{
	"id": "e5645d0b-2a80-4752-b21d-3a368623d8dd",
	"created_at": "2026-04-06T00:14:25.027381Z",
	"updated_at": "2026-04-10T13:13:00.620178Z",
	"deleted_at": null,
	"sha1_hash": "797151d6e21f16cd3fc9fc57b30f07f70fbad884",
	"title": "Threat Actor 'UAC-0099' Continues to Target Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2005754,
	"plain_text": "Threat Actor 'UAC-0099' Continues to Target Ukraine\r\nBy Deep Instinct Threat Lab\r\nPublished: 2023-12-21 · Archived: 2026-04-05 12:38:23 UTC\r\nKey Takeaways\r\n\"UAC-0099\" is a threat actor that has targeted Ukraine since mid-2022\r\nDeep Instinct Threat Lab has identified new attacks by the threat actor\r\nThe threat actor was observed leveraging CVE-2023-38831\r\nThe threat actor targets Ukrainian employees working for companies outside of Ukraine\r\nIntroduction\r\nIn May 2023, the Ukrainian CERT published advisory #6710 about a threat actor dubbed “UAC-0099.” The advisory briefly details the threat actor’s activities and tools.\r\nSince the CERT-UA publication in May, Deep Instinct has identified new attacks carried out by “UAC-0099” against Ukrainian targets.\r\nThis blog post will shed additional light on the threat group’s recent attacks, which feature common tactics, techniques, and procedures (TTPs), including the use of a fabricated court summons to bait targets in Ukraine into executing the malicious files.\r\nImportant note: Some of the C2 servers related to these attacks are still active at the time of publication.\r\nhttps://www.deepinstinct.com/blog/threat-actor-uac-0099-continues-to-target-ukraine\r\nPage 1 of 10\n\nFigure 1: Overview of recent UAC-0099 activities.\r\nRAR SFX with LNK Infection Vector\r\nIn early August, “UAC-0099” sent an email impersonating the Lviv city court using the ukr.net email service. The email was sent to a corporate email box of a Ukrainian employee working remotely for a company outside of Ukraine.\r\nThe attachment is an executable file created by WinRAR, the Windows-based file archiver and compression utility that can compress a file as a self-extracting archive (SFX):\r\nFigure 2: Prompt when executing the attached SFX file.\r\nAfter extracting the contents of the archive, a new file is created with a double extension, in this case docx.lnk:\r\nFigure 3: Double extension social engineering trick.\r\nThe file looks like a regular document file. However, it’s a LNK shortcut disguised as a DOCX file. Closer inspection reveals that the file uses the “WordPad” application icon instead of a DOCX icon. When opened, the specially crafted LNK file executes PowerShell with malicious content:\r\nFigure 4: Malicious PowerShell commands inside the LNK file.\r\nThe malicious PowerShell code decodes two base64 blobs and writes the output into VBS and DOCX files. After that, the PowerShell code opens the DOCX file as a decoy while also creating a new scheduled task that executes the VBS file every three minutes.\r\nThe VBS malware was named “LonePage” by CERT-UA. When executed, it creates a hidden PowerShell process that communicates with a hardcoded C2 URL to fetch a text file. The rest of the PowerShell code is executed only if the response from the C2 is greater than one byte. In that instance, the PowerShell script checks to see if the string “get-content” is included in the text file. If the string is present, then the script executes the code from the server and saves it as an array of bytes. If the string is absent, the script executes a combination of commands inside the text file from the server and some hard-coded basic enumeration commands such as “whoami”:\r\nFigure 5: LonePage VBS script.\r\nRegardless of the C2 response, the results of executing the commands inside the txt file or the hardcoded commands are sent back to the same C2 server. However, they are sent to a different port via the HTTP POST method.\r\nThe DOCX document is a decoy to trick the victim into thinking they’re opening a legitimate DOCX file containing a court summons instead of a malicious file:\r\nFigure 6: Contents of DOCX file.\r\nIn early November, another instance of this campaign was observed using a different C2 address — 196.196.156[.]2.\r\nSince the threat actor controls the content of the “upgrade.txt” files, they can change it according to their objectives. As such, the content is not always the same and can vary.\r\nThe following code was observed as a response from the C2 server at 2023-11-08 14:50:30 UTC.\r\nFigure 7: C2 Get-Screenshot command.\r\nThis PowerShell code is responsible for taking a screenshot. As mentioned above, the LonePage VBS sends the results back to the C2, allowing the threat actor to execute any PowerShell code on the infected computer and receive the response back.\r\nAt the end of November 2023, another campaign instance was observed using the C2 address 2.59.222[.]98. In this case, the payload response from the C2 server aligns with what was described as “recon” activity in the pastebin:\r\nFigure 8: Recon commands received from C2 server.