UAC-0099 Using WinRAR Exploit to Target Ukrainian Firms with LONEPAGE Malware


Attacks against Ukraine have been attributed to the threat actor UAC-0099. Some of these attacks exploit a high-severity vulnerability in the WinRAR archiver to deliver the LONEPAGE malware strain. In an analysis published on Thursday, cybersecurity firm Deep Instinct stated that “the threat actor targets Ukrainian employees working for companies outside of Ukraine.”

UAC-0099’s espionage-related attacks against governmental organizations and media groups were first reported in June 2023 by the Computer Emergency Response Team of Ukraine (CERT-UA). The attack chains used phishing messages carrying HTA, RAR, and LNK file attachments to deliver LONEPAGE, a Visual Basic Script (VBS) malware that communicates with a command-and-control (C2) server and downloads additional payloads such as keyloggers and stealers.

