UAC-0099 Hackers Weaponize HTA Files to Deploy MATCHBOIL Loader Malware
UAC-0099 is a threat actor that has been targeting state officials, defense forces, and defense-industrial firms in a series of sophisticated cyberattacks that Ukraine’s CERT-UA has been investigating.
The attacks typically begin with phishing emails sent from UKR.NET addresses, featuring subjects like “court summons” and links to legitimate file-sharing services, often shortened via URL shorteners.
These links lead to double-archived files containing malicious HTML Application (HTA) files.
Targeting Ukrainian Defense
Upon execution, the HTA files deploy obfuscated VBScript that creates temporary text files with HEX-encoded data and PowerShell code, alongside a scheduled task named “PdfOpenTask.”
This task executes the PowerShell script, which decodes the data into a .txt file, renames it to an executable like “AnimalUpdate.exe,” and sets up another scheduled task “\AnimalSoft\UpdateAnimalSoftware” to ensure persistence.
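The two scheduled tasks in the chain above are the most durable artifacts a defender can hunt for. The script below is an added example written for this article, not code from CERT-UA or gbhackers: it triages Windows Security "scheduled task was created" records (Event ID 4698) by parsing the task's XML definition and flagging the task names and executable name the article reports, plus the generic pattern of a script host or executable launched from a user-writable path. The event records, field names and file paths are constructed fixtures; only the task names "PdfOpenTask" and "\AnimalSoft\UpdateAnimalSoftware" and the file name "AnimalUpdate.exe" come from the article.

```python
"""Triage Windows 'scheduled task created' events (Security Event ID 4698)
for the task-based persistence pattern described in the article.

Added example; not CERT-UA or gbhackers code. All event records below are
constructed fixtures. Only the task names and the executable name are
taken from the article.
"""
import re
import xml.etree.ElementTree as ET

# Task names and executable name reported in the article (treated as IoCs).
KNOWN_TASK_NAMES = {r"\pdfopentask", r"\animalsoft\updateanimalsoftware"}
KNOWN_FILE_NAMES = {"animalupdate.exe"}

# Script hosts commonly used as task actions by script-based loaders.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# User-writable locations a legitimate installer rarely schedules tasks from.
USER_WRITABLE = re.compile(r"(\\appdata\\|\\temp\\|\\users\\public\\|\\programdata\\)", re.I)

# Task Scheduler XML namespace used in the TaskContent field of Event 4698.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def task_xml(command, arguments=""):
    """Build a minimal Task Scheduler definition (constructed test fixture)."""
    return (
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Actions><Exec>"
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed sample of three 4698 records: the two tasks from the article
# and one benign built-in task for contrast. Paths are invented.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": r"\PdfOpenTask",
     "TaskContent": task_xml(
         "powershell.exe",
         r"-ExecutionPolicy Bypass -File C:\Users\victim\AppData\Local\Temp\stage.txt")},
    {"EventID": 4698, "TaskName": r"\AnimalSoft\UpdateAnimalSoftware",
     "TaskContent": task_xml(r"C:\Users\victim\AppData\Roaming\AnimalSoft\AnimalUpdate.exe")},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": task_xml(r"%windir%\system32\defrag.exe", "-c -h -o")},
]


def parse_actions(task_content):
    """Return (command, arguments) pairs from a Task Scheduler XML definition."""
    root = ET.fromstring(task_content)
    actions = []
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (exec_node.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (exec_node.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        actions.append((cmd, args))
    return actions


def triage_event(event):
    """Check one 4698 record; returns a list of reasons (empty list = nothing flagged)."""
    reasons = []
    if event["TaskName"].lower() in KNOWN_TASK_NAMES:
        reasons.append(f"task name matches reported IoC: {event['TaskName']}")
    for cmd, args in parse_actions(event["TaskContent"]):
        exe = cmd.lower().rsplit("\\", 1)[-1].strip('"')
        if exe in KNOWN_FILE_NAMES:
            reasons.append(f"action runs reported loader file name: {exe}")
        if exe in SCRIPT_HOSTS and USER_WRITABLE.search(args):
            reasons.append(f"script host {exe} runs content from a user-writable path")
        if exe not in SCRIPT_HOSTS and USER_WRITABLE.search(cmd):
            reasons.append(f"task executable lives in a user-writable path: {cmd}")
    return reasons


def triage(events):
    """Return {task_name: reasons} for every event that tripped at least one check."""
    flagged = {}
    for event in events:
        reasons = triage_event(event)
        if reasons:
            flagged[event["TaskName"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The name-based checks catch only this reported campaign; the path-based checks are the ones worth keeping in a SIEM rule, since a renamed task that still launches PowerShell from a Temp directory or an executable from AppData trips them just the same. On a real host, the same logic can be applied to the output of Get-ScheduledTask rather than to event logs.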

This chain deploys the MATCHBOIL loader, potentially replacing earlier variants like LONEPAGE ...
Copyright of this story solely belongs to gbhackers.