UAC-0099 Continues Targeted Attacks on Ukraine, Exploiting WinRAR Flaw for LONEPAGE Malware

23/12/2023


The threat actor tracked as UAC-0099 continues to mount persistent attacks against Ukraine, exploiting a high-severity vulnerability in WinRAR to deliver the LONEPAGE malware, according to a recent analysis by cybersecurity firm Deep Instinct.

UAC-0099 first came to attention in June 2023 when the Computer Emergency Response Team of Ukraine (CERT-UA) documented its espionage-driven attacks against state organizations and media entities, specifically targeting Ukrainian employees of companies outside Ukraine.

The attacks typically begin with phishing messages carrying attachments in several formats, including HTA, RAR, and LNK files, which lead to the deployment of LONEPAGE, a VBScript (VBS) malware. LONEPAGE contacts a command-and-control (C2) server and retrieves additional payloads, including keyloggers, information stealers, and screenshot-capture tools.

During the period spanning 2022-2023, CERT-UA reported unauthorized remote access by the group to several dozen computers in Ukraine.

Deep Instinct's recent analysis documents three distinct infection chains used by UAC-0099. Alongside the previously identified HTA attachments, the two newer methods rely on self-extracting (SFX) archives and specially crafted ZIP files. The ZIP chain exploits the WinRAR vulnerability CVE-2023-38831 (CVSS score: 7.8) to deliver LONEPAGE.

In the SFX chain, the archive contains an LNK shortcut that masquerades as a DOCX file related to a court summons, enticing the victim to open it. Doing so runs malicious PowerShell code, which in turn deploys LONEPAGE.

The ZIP chain uses a specially crafted archive that triggers CVE-2023-38831. Deep Instinct found two such archives created by UAC-0099 shortly after WinRAR released a patch for the bug on August 5, 2023, which shows how quickly the group adopted the technique even though a fix was already available.
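The archive layout behind CVE-2023-38831 is publicly documented: a decoy file whose name ends in a space sits beside a folder with the same name, and that folder holds a script whose name begins with the decoy's name, so that opening the decoy in a vulnerable WinRAR executes the script instead. The scanner below is an added example, not code from Deep Instinct or the original article; it flags ZIP files with that layout. The two sample archives are constructed inline, and the entry names, the extension list and the function names are illustrative assumptions.

```python
"""Heuristic scanner for ZIP archives laid out like CVE-2023-38831 lures.

Added example. The sample archives are constructed for the demo and are not
real UAC-0099 artifacts.
"""
import io
import posixpath
import zipfile

# Extensions a shell would execute if handed the nested file.
# The list is an assumption for the demo, not an exhaustive one.
SCRIPT_EXTS = (".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".hta", ".lnk", ".scr")


def find_suspicious_entries(zip_bytes: bytes) -> list:
    """Return (decoy, script) pairs for entries matching the lure layout.

    The layout: a file entry N (typically ending in a space) and a directory
    N/ whose contents include a script whose base name begins with N's base
    name. A normal archiver cannot produce this from a real file system,
    because a file and a directory cannot share one name there.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    files = [n for n in names if not n.endswith("/")]
    hits = []
    for decoy in sorted(files):
        decoy_base = posixpath.basename(decoy)
        prefix = decoy + "/"  # the same name, reinterpreted as a directory
        for candidate in files:
            if not candidate.startswith(prefix):
                continue
            cand_base = posixpath.basename(candidate)
            if cand_base.startswith(decoy_base) and cand_base.lower().endswith(SCRIPT_EXTS):
                hits.append((decoy, candidate))
    return hits


def names_with_trailing_space(zip_bytes: bytes) -> list:
    """Weaker signal on its own: entries whose name ends in whitespace."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.rstrip("/") != n.rstrip("/").rstrip()]


def build_sample(malicious: bool) -> bytes:
    """Construct a small in-memory ZIP; the malicious variant mimics the lure layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            # Decoy name carries a trailing space; the folder shares that exact name.
            zf.writestr("summons.pdf ", b"%PDF-1.4 decoy document")
            zf.writestr("summons.pdf /summons.pdf .cmd", b"@echo off\r\nrem placeholder stand-in for a dropper\r\n")
        else:
            zf.writestr("summons.pdf", b"%PDF-1.4 ordinary document")
            zf.writestr("attachments/notes.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("malicious", "benign"):
        data = build_sample(label == "malicious")
        print(label, find_suspicious_entries(data), names_with_trailing_space(data))
```

The strong signal is the file/directory name collision; the trailing-space check alone would also fire on sloppy but harmless archives, so use it as supporting evidence rather than a verdict.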

Despite the different initial access vectors, the core infection technique is the same across all three chains: PowerShell creates a scheduled task that executes a VBS file, which gives defenders one consistent behaviour to detect regardless of which lure was used.
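Because the persistence step is shared by all three chains, it is the natural detection point. The following Python is an added example, not code from Deep Instinct or the article: two rules that flag a scheduled task created by PowerShell (via schtasks.exe) whose action runs a VBS file through wscript or cscript, and a task-creation audit event (Security 4698) whose action does the same. The event records are constructed to resemble Sysmon process-creation and Windows Security audit fields; the task names, paths, field names and rule names are assumptions for the demo.

```python
"""Detection logic for the shared persistence pattern: PowerShell registers a
scheduled task that launches a VBS file via wscript/cscript.

Added example. The event records below are constructed, not real telemetry.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows task definitions as logged in Security event 4698.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOST = re.compile(r"\b[wc]script(?:\.exe)?\b", re.IGNORECASE)
VBS_FILE = re.compile(r"\.vbs\b", re.IGNORECASE)

# Constructed sample events (Sysmon EID 1 and Security EID 4698 shapes).
SAMPLE_EVENTS = [
    {   # schtasks spawned by PowerShell; task action runs a .vbs
        "EventID": 1,
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks /create /tn "OneDrive Update" /tr "wscript.exe //B C:\Users\Public\update.vbs" /sc minute /mo 3 /f',
    },
    {   # an administrator creating an ordinary task from a console
        "EventID": 1,
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks /create /tn Backup /tr "C:\Program Files\Backup\backup.exe" /sc daily',
    },
    {   # task definition whose action is wscript + .vbs
        "EventID": 4698,
        "TaskName": r"\OneDrive Update",
        "TaskContent": (
            '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            "<Actions><Exec><Command>wscript.exe</Command>"
            r"<Arguments>//B C:\Users\Public\update.vbs</Arguments>"
            "</Exec></Actions></Task>"
        ),
    },
    {   # benign task definition
        "EventID": 4698,
        "TaskName": r"\Backup",
        "TaskContent": (
            '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            "<Actions><Exec><Command>C:\\Program Files\\Backup\\backup.exe</Command>"
            "</Exec></Actions></Task>"
        ),
    },
]


def rule_schtasks_vbs_from_powershell(ev: dict) -> bool:
    """Process-creation rule: PowerShell -> schtasks /create with a wscript/cscript .vbs action."""
    if ev.get("EventID") != 1:
        return False
    parent = ev.get("ParentImage", "").lower()
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    return (parent.endswith(("\\powershell.exe", "\\pwsh.exe"))
            and image.endswith("\\schtasks.exe")
            and "/create" in cmd.lower()
            and bool(SCRIPT_HOST.search(cmd))
            and bool(VBS_FILE.search(cmd)))


def rule_task_action_runs_vbs(ev: dict) -> bool:
    """Audit rule: 4698 task XML whose Exec action runs a .vbs through a script host.

    Catches tasks registered through the API (Register-ScheduledTask) as well as
    schtasks.exe, since 4698 records the resulting definition, not the creator.
    """
    if ev.get("EventID") != 4698:
        return False
    try:
        root = ET.fromstring(ev.get("TaskContent", ""))
    except ET.ParseError:
        return False
    for exec_node in root.findall(".//t:Exec", TASK_NS):
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS)
        action = f"{command} {args}"
        if SCRIPT_HOST.search(action) and VBS_FILE.search(action):
            return True
    return False


RULES = (rule_schtasks_vbs_from_powershell, rule_task_action_runs_vbs)


def detect(events: list) -> list:
    """Return (event index, rule name) for every event that trips a rule."""
    return [(i, rule.__name__) for i, ev in enumerate(events) for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for idx, rule_name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name}")
```

Auditing 4698 requires the "Audit Other Object Access Events" subcategory to be enabled; without it only the process-creation rule fires, and it will miss tasks registered through the PowerShell cmdlets rather than schtasks.exe.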

This development coincides with a CERT-UA warning about a new wave of phishing messages that falsely claim outstanding Kyivstar dues in order to deliver the Remcos RAT. That campaign is attributed to a different group, UAC-0050, underscoring that Ukraine faces an ongoing and evolving threat from multiple actors at once.