\r\nThe decoy document is a PDF file instead of a DOCX. And instead of the usual court summons document, the PDF file shows a smudged document:\r\nFigure 9: Smudged decoy PDF document.\r\nHTA Infection Vector\r\nIn contrast to the LNK attack vector described earlier, this attack uses HTA. The HTA method is similar, but there are notable differences. Instead of an LNK file invoking PowerShell, the HTA file includes HTML code that contains a VBScript that executes PowerShell. The scheduled task cadence is also different — it runs every four minutes instead of three in the previous cases.\r\nWhile CERT-UA reported in their advisory that the HTA file drops an HTML file as a decoy, Deep Instinct observed a similar court summons DOCX decoy document, like what was observed in the LNK chain.\r\nFigure 10: HTA file content.\r\nCVE-2023-38831 Infection Vector\r\nIn both attacks described below, “UAC-0099” exploited a known WinRAR vulnerability, identified by Group-IB and traced back to April 2023.\r\nThe vulnerability stems from how WinRAR processes ZIP files. The exploitation requires a user to interact with a specially crafted ZIP archive.\r\nHere’s how it works: the attacker creates an archive with a benign filename with a space after the file extension — for example, “poc.pdf .” The archive includes a folder with the same name, including the space (something that is not possible under normal conditions, since the operating system does not allow the creation of a file with the same name). The folder includes an additional file with the same name as the benign file, including a space, followed by a “.cmd” extension.\r\nWhen a user opens a ZIP file containing these files in an unpatched version of WinRAR and double-clicks on the benign file, the file with the “cmd” extension is executed instead.\r\nThe vulnerability might produce higher infection rates because the attacks are disguised so well; even security-savvy victims can fall for the deception. Expecting to open a benign file, the user will inadvertently execute malicious code.\r\nYou can find a POC for the vulnerability on GitHub. A patched WinRAR (version 6.23) was released on August 2, 2023.\r\nDeep Instinct identified two ZIP files created by “UAC-0099” on August 5, 2023:\r\nFigure 11: Contents of malicious “cmd” file inside ZIP archive.\r\nThe malicious “cmd” file is different in the two files, each containing a different C2 URI path.\r\nThe modification time between the two files is only two seconds, indicating that, most likely, the files were created in an automated fashion. This, combined with the fact that UAC-0099 started to exploit the vulnerability several days after the patch, shows the level of sophistication of the attackers.\r\nWhile Google TAG identified several Russian threat actors using the vulnerability to attack Ukrainian targets, the UAC-0099 activity is absent in their blog.\r\nThe CVE assignment and the Group-IB blog about the vulnerability were published after “UAC-0099” leveraged the attack technique, indicating they likely knew how to exploit it.\r\nThe decoy used in this campaign was once again the “summon to court” document theme.\r\nConclusions and Recommendations\r\nThe tactics used by “UAC-0099” are simple, yet effective. Despite the different initial infection vectors, the core infection is the same — they rely on PowerShell and the creation of a scheduled task that executes a VBS file. Monitoring and limiting the functionality of those components can reduce the risk of “UAC-0099” attacks — and/or identify them quickly in the event of compromise.\r\nThe WinRAR exploitation is an interesting choice. Some people don’t update their software in a timely fashion, even with automatic updates. WinRAR requires a manual update, meaning that even if a patch is available, many people will likely still have a vulnerable version of WinRAR installed.\r\nPlease make sure you have the latest version of WinRAR installed.\r\nIOCs and the POC for CVE-2023-38831 can be found on our GitHub.\r\nIOCs\r\n147.78.46[.]40\r\n196.196.156[.]2\r\n2.59.222[.]98\r\nSource: https://www.deepinstinct.com/blog/threat-actor-uac-0099-continues-to-target-ukraine",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.deepinstinct.com/blog/threat-actor-uac-0099-continues-to-target-ukraine"
	],
	"report_names": [
		"threat-actor-uac-0099-continues-to-target-ukraine"
	],
	"threat_actors": [
		{
			"id": "154da875-2e93-41ab-8a41-90fdd66b214b",
			"created_at": "2024-01-09T02:00:04.2024Z",
			"updated_at": "2026-04-10T02:00:03.510191Z",
			"deleted_at": null,
			"main_name": "UAC-0099",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0099",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434465,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/797151d6e21f16cd3fc9fc57b30f07f70fbad884.pdf",
		"text": "https://archive.orkl.eu/797151d6e21f16cd3fc9fc57b30f07f70fbad884.txt",
		"img": "https://archive.orkl.eu/797151d6e21f16cd3fc9fc57b30f07f70fbad884.jpg"
	}
}