Abhay Negi

UAC-0247 Cyber Campaign Targets Ukrainian Healthcare and Government Systems

Ukraine’s national cybersecurity authority, CERT-UA, has recently revealed details about a sophisticated cyber campaign targeting government entities and healthcare institutions, particularly clinics and emergency medical facilities. The activity, tracked under the identifier UAC-0247, involves the deployment of malware specifically designed to steal sensitive information from Chromium-based browsers as well as WhatsApp.

The attacks were observed during March and April 2026, and while attribution remains uncertain, the techniques used indicate a well-resourced and organized threat actor. The campaign highlights a growing trend where attackers combine social engineering with multi-layered malware delivery to compromise critical sectors.

Entry Point: Deceptive Humanitarian Lures

The initial stage of the attack relies heavily on phishing emails crafted to appear legitimate. These emails present themselves as humanitarian aid proposals, a tactic likely chosen to exploit trust and urgency. Recipients are encouraged to follow a link embedded within the message.

Once clicked, the link redirects the victim either to a compromised legitimate website or to a fake page generated using artificial intelligence tools. In cases involving legitimate websites, attackers take advantage of cross-site scripting vulnerabilities to inject malicious content. Regardless of the method used, the end goal remains the same: to trick the user into executing a malicious file.

Execution Chain and Malware Delivery

The infection process begins when the victim downloads a Windows shortcut (LNK) file. This file acts as a trigger, initiating the execution of a remote HTML Application (HTA) through the Windows utility “mshta.exe.”

The HTA file serves as both a distraction and a delivery mechanism. It displays a decoy form to maintain the illusion of legitimacy while simultaneously downloading a secondary payload in the background. This payload injects malicious shellcode into legitimate system processes such as RuntimeBroker.exe, allowing it to operate stealthily without raising immediate suspicion.

CERT-UA also reported the use of more advanced, multi-stage loaders in certain cases. These loaders use custom executable formats that support structured code execution and dynamic library imports. The final payload is compressed and encrypted, making detection and analysis significantly more difficult.

Establishing Control Over Compromised Systems

A notable component of the campaign is the deployment of a reverse shell tool known as RAVENSHELL. This utility establishes a direct TCP connection with a command-and-control server, enabling attackers to execute commands remotely using standard system tools like cmd.exe.

In addition to RAVENSHELL, attackers deploy a malware family called AGINGFLY along with a PowerShell-based script referred to as SILENTLOOP. AGINGFLY, developed in C#, provides extensive remote control capabilities. It communicates with command servers using WebSockets and allows attackers to execute commands, capture keystrokes, download files, and run additional payloads.

SILENTLOOP plays a supporting role by maintaining communication with the command infrastructure. It retrieves updated server addresses from Telegram channels and includes fallback mechanisms to ensure continued connectivity even if primary channels are disrupted.

Focus on Data Theft and Reconnaissance

Analysis of multiple incidents linked to this campaign shows that attackers are primarily focused on reconnaissance and data exfiltration. Their targets include login credentials, browser data, and private communications.

To achieve this, they deploy various tools designed to bypass browser encryption mechanisms and extract stored credentials. They also use forensic utilities capable of decrypting WhatsApp Web data, allowing them to access sensitive conversations.

Additional tools observed in the campaign support network scanning, tunneling, and lateral movement, enabling attackers to expand their access within compromised environments. Some tools are even capable of cryptocurrency mining, suggesting that financial gain may also be a secondary objective.

Evidence also indicates that individuals associated with Ukraine’s defense sector may have been targeted. In these cases, malicious archives were distributed through messaging platforms, further extending the reach of the campaign.

Challenges in Detection

The techniques used in this campaign make it particularly difficult to detect. By relying on legitimate system tools, encrypted payloads, and multi-stage execution chains, attackers are able to evade many traditional security controls.
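To make the detection problem concrete, here is an added example (not CERT-UA's or this author's code) that applies two process-lineage rules drawn from the chain described above to constructed Sysmon-style process-creation records: mshta.exe launched with a remote URL, and a command shell whose parent is RuntimeBroker.exe. The event field names, file paths and URLs are assumptions made for the example.

```python
import json
import ntpath
import re

# Constructed Sysmon-style process-creation records (Event ID 1), one JSON object
# per line. These are invented samples for the example, not telemetry from the campaign.
SAMPLE_EVENTS = r"""
{"pid": 4312, "image": "C:\\Windows\\explorer.exe", "parent": "C:\\Windows\\System32\\userinit.exe", "cmdline": "explorer.exe"}
{"pid": 5120, "image": "C:\\Windows\\System32\\mshta.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "mshta.exe https://aid-proposal.example/form.hta"}
{"pid": 5388, "image": "C:\\Windows\\System32\\RuntimeBroker.exe", "parent": "C:\\Windows\\System32\\svchost.exe", "cmdline": "RuntimeBroker.exe -Embedding"}
{"pid": 6010, "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Windows\\System32\\RuntimeBroker.exe", "cmdline": "cmd.exe"}
{"pid": 6200, "image": "C:\\Windows\\System32\\mshta.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "mshta.exe C:\\Users\\a\\Documents\\local.hta"}
{"pid": 6400, "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "cmd.exe /c dir"}
"""

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Shells that CERT-UA lists among commonly abused built-ins; one of these spawned by
# RuntimeBroker.exe matches the injected-shellcode-then-cmd.exe pattern described for RAVENSHELL.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def classify(event):
    """Return the list of rule names the event matches (empty list means not flagged)."""
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent"]).lower()
    cmdline = event.get("cmdline", "")
    hits = []
    # Rule 1: mshta.exe fetching its HTA from a remote URL (LNK -> mshta.exe -> remote HTA).
    if image == "mshta.exe" and URL_RE.search(cmdline):
        hits.append("remote_hta_via_mshta")
    # Rule 2: a command shell whose parent is RuntimeBroker.exe, a process that has no
    # legitimate reason to spawn one; consistent with shellcode injected into it.
    if image in SHELLS and parent == "runtimebroker.exe":
        hits.append("shell_spawned_by_runtimebroker")
    return hits

def scan(lines):
    """Parse JSON-lines events and return {pid: [rule names]} for flagged events only."""
    findings = {}
    for line in filter(None, map(str.strip, lines.splitlines())):
        event = json.loads(line)
        hits = classify(event)
        if hits:
            findings[event["pid"]] = hits
    return findings

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(rules)}")
```

Both rules key on parent-child lineage and command-line content rather than file hashes, which is what survives when the payload itself is encrypted and re-packed.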

This is where platforms like IntelligenceX become especially valuable. By providing visibility into exposed infrastructure, suspicious domains, and attacker activity, IntelligenceX helps organizations identify threats at an earlier stage.

For instance, security teams can use IntelligenceX to track phishing domains, analyze command-and-control infrastructure, and correlate threat data across multiple sources. This level of insight is critical when dealing with campaigns that rely on stealth and persistence.

Mitigation and Defensive Measures

To reduce exposure to such threats, CERT-UA recommends limiting the execution of potentially dangerous file types such as LNK, HTA, and JavaScript files. It is also important to restrict the use of built-in Windows utilities like mshta.exe, PowerShell, and wscript.exe, which are commonly abused by attackers.

Organizations should also implement stronger monitoring practices, educate users about phishing risks, and integrate threat intelligence into their security operations.

Conclusion

The UAC-0247 campaign demonstrates how modern cyberattacks are evolving in both complexity and scope. By combining social engineering with advanced malware techniques, attackers are able to target critical sectors with increasing precision.

Defending against such threats requires a proactive approach that includes visibility, intelligence, and strong security practices. Leveraging platforms like IntelligenceX, along with robust internal defenses, can help organizations stay ahead of these evolving threats and minimize potential damage.
