UAC-0099 Attack Detection: Hackers Target Government and Defense Agencies in Ukraine Using MATCHBOIL, MATCHWOK, and DRAGSTARE Malware

The UAC-0099 hacking collective, active in cyber-espionage campaigns against Ukraine since mid-2022, has reemerged in the cyber threat arena. The CERT-UA team has recently investigated a series of cyber-attacks linked to the UAC-0099 group targeting government authorities, defense forces, and enterprises within Ukraine’s defense industry sector, leveraging the MATCHBOIL loader, the MATCHWOK backdoor, and the DRAGSTARE stealer.

Detect UAC-0099 Activity Using MATCHBOIL, MATCHWOK & DRAGSTARE Malware

The growing wave of highly persistent cyber-espionage campaigns linked to the UAC-0099 hacking group, leveraging phishing as the initial attack vector and adopting evolving TTPs, encourages security teams to enhance cybersecurity awareness and strengthen their organizational defenses. To help organizations safeguard against emerging attacks by UAC-0099 targeting the public and defense sector and covered in the latest CERT-UA research, SOC Prime Platform has curated a dedicated list of relevant detection content.

Click the Explore Detections button to explore the entire collection of relevant Sigma rules mapped to MITRE ATT&CK®, enriched with actionable CTI and operational metadata, and ready to deploy in the selected language format compatible with your SIEM, EDR, and Data Lake in use. 


Alternatively, security engineers can also apply the corresponding “MATCHBOIL,” “MATCHWOK,” or “DRAGSTARE” custom tags to search for dedicated detections against cyber-attacks covered in the latest CERT-UA heads-up. For more relevant detection content, teams can use the “UAC-0099” custom tag to enhance proactive defenses against the group’s persistent activity. 

Security engineers also use Uncoder AI to speed up IOC correlation and hunt for indicators linked to UAC-0099 threats based on the relevant CERT-UA research. The platform allows automatic conversion of IOCs from any non-binary format into custom hunting queries tailored to the selected SIEM or EDR solution. On the Generate tab in Uncoder AI, paste threat intel, select Threat Report/IOCs > IOC Query, then select the platform, and instantly get the custom IOC query ready to run in your chosen environment.

Rely on Uncoder AI to seamlessly convert IOCs from CERT-UA's threat report into custom hunting queries related to UAC-0099 attacks against Ukraine.

UAC-0099 Activity Analysis 

The nefarious UAC-0099 hacking collective has been launching cyber-espionage operations against Ukraine for over three years, mainly relying on a phishing attack vector to gain initial access and employing diverse adversary tools, including multiple malware samples, loaders, and stealers. Between 2022 and 2023, attackers obtained unauthorized remote access to numerous computers within Ukrainian entities, aiming to collect intelligence from the affected systems. During November–December 2024, defenders recorded a surge in the group’s malicious activity, targeting the Ukrainian public sector through phishing campaigns and deploying LONEPAGE malware.

On August 4, 2025, CERT-UA issued a novel alert notifying defenders of a wave of new cyber-attacks against Ukrainian state bodies, defense forces, and defense industry enterprises orchestrated by UAC-0099.

The initial attack stage involves the distribution of phishing emails, primarily sent via UKR.NET. These emails contain links to legitimate file-sharing services (sometimes shortened via URL shorteners), leading to the download of a double archive that includes an HTA file. The latter contains an additionally obfuscated VBScript that creates, on the infected machine, a text file with HEX-encoded data (“documenttemp.txt”), a text file with PowerShell code (“temporarydoc.txt”), and a scheduled task (“PdfOpenTask”).

The scheduled task “PdfOpenTask” is designed to read and execute the PowerShell code with the primary function to convert the HEX-encoded data into bytes, write them to a file with the “.txt” extension, rename the latter to an EXE file (“AnimalUpdate.exe”) in the same directory, and create a scheduled task to execute it.

As a result, the MATCHBOIL loader (likely replacing LONEPAGE) is deployed on the compromised system. Incident response revealed that additional tools, such as the MATCHWOK backdoor and the DRAGSTARE stealer, may also be downloaded onto the machine.
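As an added example (not code from the CERT-UA report or from SOC Prime's rule set), the following Python correlates constructed Sysmon-style events against the artifacts of the chain described above (mshta.exe launch, the documenttemp.txt/temporarydoc.txt staging files, the PdfOpenTask scheduled task, and the .txt-to-.exe rename) and flags hosts where at least two stages are observed; the event layout, host names and command lines are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (not from the CERT-UA report): one dict per event.
# id 1 = process create, 11 = file create; 4698 models the Security-log
# "scheduled task created" event.
SAMPLE_EVENTS = [
    {"host": "ws01", "id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\u\Downloads\Dodatok.hta"'},
    {"host": "ws01", "id": 11, "image": r"C:\Windows\System32\mshta.exe",
     "target": r"C:\Users\u\AppData\Local\documenttemp.txt"},
    {"host": "ws01", "id": 11, "image": r"C:\Windows\System32\mshta.exe",
     "target": r"C:\Users\u\AppData\Local\temporarydoc.txt"},
    {"host": "ws01", "id": 4698, "task": "PdfOpenTask"},
    {"host": "ws01", "id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -c Rename-Item AnimalUpdate.txt AnimalUpdate.exe"},
    {"host": "ws02", "id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Temp\setup.hta"},
]

# Each rule: (name, ATT&CK id, predicate). Rule names are ours; the file names,
# task name and binary name are the artifacts published by CERT-UA.
RULES = [
    ("mshta_launch", "T1218.005",
     lambda e: e["id"] == 1 and e.get("image", "").lower().endswith(r"\mshta.exe")),
    ("stage_files", "T1027",
     lambda e: e["id"] == 11 and e.get("target", "").lower().endswith(
         ("documenttemp.txt", "temporarydoc.txt"))),
    ("pdfopentask", "T1053.005",
     lambda e: e["id"] == 4698 and e.get("task", "").lower() == "pdfopentask"),
    ("txt_to_exe", "T1036",
     lambda e: e["id"] == 1 and re.search(
         r"rename-item\b.*\.txt\b.*\.exe\b", e.get("cmdline", ""), re.I) is not None),
]

def score_hosts(events, min_rules=2):
    """Return {host: sorted (rule, technique) pairs} for hosts hitting >= min_rules rules.

    Requiring several stages on the same host keeps a lone mshta.exe launch
    (common in legitimate admin tooling) from paging the SOC on its own."""
    hits = defaultdict(set)
    for e in events:
        for name, tech, pred in RULES:
            if pred(e):
                hits[e["host"]].add((name, tech))
    return {h: sorted(r) for h, r in hits.items() if len(r) >= min_rules}
```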

MATCHBOIL is a C#-based malware that downloads additional payloads to the infected machine and creates a registry key in the “Run” branch to enable their execution.

Upon execution, it collects basic system information, including the CPU hardware ID, BIOS serial number, username, and the network interface’s MAC address. These values are concatenated and used in the “SN” header of HTTP requests. MATCHBOIL communicates with the C2 server over HTTP, adding custom headers while the “User-Agent” header contains a hardcoded string. To download payloads, the malware issues an HTTP GET request to a specific URI, decodes them from HEX and BASE64, and writes them to a .com file. The C2 address is also retrieved via HTTP GET and stored in a configuration file. Persistence for MATCHBOIL is ensured by a scheduled task created during the initial execution of the HTA file delivered in the phishing email archive.
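An added triage helper (not the malware's code or the report's) for the encoded artifacts mentioned above: the HEX-only blob staged in documenttemp.txt and the HEX- and Base64-wrapped payloads MATCHBOIL downloads. Because the page does not state which layer is outermost in the downloads, the helper peels whichever encoding it recognises until a PE (“MZ”) appears; the sample blobs are constructed.

```python
import base64
import binascii
import string

HEX_CHARS = set(string.hexdigits)
B64_CHARS = set(string.ascii_letters + string.digits + "+/=")

def peel_layer(data: bytes):
    """Remove one encoding layer. Returns (layer_name, decoded) or None if none applies."""
    try:
        s = data.strip().decode("ascii")
    except UnicodeDecodeError:
        return None
    # Hex is checked first: every hex string is also a syntactically valid base64 string.
    if s and len(s) % 2 == 0 and set(s) <= HEX_CHARS:
        return "hex", binascii.unhexlify(s)
    if s and set(s) <= B64_CHARS:
        try:
            return "base64", base64.b64decode(s, validate=True)
        except binascii.Error:
            return None
    return None

def unwrap(data: bytes, max_layers: int = 4) -> dict:
    """Strip nested hex/base64 layers and report whether a PE ('MZ') emerges."""
    layers, cur = [], data
    for _ in range(max_layers):
        if cur[:2] == b"MZ":
            break
        step = peel_layer(cur)
        if step is None:
            break
        name, cur = step
        layers.append(name)
    return {"layers": layers, "is_pe": cur[:2] == b"MZ", "size": len(cur)}

# Constructed samples: a stand-in "PE" (just the MZ magic plus padding), once
# wrapped base64-inside-hex like a MATCHBOIL download (assumed order), once
# hex-only like documenttemp.txt.
FAKE_PE = b"MZ" + b"\x90" * 62
SAMPLE_DOWNLOAD = binascii.hexlify(base64.b64encode(FAKE_PE))
SAMPLE_DOCUMENTTEMP = binascii.hexlify(FAKE_PE)
```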

MATCHWOK is a C# backdoor designed to execute PowerShell commands by compiling .NET programs at runtime and passing the commands to the PowerShell interpreter via STDIN. The command output is saved to %TEMP%\tempres and transmitted to the C2 server over HTTPS. The commands to be executed are AES-256 encrypted and embedded between <script> tags in a file or web page loaded by the backdoor. Persistence is ensured through the MATCHBOIL loader, which creates a registry key in the “Run” branch. The backdoor leverages a set of anti-analysis techniques to stay under the radar, including checks for the presence of specific processes.

Another malware from the group’s offensive toolkit observed in the latest campaign is DRAGSTARE, a C# information stealer. It collects extensive system data, including the computer name, username, OS version and architecture, number of logical processors, RAM size, disk name, type, total and free space, network interface details, results of local network host pings, a list of active TCP connections, and more.

This malware implements credential theft from Chrome and Mozilla browsers, including decrypted encryption keys, SQLite databases, and files such as key4.db, cert9.db, logins.json, and pkcs11.txt, extracting authentication data like logins, passwords, and cookies.

DRAGSTARE recursively searches for files with specific extensions within Desktop, Documents, and Downloads directories, moves them to a staging directory, archives them into a ZIP file, and exfiltrates them. Additionally, it executes PowerShell commands received from the C2 server in a separate thread. 

DRAGSTARE also applies evasion techniques to avoid detection, such as anti-malware analysis checks, and achieves persistence by creating a registry key in the Windows “Run” branch. 

The observed changes in the UAC-0099 group’s TTPs indicate the evolving and persistent nature of this cyber threat. These developments highlight the critical need for robust cybersecurity measures, as the group’s evolving adversary toolkit and ability to remain undetected pose a persistent threat to targeted organizations. Rely on SOC Prime’s complete product suite backed by AI, automated capabilities, and real-time threat intel to proactively defend against emerging APT attacks and other threats of any scale and sophistication.

MITRE ATT&CK Context

Using the MITRE ATT&CK framework offers detailed insight into the latest UAC-0099 operations leveraging MATCHBOIL, MATCHWOK, and DRAGSTARE malware. The table below outlines all relevant Sigma rules mapped to the associated ATT&CK tactics, techniques, and sub-techniques.

| Tactics | Techniques | Sigma Rule |
| --- | --- | --- |
| Initial Access | Phishing: Spearphishing Attachment (T1566.001) | |
| Execution | Command and Scripting Interpreter: PowerShell (T1059.001) | |
| Execution | Command and Scripting Interpreter: Windows Command Shell (T1059.003) | |
| Execution | Command and Scripting Interpreter: Visual Basic (T1059.005) | |
| Execution | Scheduled Task/Job: Scheduled Task (T1053.005) | |
| Execution | Exploitation for Client Execution (T1203) | |
| Execution | User Execution: Malicious File (T1204.002) | |
| Discovery | System Network Configuration Discovery (T1016) | |
| Discovery | System Information Discovery (T1082) | |
| Discovery | System Owner/User Discovery (T1033) | |
| Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) | |
| Defense Evasion | Obfuscated Files or Information (T1027) | |
| Defense Evasion | Modify Registry (T1112) | |
| Defense Evasion | Masquerading (T1036) | |
| Defense Evasion | System Binary Proxy Execution (T1218) | |
| Defense Evasion | System Binary Proxy Execution: Mshta (T1218.005) | |
| Defense Evasion | Hide Artifacts (T1564) | |
| Defense Evasion | Hide Artifacts: Hidden Window (T1564.003) | |
| Command and Control | Application Layer Protocol: Web Protocols (T1071.001) | |
| Command and Control | Ingress Tool Transfer (T1105) | |
