{"id":322705,"date":"2025-08-06T14:25:09","date_gmt":"2025-08-06T14:25:09","guid":{"rendered":"https:\/\/www.europesays.com\/uk\/322705\/"},"modified":"2025-08-06T14:25:09","modified_gmt":"2025-08-06T14:25:09","slug":"hackers-using-fake-summonses-in-attacks-on-ukraines-defense-sector","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/uk\/322705\/","title":{"rendered":"Hackers using fake summonses in attacks on Ukraine&#8217;s defense sector"},"content":{"rendered":"<p class=\"paragraph\"> Hackers have been sending fake summons emails purportedly from Ukrainian courts to target the country\u2019s government, military and defense sector in a new cyberespionage campaign, researchers have found. <\/p>\n<p class=\"paragraph\"> The attackers behind the campaign \u2014 tracked as UAC-0099 by Ukraine\u2019s computer emergency response team (CERT-UA) \u2014 have been active in the country since at least 2022 and have gained unauthorized remote access to dozens of local computers, Ukrainian cybersecurity authorities previously <a href=\"https:\/\/cert.gov.ua\/article\/4818341\" target=\"_blank\" rel=\"noopener noreferrer\">said<\/a>. <\/p>\n<p class=\"paragraph\"> In the latest operation, the hackers sent phishing emails disguised as court summonses. These messages included links to legitimate file-sharing platforms that delivered archive files bundled with malware. <\/p>\n<p class=\"paragraph\"> The primary malware used in the campaign, dubbed Matchboil, collects system data and deploys additional malicious tools \u2014 including Matchwok, a backdoor that enables remote command execution, and Dragstare, a stealer that extracts browser data such as passwords, cookies, and desktop files. <\/p>\n<p class=\"paragraph\"> CERT-UA did not disclose how many systems were affected or the volume of data compromised. 
While the agency hasn\u2019t attributed the attacks to a specific nation-state, the tactics and targeting patterns resemble previous operations by Russian hackers. <\/p>\n<p class=\"paragraph\"> Ukraine\u2019s cyber agency had previously <a href=\"https:\/\/cip.gov.ua\/services\/cm\/api\/attachment\/download?id=68769\" target=\"_blank\" rel=\"noopener noreferrer\">linked<\/a> UAC-0099 to a wave of attacks in late 2024 targeting forestry departments, forensic institutions, and industrial facilities. At the time, the group used a different malware strain known as Lonepage, which now appears to have been replaced by Matchboil in more recent operations. <\/p>\n<p class=\"paragraph\"> \u201cThe change in tactics, techniques, procedures, and tooling indicates the evolving and persistent nature of the cyber threat,\u201d the researchers said. <\/p>\n<p class=\"paragraph\"> CERT-UA reports typically offer limited technical detail but provide rare insights into ongoing cyber operations amid the broader conflict between Ukraine and Russia. <\/p>\n<p class=\"paragraph\"> In earlier disclosures, the agency <a href=\"https:\/\/therecord.media\/hackers-impersonate-drone-companies-state-agencies-spy-ukraine\" target=\"_blank\" rel=\"noopener noreferrer\">warned<\/a> that hackers had impersonated Ukrainian drone manufacturers and state institutions to infect military and government systems with data-stealing malware. Another campaign <a href=\"https:\/\/therecord.media\/ukraine-new-russian-malware-social-engineering-signal-chats\" target=\"_blank\" rel=\"noopener noreferrer\">observed<\/a> in June involved malware linked to Russia\u2019s military intelligence service, delivered via the Signal messaging app. 
<\/p>\n","protected":false},"excerpt":{"rendered":"Hackers have been sending fake summons emails purportedly from Ukrainian courts to target the country\u2019s government, military and&hellip;\n","protected":false},"author":2,"featured_media":322706,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7654],"tags":[2000,299,657],"class_list":{"0":"post-322705","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-ukraine","8":"tag-eu","9":"tag-europe","10":"tag-ukraine"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@uk\/114982284395972019","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts\/322705","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/comments?post=322705"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts\/322705\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/media\/322706"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/media?parent=322705"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/categories?post=322705"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.euro
pesays.com\/uk\/wp-json\/wp\/v2\/tags?post=322705"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}