MATCHWOK

MATCHWOK is a C# backdoor used in UAC-0099 phishing-driven cyberespionage campaigns targeting Ukrainian state authorities, the Defense Forces, and defense-industrial enterprises. It is typically deployed as a follow-on payload by the MATCHBOIL loader after initial compromise via phishing emails, often themed as court summons and sent via UKR.NET, with links to legitimate file-hosting services containing a double archive and HTA-based execution chain. MATCHWOK enables remote command execution by executing PowerShell commands, including by compiling .NET programs at runtime and passing commands to the PowerShell interpreter via STDIN. It exfiltrates command output to a remote server over HTTPS, reading the server address from a local configuration file. CERT-UA reporting also states that commands may be AES-256-encrypted and hidden in <script> tags on remote pages. The malware includes anti-analysis behavior and may terminate or avoid execution if tools such as IDA, Wireshark, or Procmon are detected. It has been reported alongside DRAGSTARE, a stealer, as part of the updated UAC-0099 toolkit. High-confidence associations in the provided content link MATCHWOK to persistent espionage activity against Ukrainian government, military, and defense-sector targets since at least 2025, with broader reporting noting UAC-0099 activity against Ukraine since mid-2022.