Hackers using fake summonses in attacks on Ukraine's defense sector
Hackers have been sending fake summons emails purportedly from Ukrainian courts to target the country’s government, military and defense sector in a new cyberespionage campaign, researchers have found.
The attackers behind the campaign — tracked as UAC-0099 by Ukraine’s computer emergency response team (CERT-UA) — have been active in the country since at least 2022 and have gained unauthorized remote access to dozens of local computers, Ukrainian cybersecurity authorities previously said.
In the latest operation, the hackers sent phishing emails disguised as court summonses. These messages included links to legitimate file-sharing platforms that delivered archive files bundled with malware.
The primary malware used in the campaign, dubbed Matchboil, collects system data and deploys additional malicious tools — including Matchwok, a backdoor that enables remote command execution, and Dragstare, a stealer that extracts browser data such as passwords, cookies, and desktop files.
CERT-UA did not disclose how many systems were affected or the volume of data compromised. While the agency hasn’t attributed the attacks to a specific nation-state, the tactics and targeting patterns resemble previous operations by Russian hackers.
Ukraine’s cyber agency had previously linked UAC-0099 to a wave of attacks in late 2024 targeting forestry departments, forensic institutions, and industrial facilities. At the time, the group used a different malware strain known as Lonepage, which now appears to have been replaced by Matchboil in more recent operations.
“The change in tactics, techniques, procedures, and tooling indicates the evolving and persistent nature of the cyber threat,” the researchers said.
CERT-UA reports typically offer limited technical detail but provide rare insights into ongoing cyber operations amid the broader conflict between Ukraine and Russia.
In earlier disclosures, the agency warned that hackers had impersonated Ukrainian drone manufacturers and state institutions to infect military and government systems with data-stealing malware. Another campaign observed in June involved malware linked to Russia’s military intelligence service, delivered via the Signal messaging app.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.