UAC-0247 Targets Ukrainian Clinics and Government in Data Theft Malware Campaign

The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a new campaign targeting government and municipal health facilities, especially emergency clinics and hospitals, to deliver malware capable of stealing sensitive data from Chromium-based web browsers and WhatsApp.
The activity, observed between March and April 2026, has been attributed to a threat group tracked as UAC-0247. The origin of the group is not yet known.
According to CERT-UA, the beginning of the chain of attacks is an email message that claims to offer humanitarian assistance, urging recipients to click on a redirect link to an official website compromised by a cross-site scripting (XSS) vulnerability or a fake site created with the help of artificial intelligence (AI) tools.
Regardless of the site used, the goal is to get the victim to download and run a Windows Shortcut (LNK) file, which in turn launches a remote HTML Application (HTA) through the native Windows utility “mshta.exe.” The HTA file displays a decoy form to hold the victim’s attention while simultaneously downloading a binary that is injected into a legitimate process (“runtimeBroker.exe”).
“At the same time, recent campaigns have recorded the use of a two-stage loader, the second stage is implemented using a portable file format (with full support for code and data sections, import of functions from dynamic libraries, and transport), and the final payload is compressed and encrypted,” said CERT-UA.
One of the payloads is a TCP reverse shell, or its equivalent, tracked as RAVENSHELL, which opens a TCP connection to the command-and-control server and executes the commands it receives on the host using “cmd.exe.”
Also dropped on the infected machine are a malware family called AGINGFLY and a PowerShell script called SILENTLOOP. The script serves several functions: executing commands, configuring persistence and automatic updates, and retrieving the current command-and-control (C2) server IP address from a Telegram channel, falling back to other methods of resolving the C2 address if that fails.
Developed using C#, AGINGFLY is designed to provide remote control of affected systems. It communicates with the C2 server using WebSockets to download commands that allow it to execute commands, run a keylogger, extract files, and run additional payloads.
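As an added illustration of how a defender might spot the chain described above (LNK → mshta.exe fetching a remote HTA → injection into runtimeBroker.exe → a cmd.exe reverse shell), here is a small rule-based check over process-creation events. The event lines and the field format are constructed for this example and are not CERT-UA’s telemetry or detection logic.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields);
# illustrative only, not real telemetry from the CERT-UA incidents.
SAMPLE_EVENTS = [
    r'ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\mshta.exe CommandLine="mshta.exe https://decoy.example.invalid/form.hta"',
    r'ParentImage=C:\Windows\System32\mshta.exe Image=C:\Windows\System32\RuntimeBroker.exe CommandLine="RuntimeBroker.exe"',
    r'ParentImage=C:\Windows\System32\RuntimeBroker.exe Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c whoami"',
    r'ParentImage=C:\Windows\System32\svchost.exe Image=C:\Windows\System32\RuntimeBroker.exe CommandLine="RuntimeBroker.exe -Embedding"',
    r'ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\mshta.exe CommandLine="mshta.exe C:\Temp\local.hta"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Utilities the advisory recommends restricting, and the process the report
# names as the injection host for the downloaded binary.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
INJECTION_TARGET = "runtimebroker.exe"


def parse_event(line):
    """Split a key=value event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def image_name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of the chain stages this single event matches."""
    image, parent = image_name(event["Image"]), image_name(event["ParentImage"])
    cmdline = event.get("CommandLine", "")
    findings = []
    if image == "mshta.exe" and re.search(r"https?://", cmdline, re.I):
        findings.append("mshta_remote_hta")            # HTA fetched from a URL
    if image == INJECTION_TARGET and parent in SCRIPT_HOSTS:
        findings.append("runtimebroker_from_script_host")  # unusual parent
    if image in SHELLS and parent == INJECTION_TARGET:
        findings.append("shell_from_runtimebroker")    # reverse-shell behaviour
    return findings


def scan(lines):
    """Map the index of every matching event to its findings."""
    return {i: f for i, line in enumerate(lines) if (f := classify(parse_event(line)))}


if __name__ == "__main__":
    for i, findings in scan(SAMPLE_EVENTS).items():
        print(i, findings, SAMPLE_EVENTS[i])
```

The fourth and fifth events are benign or ambiguous on their own and are deliberately left unflagged; in practice these rules belong in a SIEM or EDR query keyed on real process-creation telemetry.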

An investigation of about a dozen incidents revealed that the attackers used their access for reconnaissance, lateral movement, and the theft of credentials and other sensitive data from WhatsApp and Chromium-based browsers. This is achieved by installing various open-source tools, such as those listed below –
- ChromElevator, a program designed to bypass Chromium’s app-bound encryption (ABE) protections and harvest saved cookies and passwords.
- ZAPiXDESK, a forensic extraction tool to decrypt locally stored WhatsApp Web data
- RustScan, a network scanner
- Ligolo-Ng, a lightweight utility for establishing tunnels from reverse TCP/TLS connections
- Chisel, a tool for tunneling network traffic over TCP/UDP
- XMRig, a cryptocurrency miner
The agency said there is evidence that representatives of the Defense Forces of Ukraine may also have been targeted as part of the campaign. This is based on the distribution via Signal of malicious ZIP archives designed to drop AGINGFLY using a DLL side-loading technique.
To reduce the risk associated with the threat and shrink the attack surface, it is recommended to restrict the use of LNK, HTA, and JS files, as well as legitimate utilities such as “mshta.exe,” “powershell.exe,” and “wscript.exe.”