UAC-0099 Hackers Exploiting HTA Files to Distribute MATCHBOIL Loader Malware
The Ukrainian threat intelligence group UAC-0099 has significantly advanced its cyber warfare capabilities by deploying a sophisticated malware toolkit aimed at Ukrainian state authorities, Defence Forces, and defence industrial enterprises. The National Cyber Incident Response Team CERT-UA has documented a series of coordinated attacks that use HTA (HTML Application) files as the primary delivery mechanism for the newly identified MATCHBOIL loader malware.

These attacks begin with carefully crafted phishing emails, predominantly sent from UKR.NET addresses and posing as official court summons. The emails contain links to legitimate file-sharing services, including shortened URLs, which lead victims to download double-archived files containing malicious HTA components. This social engineering tactic exploits the perceived legitimacy of legal documentation to circumvent initial user suspicion.

CERT-UA analysts have found that the HTA files contain heavily obfuscated VBScript designed to establish multiple persistence mechanisms on compromised systems.
Upon execution, the malicious script generates several files, including “documenttemp.txt,” which contains HEX-encoded data, and “temporarydoc.txt,” which holds PowerShell code. It also creates a scheduled task named “PdfOpenTask” for sustained system access.

The threat actors have developed a multi-component malware ecosystem consisting of three primary tools: MATCHBOIL serves as the initial loader, MATCHWOK functions as a backdoor for remote command execution, and DRAGSTARE operates as a comprehensive data stealer. This trio of malicious software illustrates the group’s evolution from previous campaigns and indicates a shift towards more persistent, multi-stage attack operations.

The MATCHBOIL loader, written in C#, implements a multi-stage deployment process that ensures persistent system compromise. The initial HTA file execution triggers the creation of the scheduled task “PdfOpenTask,” which converts the HEX-encoded data into executable bytes and transmits system fingerprinting data to command-and-control servers hosted on domains such as egyptanimals[.]com and geostat[.]lat.
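The chain described above (mshta.exe opening an .hta, the two dropped text files, the “PdfOpenTask” scheduled task, and DNS queries to the named C2 domains) gives a defender concrete host-level indicators to hunt for. The following detection logic is an added example, not code from the article or from CERT-UA; the simplified Sysmon-style event shape and field names are assumptions, and the sample events are constructed.

```python
import re

# Indicators quoted from the CERT-UA description in the article above.
DROPPED_FILES = {"documenttemp.txt", "temporarydoc.txt"}
TASK_NAME = "PdfOpenTask"
C2_DOMAINS = {d.replace("[.]", ".") for d in ("egyptanimals[.]com", "geostat[.]lat")}
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

# Constructed sample events in a simplified Sysmon-like shape (field names are assumed, not Sysmon's).
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\Downloads\summons.hta"},
    {"event": "file_create", "image": r"C:\Windows\System32\mshta.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\documenttemp.txt"},
    {"event": "file_create", "image": r"C:\Windows\System32\mshta.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\temporarydoc.txt"},
    {"event": "task_create", "image": r"C:\Windows\System32\schtasks.exe", "task_name": "PdfOpenTask"},
    {"event": "dns_query", "image": r"C:\Users\u\AppData\Roaming\loader.exe", "query": "egyptanimals.com"},
    {"event": "dns_query", "image": r"C:\Program Files\Browser\browser.exe", "query": "example.org"},
]

def basename(path):
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def match_event(ev):
    """Return a list of (rule_name, detail) hits for one event; [] if nothing matched."""
    hits = []
    kind = ev.get("event")
    if kind == "process_create" and basename(ev["image"]) == "mshta.exe" \
            and re.search(r"\.hta\b", ev.get("cmdline", ""), re.I):
        hits.append(("hta_via_mshta", ev["cmdline"]))
    if kind == "file_create" and basename(ev["target"]) in DROPPED_FILES:
        hits.append(("matchboil_dropped_file", ev["target"]))
    if kind == "task_create" and ev.get("task_name", "").lower() == TASK_NAME.lower():
        hits.append(("matchboil_scheduled_task", ev["task_name"]))
    if kind == "dns_query" and ev.get("query", "").lower().rstrip(".") in C2_DOMAINS:
        hits.append(("matchboil_c2_domain", ev["query"]))
    return hits

def scan(events):
    """Run every rule over every event and group the hit details by rule name."""
    results = {}
    for ev in events:
        for rule, detail in match_event(ev):
            results.setdefault(rule, []).append(detail)
    return results

def looks_hex_payload(content, min_len=64):
    """Triage aid for a recovered documenttemp.txt: is the content one long even-length hex string?"""
    body = "".join(content.split())
    return len(body) >= min_len and bool(HEX_RE.match(body))
```

The matches on file names and task name are exact, so renamed artifacts in a later campaign would need the indicator sets updated; the mshta-opens-.hta rule is the more durable behavioural signal.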