UAC-0099
UAC-0099 is a Russia-aligned cyberespionage threat actor tracked by CERT-UA. It has been active against Ukraine since at least 2022, with some reporting placing the start of its activity in the second half of that year. The group targets Ukrainian state authorities, government agencies, the Defense Forces, and enterprises in the defense-industrial complex, and has also targeted Ukrainian employees working for companies outside Ukraine. CERT-UA and related reporting describe UAC-0099 as regularly conducting cyberespionage operations and as having gained unauthorized remote access to dozens of local computers.

UAC-0099 relies primarily on phishing for initial access, including spearphishing and court-summons-themed lures sent via UKR.NET. Campaigns use links to legitimate file-hosting services, sometimes shortened, that deliver double-archive payloads containing HTA files. Execution triggers obfuscated VBScript and PowerShell activity, including the creation of scheduled tasks such as PdfOpenTask, which serve as persistence mechanisms for deploying malware.

The group has used and updated multiple malware families: LONEPAGE in earlier activity and, more recently, the MATCHBOIL loader, the MATCHWOK backdoor, and the DRAGSTARE stealer. MATCHBOIL is described as a C# loader that fingerprints hosts, communicates with its C2 by placing collected system data in HTTP headers, retrieves additional payloads, and establishes persistence via scheduled tasks. MATCHWOK is a C# backdoor that executes PowerShell commands, compiles .NET code at runtime, exfiltrates results over HTTPS, receives AES-256-encrypted commands hidden in script tags, and includes anti-analysis checks for tools such as IDA, Wireshark, and Procmon. DRAGSTARE is a C# infostealer that collects system information, browser data including credentials and cookies, screenshots, and selected files such as documents and PDFs, and uses persistence and anti-VM or anti-analysis techniques.

Reporting also states that UAC-0099 has supported Sandworm by conducting initial access operations against targets in Ukraine and then handing off validated targets for follow-up activity, including in some Sandworm wiper attacks. This collaboration is described as uncommon but was observed in 2025. Known alias: uac_0099.
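The delivery chain described above (archived HTA, mshta launching obfuscated script hosts, PowerShell, and a scheduled task named PdfOpenTask) leaves a recognisable trail in endpoint process-creation telemetry. The following is an added detection example, not code from the page or from CERT-UA or Mallory; it runs three hunting rules over constructed Sysmon-style process events (assumed field names Image, CommandLine, ParentImage; the sample paths and the encoded-command value are made up) and flags the steps of the chain. Only the task name PdfOpenTask comes from the reporting; the path and parent-process heuristics are general assumptions a defender would tune to their environment.

```python
"""Hunt for the UAC-0099 HTA -> script host -> scheduled task chain in process events.

Added example (not part of the original page). The events below are
constructed for illustration and are not real telemetry. Field names
follow the common Sysmon Event ID 1 layout: Image, CommandLine, ParentImage.
"""
import re
from dataclasses import dataclass

# Script hosts that the chain abuses (obfuscated VBScript/PowerShell stages).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Task name reported for this chain; extend with names from your own reporting.
KNOWN_TASK_NAMES = {"pdfopentask"}


@dataclass
class Event:
    image: str
    command_line: str
    parent_image: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(ev: Event) -> list[str]:
    """Return the list of rule names this single event triggers (empty if none)."""
    findings = []
    img = _basename(ev.image)
    parent = _basename(ev.parent_image)
    cmd = ev.command_line.lower()

    # Rule 1: mshta running an .hta from a user-writable location such as a
    # temp or download folder (where an archive extractor drops the file).
    if img == "mshta.exe" and ".hta" in cmd and re.search(r"\\(temp|downloads|appdata)\\", cmd):
        findings.append("hta-from-user-path")

    # Rule 2: a script host spawning PowerShell with an encoded command,
    # matching the obfuscated VBScript -> PowerShell handoff.
    if img == "powershell.exe" and parent in SCRIPT_HOSTS \
            and re.search(r"\s-(e|enc|encodedcommand)\s", cmd):
        findings.append("encoded-powershell-from-script-host")

    # Rule 3: scheduled task creation, either with a known task name or
    # launched by a script host (persistence stage).
    if img == "schtasks.exe" and "/create" in cmd:
        m = re.search(r'/tn\s+"?([^\s"]+)', cmd)
        name = m.group(1) if m else ""
        if name in KNOWN_TASK_NAMES:
            findings.append(f"known-task-name:{name}")
        elif parent in SCRIPT_HOSTS:
            findings.append("schtasks-from-script-host")
    return findings


def scan(events: list[Event]) -> dict[int, list[str]]:
    """Map event index -> findings for every event that hits at least one rule."""
    return {i: f for i, ev in enumerate(events) if (f := analyze(ev))}


# Constructed sample events (hypothetical paths and values, not real IoCs).
SAMPLE_EVENTS = [
    Event(r"C:\Windows\System32\mshta.exe",
          r'mshta.exe "C:\Users\bob\AppData\Local\Temp\Rar$DIa1\summons.hta"',
          r"C:\Program Files\WinRAR\WinRAR.exe"),
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -nop -w hidden -enc SQBFAFgA",
          r"C:\Windows\System32\wscript.exe"),
    Event(r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /create /tn PdfOpenTask /sc minute /mo 3 /tr "wscript.exe C:\Users\bob\AppData\Roaming\a.vbs"',
          r"C:\Windows\System32\wscript.exe"),
    Event(r"C:\Windows\System32\schtasks.exe",  # benign admin task, should not fire
          "schtasks.exe /create /tn Backup /sc daily /tr backup.exe",
          r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].command_line, "->", hits)
```

Each rule on its own is noisy in an environment that legitimately uses HTA or encoded PowerShell; the value comes from correlating the three hits on one host within a short window, which is what the chain in the reporting looks like.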
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- RU
Tradecraft
10 distinct techniques observed across reporting, grouped by tactic (MITRE ATT&CK).
Associated malware families
4 malware families attributed to this actor across reporting.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns; it has been exploited in the wild.
Recent activity
16 sources tracked across advisories, community write-ups, and news.
Russia-aligned group conducting initial access operations and handing validated targets to Sandworm for follow-up activity, illustrating task sharing among aligned actors.
Phishing-led intrusion activity targeting Ukrainian government, defense forces, and defense-industrial enterprises; delivers MATCHBOIL/MATCHWOK malware families (per CERT-UA).
Initial access provider supporting Sandworm-linked wiper operations via spear-phishing.
UAC-0099 conducts cyberespionage operations, often providing initial access to other Russian APTs like Sandworm. They use phishing, malware loaders, and infostealers to target Ukrainian state agencies, military, and defense sector.