ClickCease WinRAR Flaw: LONEPAGE Malware Strikes Ukrainian Firms

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

WinRAR Flaw: LONEPAGE Malware Strikes Ukrainian Firms

Wajahat Raja

January 4, 2024 - TuxCare expert team

In the realm of cybersecurity, vigilance is paramount, and recent developments reveal a persistent threat facing Ukrainian entities. In mid-2023, the Ukrainian CERT issued advisory #6710, unmasking a threat actor identified as “UAC-0099.” This actor’s activities and arsenal of tools were succinctly outlined in the advisory. In this blog post, we’ll look into the intricate details of the persistent cybersecurity threat posed by LONEPAGE Malware. We’ll also uncover its tactics and the evolving landscape of targeted attacks against Ukrainian firms.

LONEPAGE Malware: UAC-0099’s Continued Assault on Ukraine

Since the publication of CERT-UA’s advisory,
Deep Instinct has uncovered fresh malware attacks orchestrated by UAC-0099, specifically targeting Ukrainian entities. Notably, UAC-0099 employs a cunning strategy, deploying fabricated court summons to lure unsuspecting targets in Ukraine into executing malicious files. Ukrainian firms cybersecurity is a top priority in the ever-evolving digital landscape, necessitating robust strategies to mitigate risks and fortify defenses against emerging cyber threats.

UAC-0099 and WinRAR Exploits

UAC-0099 has been implicated in a series of assaults against Ukraine, leveraging a critical flaw in WinRAR software to propagate the
LONEPAGE malware. According to cybersecurity firm Deep Instinct, this threat actor has set its sights on Ukrainian employees affiliated with international companies.


In a detailed analysis, Deep Instinct revealed that UAC-0099’s attack vectors encompass phishing messages housing HTA, RAR, and LNK file attachments. These attachments, when activated, trigger the deployment of LONEPAGE—a Visual Basic Script (VBS) malware. LONEPAGE exhibits the capability to establish communication with a command-and-control (C2) server, fetching additional payloads such as keyloggers, stealers, and screenshot malware.

A Timeline of Intrusion

The origins of UAC-0099 trace back to June 2023, when CERT-UA first documented the threat actor’s activities. The report related to these
cybersecurity trends highlighted UAC-0099’s espionage-driven attacks on state organizations and media entities within Ukraine. Disturbingly, unauthorized remote access to numerous computers in Ukraine occurred during the period from 2022 to 2023. Given this, it can be stated implementing rigorous data security measures is crucial to safeguarding sensitive information.

Diverse Attack Vectors

Deep Instinct’s latest analysis unveils three distinct infection chains employed by UAC-0099. The first involves HTA attachments, while the other two leverage self-extracting (SFX) archives and malicious ZIP files. In the case of ZIP files, UAC-0099 exploits the WinRAR vulnerability (CVE-2023-38831, CVSS score: 7.8) to disseminate the
LONEPAGE malware.

Deceptive Tactics

The SFX file harbors an LNK shortcut camouflaged as a DOCX file for a court summons. Utilizing the Microsoft WordPad icon, the threat actor entices victims to open the file, leading to the execution of malicious PowerShell code that drops the LONEPAGE malware.

The second attack sequence involves a meticulously crafted ZIP archive susceptible to CVE-2023-38831. Deep Instinct identified two such artifacts created by UAC-0099 on August 5, 2023—merely three days after WinRAR released a patch for the vulnerability. Despite distinct initial infection vectors, the core infection method remains consistent, relying on PowerShell and the creation of a scheduled task executing a VBS file.

Cyber Threat Landscape: A New Wave

Coinciding with these revelations, CERT-UA issued a warning about a fresh wave of phishing messages masquerading as outstanding Kyivstar dues. These messages aim to propagate a remote access trojan known as Remcos RAT, with the campaign attributed to UAC-0050.
WinRAR vulnerabilities pose a significant cybersecurity risk, emphasising the importance of prompt patching and proactive measures to secure systems and protect against potential exploits.


The landscape of
cyber threats 2023 is dynamic, and UAC-0099’s activities underscore the need for unwavering vigilance. Understanding their tactics and the vulnerabilities they exploit is crucial for bolstering defenses. Organizations, especially those with ties to Ukraine, should prioritize cybersecurity measures to thwart evolving Ukrainian cybersecurity incidents and ensure the safety of their digital infrastructure. As the cybersecurity landscape evolves, staying informed and ensuring cybersecurity best practices remain the key to safeguarding against such insidious threats.


The sources for this piece include articles in The Hacker News and Deep Instinct


WinRAR Flaw: LONEPAGE Malware Strikes Ukrainian Firms
Article Name
WinRAR Flaw: LONEPAGE Malware Strikes Ukrainian Firms
Discover the latest on LONEPAGE malware targeting Ukrainian firms through WinRAR exploits. Stay informed on cybersecurity threats!
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter