UAC-0099: Uncovering Tactics, Techniques, Procedures, and Attack Methods for Enhanced Security Awareness
UAC-0099 is a sophisticated threat actor group that has been active since at least 2022, and continues to pose a significant cybersecurity threat through evolving cyber-espionage campaigns targeting Ukrainian government agencies, military organisations, and defence-industrial entities. The group has demonstrated remarkable adaptability across three major operational phases spanning 2023 to 2025, systematically refining their toolkit while maintaining consistent core tactics that have proven effective against their intended targets. Their initial emergence was marked by the deployment of LONEPAGE, a PowerShell-based loader that served as the foundation for their malicious operations throughout 2022 and 2023. This early phase established UAC-0099’s preference for spear-phishing emails containing malicious attachments, particularly those masquerading as legal documents such as subpoenas or court summons. The group’s ability to leverage social engineering tactics, combined with their technical sophistication, has enabled them to successfully compromise high-value targets across Ukraine’s critical infrastructure sectors.
By late 2024, UAC‑0099 had significantly evolved their delivery mechanisms, incorporating the exploitation of the WinRAR vulnerability CVE-2023-38831 alongside their traditional phishing approaches. Analyst SIMKRA noted that this transition period marked a crucial shift in the group’s operational methodology, introducing a more complex two-stage loader approach that enhanced their evasion capabilities. The attackers began encrypting their PowerShell payloads using 3DES encryption and storing them in files such as app.lib.conf, while utilising .NET binary components like update.win.app.com to decrypt and execute the malicious code in memory. The most dramatic transformation occurred in mid-2025 with the introduction of an entirely new C# malware suite comprising MATCHBOIL, MATCHWOK, and DRAGSTARE. This overhaul of their technical infrastructure demonstrates the group’s commitment to maintaining operational effectiveness despite increasing security awareness and defensive measures. Their new toolkit showcases enhanced sophistication in command and control communications, data exfiltration capabilities, and anti-analysis features designed to thwart security researchers and automated detection systems.
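The late-2024 chain described above stores a 3DES-encrypted PowerShell payload in a file named app.lib.conf that a .NET binary decrypts in memory. As an added example (not code from the report or from the analyst cited), the Python triage script below flags "configuration" files whose byte distribution looks like ciphertext rather than text and matches the two file names quoted above; the thresholds and the sample files are assumptions constructed for this demonstration.

```python
import math
from collections import Counter

# Thresholds are assumptions for this example, not values from the report.
# 3DES ciphertext is close to uniform, so a "config" file scoring near
# 8 bits/byte with few printable bytes looks like an encrypted payload.
HIGH_ENTROPY = 7.0
MAX_PRINTABLE = 0.5
# File names quoted in the report for the late-2024 two-stage loader chain.
KNOWN_NAMES = {"app.lib.conf", "update.win.app.com"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    return sum(b in (9, 10, 13) or 32 <= b < 127 for b in data) / len(data)


def triage(name: str, data: bytes) -> dict:
    """Score one file by name match and entropy/printability; any hit flags it."""
    ent, pr = shannon_entropy(data), printable_ratio(data)
    reasons = []
    if name.lower() in KNOWN_NAMES:
        reasons.append("name matches a reported UAC-0099 loader artefact")
    if ent >= HIGH_ENTROPY and pr <= MAX_PRINTABLE:
        reasons.append(f"high entropy ({ent:.2f} bits/byte) for a config file")
    return {"name": name, "entropy": round(ent, 2), "printable": round(pr, 2),
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples: a genuine text config, and a stand-in for an
# encrypted blob (every byte value equally often, i.e. 8.0 bits/byte).
SAMPLES = {
    "settings.conf": b"[server]\nhost=127.0.0.1\nport=8080\n" * 8,
    "app.lib.conf": bytes(range(256)) * 8,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(triage(name, blob))
```

A name match alone is reported as one reason so that a hunt over endpoint file listings still surfaces the artefact even when the file has been replaced by a plaintext decoy.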
Categories: Cyber-Espionage, Malware Development, Social Engineering
Tags: UAC‑0099, Cyber-Espionage, Ukrainian Government, Spear-Phishing, LONEPAGE, WinRAR Vulnerability, Two-Stage Loader, Data Exfiltration, Command and Control, Advanced Persistence