
Emerging Cyber Threats: Analyzing Attacks on Government Structures


The CERT-UA team, responsible for responding to cyber incidents, has uncovered new targeted cyberattacks on governmental institutions and defense enterprises.

This information was released by the press office of the State Special Communications Service.

The group tracked as UAC-0099 has updated its toolkit and begun using three new malware families: MATCHBOIL, MATCHWOK and DRAGSTARE. The intrusion is multi-stage and is aimed at stealing data and gaining remote access to the compromised systems.

The attack begins with phishing emails, often disguised as official correspondence such as a "court summons". Each email carries a link to a legitimate file-sharing service, from which the victim downloads a ZIP archive containing a malicious HTA file. Because the link points to a legitimate service, URL reputation alone will not flag it; the archive and the HTA inside it are where the malicious content first appears.

When the HTA file is opened, the VBScript it contains writes two files to the victim's computer, one holding hex-encoded data and the other holding PowerShell code, and registers a scheduled task to run the PowerShell script. That script decodes the hex data into an executable, the MATCHBOIL loader, which in turn persists on the system through a scheduled task of its own.
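As an added example (not code from the article or from CERT-UA), the following Python script applies detection logic for the chain described above to constructed Windows telemetry: Sysmon process-creation events (ID 1), Security scheduled-task-creation events (ID 4698) and PowerShell script-block logs (ID 4104). The event records, paths, task name and hex-decoding idiom are constructed for the example, and the folder list and regular expressions are assumptions about what such a chain leaves behind, not indicators from the report.

```python
"""Detection rules for an HTA -> VBScript -> scheduled task -> PowerShell chain.

Records mirror the fields of Sysmon Event ID 1, Security Event ID 4698 and
PowerShell Event ID 4104. All sample events are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

HTA_HOST = "mshta.exe"
# Children mshta.exe has no business spawning: the HTA's VBScript registering
# a task or starting a second-stage interpreter shows up as one of these.
SUSPICIOUS_CHILDREN = {"schtasks.exe", "powershell.exe", "pwsh.exe",
                       "wscript.exe", "cscript.exe", "cmd.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Folders where dropped files and task targets usually land (assumed list).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\", re.I)
# An HTA opened straight from a download folder or an extracted archive.
HTA_FROM_DOWNLOAD = re.compile(r"\\(Downloads|Temp)\\.*\.hta\b", re.I)
# Common PowerShell idioms for turning hex text back into bytes, paired with a
# write of an executable: the "decode the dropped blob" stage.
HEX_DECODE = re.compile(r'(FromHexString|ToByte\(|\[byte\]\s*"0x)', re.I)
WRITES_EXE = re.compile(r"\.(exe|dll)\b", re.I)
CHAIN_RULES = {"hta_from_download", "mshta_child",
               "task_runs_script_from_user_path", "hex_decode_to_executable"}


@dataclass
class Alert:
    rule: str
    index: int      # position of the triggering event in the input list
    detail: str


def basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def task_exec_action(task_content: str):
    """Return (Command, Arguments) of a 4698 TaskContent blob, or None."""
    # Drop the XML declaration so an already-decoded str parses regardless of
    # the encoding it declares (4698 content declares UTF-16).
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_content)
    command = arguments = ""
    for el in ET.fromstring(xml_text).iter():
        local = el.tag.rsplit("}", 1)[-1]          # strip the task namespace
        if local == "Command":
            command = (el.text or "").strip()
        elif local == "Arguments":
            arguments = (el.text or "").strip()
    return (command, arguments) if command else None


def detect(events):
    """Run the per-stage rules over one host's events, in order."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1:
            image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            cmd = ev["CommandLine"]
            if image == HTA_HOST and HTA_FROM_DOWNLOAD.search(cmd):
                alerts.append(Alert("hta_from_download", i, cmd))
            if parent == HTA_HOST and image in SUSPICIOUS_CHILDREN:
                alerts.append(Alert("mshta_child", i, f"{parent} -> {image}: {cmd}"))
        elif ev["EventID"] == 4698:
            action = task_exec_action(ev["TaskContent"])
            if action and basename(action[0]) in SCRIPT_HOSTS and USER_WRITABLE.search(action[1]):
                alerts.append(Alert("task_runs_script_from_user_path", i, " ".join(action)))
        elif ev["EventID"] == 4104:
            text = ev["ScriptBlockText"]
            if HEX_DECODE.search(text) and WRITES_EXE.search(text) and USER_WRITABLE.search(text):
                alerts.append(Alert("hex_decode_to_executable", i, text[:80]))
    return alerts


def chain_detected(alerts) -> bool:
    """Three or more distinct stages of the chain seen on the same host."""
    return len({a.rule for a in alerts} & CHAIN_RULES) >= 3


# Constructed sample telemetry for one host, in chronological order.
TASK_CONTENT = (
    r'<?xml version="1.0" encoding="UTF-16"?>'
    r'<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    r'<Actions Context="Author"><Exec><Command>powershell.exe</Command>'
    r'<Arguments>-ep bypass -w hidden -f C:\Users\olena\AppData\Local\Temp\upd.ps1</Arguments>'
    r'</Exec></Actions></Task>')
BENIGN_TASK = (
    r'<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Actions><Exec>'
    r'<Command>%windir%\system32\wsqmcons.exe</Command></Exec></Actions></Task>')
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Users\olena\Downloads\summons\summons.hta"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\mshta.exe", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn Updater /sc minute /mo 3 /tr "powershell -ep bypass -w hidden -f C:\Users\olena\AppData\Local\Temp\upd.ps1"'},
    {"EventID": 4698, "TaskContent": TASK_CONTENT},
    {"EventID": 4104, "ScriptBlockText": r"""$h = Get-Content $env:LOCALAPPDATA\Temp\data.txt; $b = ($h -split '(..)' | ? {$_}) | % {[Convert]::ToByte($_, 16)}; [IO.File]::WriteAllBytes("$env:LOCALAPPDATA\Temp\svc.exe", $b)"""},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
    {"EventID": 4698, "TaskContent": BENIGN_TASK},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.rule}] event {a.index}: {a.detail}")
    print("chain detected:", chain_detected(found))
```

In a real deployment these rules would run in a SIEM with alerts grouped per host. The point is that every stage of the chain is individually visible in standard telemetry (an HTA launched from a download folder, mshta.exe spawning schtasks.exe or an interpreter, a task whose action runs a script from a user-writable path, and PowerShell decoding hex into an executable) and that three of them together on one host are a strong signal even when any single one could be benign.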

The primary targets of this group are government bodies and defense enterprises in Ukraine.

CERT-UA's analysis identified three new malware families, indicating that the group's tactics, techniques and procedures have evolved.

MATCHBOIL (loader). Its job is to fetch and run the main payload on the infected computer; before doing so it collects basic system information so that the command-and-control server can identify the victim.

MATCHWOK (backdoor). Lets the attackers run arbitrary PowerShell commands on the infected system; the commands arrive from the command-and-control server in encrypted form.

DRAGSTARE (stealer). Collects data broadly, including system information and credentials stored in browsers.

RECOMMENDATIONS FROM CERT-UA

To counter these threats, CERT-UA advises organisations to:

  • Tighten control over incoming mail and train staff to recognise phishing emails, including ones whose links lead to legitimate file-sharing services.
  • Restrict script execution through security policy, for example by controlling who may launch mshta.exe, wscript.exe and PowerShell and from which locations.
  • Monitor endpoints for suspicious activity such as script hosts spawned from mail or archive handlers and newly created scheduled tasks.
  • Protect the network perimeter with up-to-date intrusion detection systems.
  • Keep software updated to close known vulnerabilities.