Emerging Cyber Threats: Analyzing Attacks on Government Entities

An analysis of new cyber attacks targeting government structures and defense industry enterprises in Ukraine.

The National Cyber Incident Response Team CERT-UA has uncovered a new wave of targeted cyber attacks aimed at government entities and defense industry enterprises.

This information comes from the State Special Communications Service press office.

The criminal group UAC-0099 has updated its toolkit and is now utilizing new malware such as MATCHBOIL, MATCHWOK, and DRAGSTARE. The attackers employ a complex chain to steal data and gain control over systems.

The attack begins with phishing emails disguised as official documents, such as "court summons." These emails contain links to legitimate file-sharing services. Clicking on them initiates the download of a ZIP archive containing a malicious HTA file. This marks the first phase of the attack.

Executing the HTA file triggers VBScript, which creates two files on the victim's computer: one containing HEX-encoded data and another containing PowerShell code. A scheduled task is created to run that PowerShell code. The PowerShell script then decodes the data into the executable MATCHBOIL loader, which is kept persistent on the system through its own scheduled task.

The primary targets of the group are government bodies of Ukraine, defense forces, and enterprises working in the defense industry.

CERT-UA's research has identified three new samples of malware, indicating an evolution in the group's tactics.

MATCHBOIL (Loader). Its main task is to deliver the primary payload to the victim's computer. MATCHBOIL collects basic system information to identify the victim on the command server.

MATCHWOK (Backdoor). It allows attackers to execute arbitrary PowerShell commands on the infected system, with commands sent from the command server in encrypted form.

DRAGSTARE (Data Stealer). It performs comprehensive data collection, including system information, browser data, and files with certain extensions.

RECOMMENDATIONS FROM CERT-UA

To counter these threats, it is necessary to:

  • Educate employees on identifying phishing emails.
  • Restrict script execution and set security policies to block HTA files.
  • Implement endpoint monitoring.
  • Ensure perimeter network protection.
  • Regularly update software.
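As an added illustration of the endpoint-monitoring recommendation (this is example code, not part of the CERT-UA material or this article), the following Python correlates the three stages of the chain described above over process-creation events; the event records, file paths, task name and 24-hour window are constructed assumptions, not observed indicators.

```python
"""Correlate the HTA -> scheduled task -> PowerShell chain on simplified
process-creation events (host, time, image, cmdline, parent)."""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed correlation window; tune to your telemetry
# Ordered stages; each predicate sees lower-cased (image, cmdline, parent).
STAGES = [
    # 1. mshta.exe runs an .hta from a user-writable download/temp location
    ("hta_execution", lambda img, cmd, parent: img.endswith("mshta.exe")
        and ".hta" in cmd and any(p in cmd for p in ("\\downloads\\", "\\temp\\"))),
    # 2. a scheduled task is registered whose action is PowerShell
    ("task_creation", lambda img, cmd, parent: img.endswith("schtasks.exe")
        and "/create" in cmd and "powershell" in cmd),
    # 3. PowerShell started by the Task Scheduler service (hosted in svchost.exe)
    ("task_run_powershell", lambda img, cmd, parent:
        img.endswith("powershell.exe") and parent.endswith("svchost.exe")),
]

def detect_chain(events):
    """Return {host: [(stage, time), ...]} for hosts on which all stages
    occurred in order, with the last stage within WINDOW of the first."""
    seen = {}  # host -> {stage name: time of first match}
    for ev in sorted(events, key=lambda e: e["time"]):
        img, cmd, parent = (ev[k].lower() for k in ("image", "cmdline", "parent"))
        hits = seen.setdefault(ev["host"], {})
        for idx, (name, match) in enumerate(STAGES):
            prev_ok = idx == 0 or STAGES[idx - 1][0] in hits  # enforce stage order
            if name not in hits and prev_ok and match(img, cmd, parent):
                hits[name] = ev["time"]
    flagged = {}
    for host, hits in seen.items():
        if len(hits) == len(STAGES) and hits[STAGES[-1][0]] - hits[STAGES[0][0]] <= WINDOW:
            flagged[host] = [(name, hits[name]) for name, _ in STAGES]
    return flagged

T0 = datetime(2025, 8, 1, 9, 0)  # constructed timestamp
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real indicators
    {"host": "ws01", "time": T0, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\u\Downloads\summons\summons.hta"',
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "ws01", "time": T0 + timedelta(seconds=5),
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn Update /sc minute /tr "powershell -w hidden -f C:\Users\u\AppData\Roaming\run.ps1"',
     "parent": r"C:\Windows\System32\mshta.exe"},
    {"host": "ws01", "time": T0 + timedelta(minutes=2), "image": PS,
     "cmdline": r"powershell -w hidden -f C:\Users\u\AppData\Roaming\run.ps1",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws02", "time": T0, "image": PS,  # benign admin task, no prior stages
     "cmdline": r"powershell -f C:\scripts\inventory.ps1", "parent": r"C:\Windows\System32\svchost.exe"},
]
print(detect_chain(SAMPLE_EVENTS))  # only ws01 is reported, with its stage timeline
```

Feeding real Sysmon or EDR process-creation records into `detect_chain` only requires mapping them to the five fields used above.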