MATCHBOIL
MATCHBOIL is a C#-based malware loader used by the threat actor UAC-0099 in phishing-driven cyberespionage campaigns targeting Ukrainian state authorities, the Defense Forces, and defense-industrial enterprises. Recent reporting also describes targeting of government and defense sectors more broadly, and notes that UAC-0099 has operated against Ukraine since at least mid-2022. MATCHBOIL has been described as likely replacing LONEPAGE, the group's earlier malware.

The infection chain commonly begins with phishing emails, often themed as court summons and sent via UKR.NET, that contain links to legitimate file-hosting services. The links deliver a double (nested) archive containing an HTA file; executing the HTA launches obfuscated VBScript and PowerShell that write and run AnimalUpdate.exe, which activates MATCHBOIL.

MATCHBOIL fingerprints the host by collecting the CPU ID, BIOS serial number, username, and MAC address, and sends this information in HTTP headers during C2 communication. Its server address is stored in a local configuration file. It retrieves follow-on payloads from image-like URIs, decodes them from HEX and BASE64, and saves them as .com files. Documented payloads include MATCHWOK, a backdoor for remote command execution, and DRAGSTARE, a stealer that extracts browser data such as passwords and cookies, desktop files, screenshots, and other documents.

Persistence has been reported via a scheduled task named DocumentTask, and separately via a registry Run key created to execute downloaded payloads. High-confidence related artifacts from the infection chain include the scheduled tasks PdfOpenTask and \AnimalSoft\UpdateAnimalSoftware, and the files documenttemp.txt, temporarydoc.txt, %PUBLIC%\Downloads\AnimalUpdate.txt, and AnimalUpdate.exe.
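The payload-retrieval step above (fetch from an image-like URI, decode from HEX and BASE64, write out as a .com file) is the part an analyst usually has to reproduce when triaging a captured download. The following Python is an added example, not code from the page or from the malware: it peels hex and base64 layers off a fetched body in whichever order they were applied. The page does not state the layer order or that the decoded payload is a PE, so the MZ stop condition, the FAKE_PE bytes and the two sample encodings are assumptions constructed for illustration.

```python
"""Peel the HEX and BASE64 layers the summary above describes on MATCHBOIL's
downloaded payloads. The layer order is not documented, so each pass decodes
whichever encoding the data currently looks like and stops on an MZ header
or when nothing further decodes."""
import base64
import binascii
import string

HEX_CHARS = frozenset(string.hexdigits.encode())
B64_CHARS = frozenset((string.ascii_letters + string.digits + "+/=").encode())


def _looks_hex(data: bytes) -> bool:
    return len(data) >= 2 and len(data) % 2 == 0 and all(b in HEX_CHARS for b in data)


def _looks_b64(data: bytes) -> bool:
    return len(data) >= 4 and len(data) % 4 == 0 and all(b in B64_CHARS for b in data)


def peel_layers(blob: bytes, max_layers: int = 4):
    """Return (decoded_bytes, layers); layers lists the encodings removed, outermost first."""
    data = b"".join(blob.split())   # tolerate line breaks / whitespace in the fetched body
    layers = []
    for _ in range(max_layers):
        if data.startswith(b"MZ"):  # assumption: the final payload is a PE
            break
        # Hex is tested first because a hex string is also valid base64 text; a base64
        # body that happens to use only [0-9a-f] with even length would be mis-peeled.
        if _looks_hex(data):
            data = binascii.unhexlify(data)
            layers.append("hex")
        elif _looks_b64(data):
            try:
                data = base64.b64decode(data, validate=True)
            except binascii.Error:
                break
            layers.append("base64")
        else:
            break
    return data, layers


# Constructed stand-in for a fetched payload; not a real MATCHBOIL sample.
FAKE_PE = b"MZ\x90\x00\x03\x00\x00\x00constructed-fake-executable-body"
SAMPLE_HEX_OUTER = binascii.hexlify(base64.b64encode(FAKE_PE))   # base64 applied first, then hex
SAMPLE_B64_OUTER = base64.b64encode(binascii.hexlify(FAKE_PE))   # hex applied first, then base64

if __name__ == "__main__":
    for name, sample in (("hex-outer", SAMPLE_HEX_OUTER), ("b64-outer", SAMPLE_B64_OUTER)):
        decoded, layers = peel_layers(sample)
        print(f"{name}: layers={layers} header={decoded[:2]!r} size={len(decoded)}")
```

Write the decoded bytes to disk with a .com extension only inside an isolated analysis VM; the extension alone does not change what the bytes are, but Windows will still try to execute a .com file on double-click.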
Groups observed using it
1 distinct threat actor (UAC-0099) attributed by public researchers.
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 2 techniques
Execution: 1 technique
Discovery: 1 technique
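To turn the procedures and artifacts in the summary above into something that runs over telemetry, here is an added Python example; it is not code from the page or from any vendor tooling. It applies simple match rules to constructed Sysmon-style events. The scheduled task names and staging file names come from the summary; the mshta.exe-to-script-host parent/child rule, the "Run value launching a .com file" rule, the %PUBLIC%\Downloads location of AnimalUpdate.exe, and the Run value name and payload file name in the sample events are assumptions.

```python
"""Hunt Sysmon/Windows-style telemetry for the MATCHBOIL chain artifacts named in
the summary above. SAMPLE_EVENTS is constructed for illustration, not real telemetry."""
import re
from dataclasses import dataclass

# Scheduled task and file names from the summary above (matched case-insensitively).
TASK_NAMES = {"documenttask", "pdfopentask", r"animalsoft\updateanimalsoftware"}
FILE_NAMES = {"documenttemp.txt", "temporarydoc.txt", "animalupdate.txt", "animalupdate.exe"}
# Heuristic (assumption, not stated on the page): a Run value that launches a .com file,
# since the loader saves payloads as .com and uses a Run key to execute them.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
COM_TARGET_RE = re.compile(r"\.com(?:[\"']|\s|$)", re.I)
# Heuristic for the HTA stage: mshta.exe spawning a script host or PowerShell.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}


@dataclass
class Finding:
    index: int   # position in the event list
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _norm_task(name: str) -> str:
    # Task names may or may not carry the leading backslash of the root task folder.
    return name.lower().lstrip("\\")


def hunt(events):
    """Return a Finding for every event that matches one of the rules above."""
    findings = []
    for i, ev in enumerate(events):
        kind = ev.get("event")
        if kind == "task_create" and _norm_task(ev["task_name"]) in TASK_NAMES:
            findings.append(Finding(i, "matchboil_task_name", ev["task_name"]))
        elif kind == "file_create" and _basename(ev["target"]) in FILE_NAMES:
            findings.append(Finding(i, "matchboil_staging_file", ev["target"]))
        elif (kind == "registry_set" and RUN_KEY_RE.search(ev["target_object"])
              and COM_TARGET_RE.search(ev.get("details", ""))):
            findings.append(Finding(i, "run_key_com_payload", ev["target_object"]))
        elif (kind == "process_create" and _basename(ev.get("parent_image", "")) == "mshta.exe"
              and _basename(ev.get("image", "")) in SCRIPT_HOSTS):
            findings.append(Finding(i, "hta_spawned_script_host", ev["image"]))
    return findings


# Constructed events: a few benign ones mixed with the chain described on the page.
# The AnimalUpdate.exe path, the "Updater" value name and payload.com are made up.
SAMPLE_EVENTS = [
    {"event": "task_create", "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"event": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"event": "process_create", "parent_image": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event": "file_create", "target": r"C:\Users\Public\Downloads\AnimalUpdate.txt"},
    {"event": "file_create", "target": r"C:\Users\Public\Downloads\AnimalUpdate.exe"},
    {"event": "file_create", "target": r"C:\Users\alice\Documents\notes.txt"},
    {"event": "task_create", "task_name": r"\DocumentTask"},
    {"event": "task_create", "task_name": r"\AnimalSoft\UpdateAnimalSoftware"},
    {"event": "registry_set",
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"event": "registry_set",
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\Public\Downloads\payload.com"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"event {f.index}: {f.rule} -> {f.detail}")
```

In a SIEM these rules map to Security event 4698 (task creation) and Sysmon events 1, 11 and 13; the file and task names are exact-match indicators and will not survive a rename, while the two heuristic rules are broader and need tuning against your own baseline before alerting on them.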
Recent activity
14 sources tracked across advisories, community write-ups, and news.
Malware family delivered via HTA-based phishing lures in campaigns attributed to UAC-0099.
Referenced as part of the updated toolset of UAC-0099.
A next-generation malware loader used by UAC-0099 to download and execute additional malicious payloads, such as backdoors and infostealers.