The National Cyber Incident Response Team CERT-UA has identified a new wave of targeted cyberattacks against government entities and defense industry enterprises in Ukraine.
This information was released by the State Special Communications Service.
The group UAC-0099 has significantly updated its toolkit, deploying new malware programs such as MATCHBOIL, MATCHWOK, and DRAGSTARE aimed at data theft and obtaining remote control over systems.
The attack starts with phishing emails disguised as official documents, such as "court summonses." These emails contain links to legitimate file-sharing services, leading to the download of a ZIP archive that includes a malicious HTA file. This marks the beginning of a multi-stage attack.
Executing the HTA file runs embedded VBScript, which drops two files on the victim's computer: one holding HEX-encoded data and another holding PowerShell code. A scheduled task is created to run that PowerShell code. The PowerShell script then decodes the HEX data into an executable, the MATCHBOIL loader, which is persisted on the system through a scheduled task of its own.
The primary targets of this group are Ukraine's government authorities, defense forces, and enterprises involved in the defense industry.
CERT-UA's investigation revealed three new samples of malware, indicating an evolution in the group's tactics.
- MATCHBOIL (loader): delivers the primary malware payload to the infected computer while gathering system information that identifies the host to the command-and-control server.
- MATCHWOK (backdoor): lets the attackers remotely execute arbitrary PowerShell commands on the infected system; it includes anti-analysis checks for tools such as Wireshark.
- DRAGSTARE (data stealer): performs broad data collection, including system information, browser data, and files from the desktop.
RECOMMENDATIONS FROM CERT-UA
To counter the described threats, the following measures are recommended:
- Enhance control over incoming correspondence and train employees to recognize phishing emails.
- Restrict script execution and set security policies to block HTA files.
- Implement endpoint monitoring to track suspicious activities.
- Ensure network perimeter protection with IDS/IPS systems.
- Keep software up to date to protect against known vulnerabilities.
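The infection chain described above (HTA host spawning scripting tools, a scheduled task that launches PowerShell, and PowerShell started by the Task Scheduler with hidden-window and execution-policy-bypass switches) can be expressed as endpoint-monitoring rules over process-creation telemetry, which is the kind of check the "endpoint monitoring" recommendation calls for. The following Python is an added example written for this page, not code from CERT-UA or from the report; the event records, paths, task name and PIDs are constructed placeholders rather than indicators taken from the advisory, and the rules are heuristics that a real deployment would tune against its own baseline.

```python
# Added detection example (not part of the CERT-UA report): flag the HTA -> scheduled
# task -> PowerShell chain in process-creation telemetry such as Sysmon Event ID 1.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    """One process-creation record. Field names loosely mirror Sysmon Event ID 1."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # command line of the new process


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\x\\mshta.exe' -> 'mshta.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Interpreters and persistence tools an HTA has no business spawning on a workstation.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "schtasks.exe"}
# The same hosts as they appear inside a scheduled-task action (extension optional).
SCRIPT_HOST_RE = re.compile(r"\b(?:powershell|pwsh|wscript|cscript|mshta|cmd)(?:\.exe)?\b", re.I)
# PowerShell switches that hide the window, bypass execution policy or encode the command.
STEALTH_PS_RE = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:p|xecutionpolicy)\s+bypass|e(?:nc|ncodedcommand)\b)", re.I)
TASK_CREATE_RE = re.compile(r"/create\b", re.I)
TASK_ACTION_RE = re.compile(r'/tr\s+"?([^"]+)', re.I)

Finding = Tuple[int, str, str]   # (pid, rule id, human-readable reason)


def detect(events: List[ProcEvent]) -> List[Finding]:
    """Apply three rules that together cover the chain described in the report."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""

        # Rule A: mshta.exe (the HTA host) launches a script interpreter or schtasks.
        if pname == "mshta.exe" and name in SCRIPT_HOSTS:
            findings.append((e.pid, "A", f"mshta.exe (pid {e.ppid}) spawned {name}"))

        # Rule B: a scheduled task is created whose action is a script host
        # or a PowerShell invocation using stealth switches.
        if name == "schtasks.exe" and TASK_CREATE_RE.search(e.cmdline):
            m = TASK_ACTION_RE.search(e.cmdline)
            action = m.group(1) if m else ""
            if SCRIPT_HOST_RE.search(action) or STEALTH_PS_RE.search(action):
                findings.append((e.pid, "B", f"schtasks /create with script action: {action}"))

        # Rule C: PowerShell with stealth switches started by the Task Scheduler
        # service (svchost.exe hosting the 'Schedule' service).
        if name in ("powershell.exe", "pwsh.exe") and STEALTH_PS_RE.search(e.cmdline) \
                and pname == "svchost.exe" and "schedule" in parent.cmdline.lower():
            findings.append((e.pid, "C", "stealthy PowerShell launched by Task Scheduler"))
    return findings


# Constructed sample telemetry. Paths, task name and PIDs are placeholders, not
# indicators from the CERT-UA report.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\user\Downloads\court_summons\summons.hta"'),
    ProcEvent(300, 200, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 5 /tn "PLACEHOLDER_TASK" '
              r'/tr "powershell -w hidden -ep bypass -f C:\Users\user\AppData\Roaming\stage.ps1"'),
    ProcEvent(400, 1, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p -s Schedule"),
    ProcEvent(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -w hidden -ep bypass -f C:\Users\user\AppData\Roaming\stage.ps1"),
    # Benign control: Word opened from Explorer should not trigger any rule.
    ProcEvent(600, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              "WINWORD.EXE /n report.docx"),
]


if __name__ == "__main__":
    for pid, rule, why in detect(SAMPLE_EVENTS):
        print(f"pid {pid} rule {rule}: {why}")
```

Run stand-alone, the script reports the schtasks process under rules A and B and the task-launched PowerShell under rule C, while the Explorer and Word events stay silent. Rule C depends on parent-process context, which is why the sample keeps the svchost.exe record: without it the PowerShell launch looks like any other user-started shell. Each rule is an independent signal; correlating them on one host within a short window is what turns three noisy alerts into a confident match for the chain described in the advisory.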