A recently uncovered cyber campaign, tracked as UAC-0247, has once again highlighted the growing sophistication of attacks targeting critical infrastructure. According to findings published by CERT-UA, the operation specifically targeted Ukrainian government agencies and healthcare institutions, including clinics and emergency response units, using a highly structured malware delivery chain.
The campaign, active between March and April 2026, demonstrates how modern cyber threats are evolving beyond simple attacks into complex, multi-layered operations that combine social engineering, malware development, and stealth persistence mechanisms. While attribution remains uncertain, the technical execution suggests a capable and organized threat actor.
Phishing as a Strategic Entry Point
The attackers initiated the campaign using phishing emails disguised as humanitarian aid proposals. This tactic is particularly effective because it leverages trust and urgency, especially in environments where such communications are common.
Recipients who clicked the embedded links were redirected to either compromised legitimate websites or AI-generated phishing pages. In the cases involving legitimate domains, the attackers exploited cross-site scripting vulnerabilities in the sites to serve their own content, so the link a victim saw pointed at a domain they already trusted. This significantly increases the likelihood of compromise, because checking the domain in the address bar, the usual advice given to users, no longer helps.
The objective at this stage was to convince victims to download a malicious file disguised as legitimate content.
Execution Chain: From LNK to Full Compromise
The downloaded file is a Windows shortcut (LNK). Opening it launches a remote HTML Application (HTA) through "mshta.exe", a signed Windows utility that attackers favour precisely because it is a legitimate, allow-listed binary (a living-off-the-land technique).
The HTA presents a decoy interface to the user while fetching additional payloads in the background and injecting shellcode into trusted system processes such as RuntimeBroker.exe. Because the malicious code then runs inside a process that security tools expect to see, it stays under the radar of controls that only look at file names and hashes.
More advanced variants of the campaign use a two-stage loader architecture. The second stage is implemented using a custom executable format that supports dynamic linking and structured execution. The payload is encrypted and compressed, making analysis and detection significantly more difficult.
Persistence Through Advanced Control Mechanisms
To maintain access, attackers deploy a reverse shell known as RAVENSHELL. This establishes a persistent communication channel with a command-and-control server, enabling remote execution of commands.
In addition, the AGINGFLY malware family is deployed. Written in C#, it provides attackers with extensive control over the compromised system, including the ability to execute commands, capture keystrokes, transfer files, and deploy additional payloads.
A PowerShell script called SILENTLOOP enhances resilience by dynamically retrieving command-and-control server addresses from Telegram channels, a dead-drop resolver pattern: the malware only ever needs to reach a legitimate, widely used service, and the operators can rotate the real infrastructure behind it. This lets the malware keep operating even if the primary command-and-control servers are taken down or blocked.
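The chain described in the last few sections leaves a distinctive trail in endpoint telemetry even though every binary involved is legitimate: mshta.exe started with a URL on its command line, RuntimeBroker.exe hosting code it should not, and PowerShell talking to Telegram. The following Python block is an added example, not code from CERT-UA or from the article, that runs three such checks over constructed Sysmon-style records. The field names (event_id, image, command_line, parent_image, target_image, dest_host), the sample events and the hostnames in them are assumptions made for the example; real deployments would read the same fields from Sysmon (Event ID 1 process creation, 3 network connection, 8 CreateRemoteThread) or an EDR.

```python
"""Behavioural checks for the UAC-0247 execution chain (added example).

The records below are constructed to resemble Sysmon events; the field
names are an assumption, not a real schema.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One endpoint telemetry record (constructed, Sysmon-like)."""
    event_id: int            # 1 = process create, 3 = network connect, 8 = remote thread
    image: str               # process that performed the action
    command_line: str = ""   # event 1 only
    parent_image: str = ""   # event 1 only
    target_image: str = ""   # event 8 only: process that received the thread
    dest_host: str = ""      # event 3 only


URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
# Hosts used by Telegram's web/API front ends (assumed list for the example).
TELEGRAM_HOSTS = {"t.me", "telegram.me", "telegram.org", "api.telegram.org"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_mshta_remote_hta(ev: Event):
    """mshta.exe given a URL: the LNK -> remote HTA step."""
    if ev.event_id == 1 and basename(ev.image) == "mshta.exe":
        m = URL_RE.search(ev.command_line)
        if m:
            return f"mshta.exe launched a remote HTA: {m.group(0)}"
    return None


def rule_runtimebroker_odd_parent(ev: Event):
    """A loader spawning its own RuntimeBroker.exe as a host process.
    Legitimately, RuntimeBroker.exe is started by svchost.exe (DcomLaunch)."""
    if ev.event_id == 1 and basename(ev.image) == "runtimebroker.exe":
        parent = basename(ev.parent_image)
        if parent != "svchost.exe":
            return f"RuntimeBroker.exe started by {parent} instead of svchost.exe"
    return None


def rule_remote_thread_into_runtimebroker(ev: Event):
    """Injection into an already-running RuntimeBroker.exe (Sysmon event 8)."""
    if ev.event_id == 8 and basename(ev.target_image) == "runtimebroker.exe":
        return f"{basename(ev.image)} created a remote thread in RuntimeBroker.exe"
    return None


def rule_powershell_telegram(ev: Event):
    """PowerShell reaching Telegram: the SILENTLOOP dead-drop lookup."""
    if ev.event_id == 3 and basename(ev.image) in {"powershell.exe", "pwsh.exe"}:
        if ev.dest_host.lower() in TELEGRAM_HOSTS:
            return f"PowerShell connected to Telegram host {ev.dest_host}"
    return None


RULES = [rule_mshta_remote_hta, rule_runtimebroker_odd_parent,
         rule_remote_thread_into_runtimebroker, rule_powershell_telegram]


def detect(events):
    """Return (rule name, message) pairs for every event that trips a rule."""
    findings = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                findings.append((rule.__name__, msg))
    return findings


# Constructed sample telemetry: two benign records mixed with four malicious ones.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\mshta.exe",
          r'"C:\Windows\System32\mshta.exe" https://aid-proposal.example/offer.hta',
          r"C:\Windows\explorer.exe"),                                   # hit
    Event(1, r"C:\Windows\System32\RuntimeBroker.exe",
          r"C:\Windows\System32\RuntimeBroker.exe -Embedding",
          r"C:\Windows\System32\svchost.exe"),                           # benign
    Event(1, r"C:\Windows\System32\RuntimeBroker.exe",
          r"C:\Windows\System32\RuntimeBroker.exe",
          r"C:\Windows\System32\mshta.exe"),                             # hit
    Event(8, r"C:\Users\user\AppData\Local\Temp\stage2.exe",
          target_image=r"C:\Windows\System32\RuntimeBroker.exe"),        # hit
    Event(3, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          dest_host="t.me"),                                             # hit
    Event(1, r"C:\Windows\System32\mshta.exe",
          r'"C:\Windows\System32\mshta.exe" C:\Users\user\Desktop\local.hta',
          r"C:\Windows\explorer.exe"),                                   # no URL, benign here
]

if __name__ == "__main__":
    for name, msg in detect(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

None of these checks needs a file signature, which is the point: the mshta.exe binary and RuntimeBroker.exe are unchanged Microsoft files. Process command lines are only available if command-line auditing is enabled (Sysmon, or Windows event 4688 with "Include command line in process creation events" turned on), so verify that before relying on the first rule.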
Data Exfiltration and Lateral Movement
The campaign focuses heavily on data exfiltration. Attackers target browser-stored credentials, cookies, and session data from Chromium-based applications. They also deploy tools capable of extracting WhatsApp Web data, giving them access to private communications.
In addition to stealing data, the attackers perform reconnaissance and lateral movement within compromised networks. Tools used in the campaign allow for network scanning, tunneling, and expansion into additional systems.
Some instances also include cryptocurrency mining modules, suggesting a dual objective of espionage and financial gain.
Why Traditional Security Fails
The use of legitimate tools, encrypted payloads, and multi-stage execution makes this campaign particularly difficult to detect. Security solutions that rely only on file signatures have little to work with here: the binaries involved are unmodified Windows components, and the payloads that are not are encrypted and compressed until the moment they run. Detection has to come from behaviour instead, such as process lineage, command lines, and where ordinary system utilities connect to.
This is where platforms like IntelligenceX provide significant value. By offering visibility into exposed assets, malicious domains, and attacker infrastructure, IntelligenceX enables organizations to identify threats before they escalate.
Security teams using IntelligenceX can monitor suspicious activity, analyze infrastructure patterns, and correlate threat intelligence across multiple sources.
Mitigation Strategies
Organizations should restrict execution of LNK, HTA, and script-based files, for example by blocking LNK attachments and archives at the mail gateway and by reassociating the .hta extension away from mshta.exe. Limiting the use of mshta.exe, PowerShell, and similar utilities through application control (AppLocker or Windows Defender Application Control) removes the first stage of this chain outright for standard users, and PowerShell script block logging gives defenders a record of what SILENTLOOP-style scripts actually ran. Because the campaign steals browser cookies and session data, credentials and active sessions on affected hosts should be revoked and reset, not just the malware removed.
Conclusion
The UAC-0247 campaign demonstrates the importance of proactive cybersecurity strategies. Organizations must adopt intelligence-driven approaches to defend against increasingly sophisticated threats.