2025 MATCHBOIL loader exemplifies their refined obfuscation methods through its layered encoding strategy.
The malware retrieves payloads concealed within superficially innocent web content, specifically data embedded within script tags, which it recovers through HEX and Base64 decoding steps.
This strategy allows the malware to mask command and control communications as genuine web traffic, significantly complicating detection for network security monitoring systems.
MATCHBOIL further augments its stealth capabilities by generating unique host identifiers based on CPU ID, BIOS serial numbers, and MAC addresses, which are sent through custom HTTP headers labeled “SN” during command and control interactions.
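As an added, defender-side example (not code from the original article or from any UAC‑0099 sample), the following Python scans an HTTP response body for script-tag content that decodes cleanly through the HEX and Base64 layers described above and flags the custom SN header. The layer order (HEX outside, Base64 inside), the sample HTML, the placeholder stage text and the marker strings are constructed assumptions for illustration.

```python
import base64
import binascii
import re

# Constructed placeholder stage text (not a real UAC-0099 artifact).
SAMPLE_STAGE_TEXT = "IEX 'constructed placeholder stage'"

SCRIPT_TAG_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
# Assumed indicator strings for a PowerShell stage; tune to your environment.
SUSPICIOUS_MARKERS = (b"iex", b"invoke-expression", b"downloadstring",
                      b"frombase64string", b"-enc", b"powershell")

def encode_hex_over_base64(text):
    """Build the assumed two-layer encoding (Base64, then HEX) for the sample."""
    return binascii.hexlify(base64.b64encode(text.encode())).decode()

def decode_hex_then_base64(blob):
    """Undo both layers; return bytes, or None if the blob is not encoded that way."""
    blob = "".join(blob.split())
    if len(blob) < 16 or len(blob) % 2 or not HEX_RE.match(blob):
        return None
    try:
        return base64.b64decode(binascii.unhexlify(blob), validate=True)
    except (binascii.Error, ValueError):
        return None

def find_staged_payloads(html):
    """Return one finding per <script> body that double-decodes cleanly."""
    findings = []
    for match in SCRIPT_TAG_RE.finditer(html):
        decoded = decode_hex_then_base64(match.group(1))
        if decoded is None:
            continue  # ordinary JavaScript or non-hex content
        low = decoded.lower()
        findings.append({
            "offset": match.start(),
            "decoded_length": len(decoded),
            "markers": [m.decode() for m in SUSPICIOUS_MARKERS if m in low],
        })
    return findings

def suspicious_headers(headers):
    """Flag the custom 'SN' request header that carries the host identifier."""
    return sorted(name for name in headers if name.upper() == "SN")

# Constructed HTML response: one benign script, one hex-over-base64 stage.
SAMPLE_HTML = ("<html><body><p>Maintenance page</p><script>var ok = 1;</script>"
               f"<script>{encode_hex_over_base64(SAMPLE_STAGE_TEXT)}</script></body></html>")
```

Running find_staged_payloads(SAMPLE_HTML) reports the second script tag with the "iex" marker, while the benign script is skipped; the same functions can be pointed at captured response bodies and request headers from a proxy or sensor.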
The group’s masquerading methods extend beyond simple filename obfuscation to include the strategic placement of harmful files in directories that imitate legitimate system locations.
Files are commonly located in paths such as %LOCALAPPDATA%\DevicesMonitor and %APPDATA%\Microsoft\Windows\Templates, leveraging user familiarity with Microsoft’s directory structures to avoid arousing suspicion.
Moreover, UAC‑0099 shows awareness of analysis tooling: its malware checks for common debugging and monitoring processes, including idaq, fiddler, wireshark, and ollydbg, and alters its behavior or terminates when such tools are detected.