DEV Community

Abhay Negi

UAC-0247 Malware Campaign Shows How Cyber Attacks Are Targeting Real-World Infrastructure

The growing sophistication of cyber threats is no longer limited to data breaches or financial fraud. The recently uncovered UAC-0247 campaign shows attackers infiltrating and disrupting the systems that run real-world services, including healthcare and government infrastructure. According to CERT-UA, the operation targeted Ukrainian institutions with a carefully engineered multi-stage malware chain built for long-term access and data theft.

Active during March and April 2026, the campaign reflects a broader trend: cyber operations are becoming more strategic, stealthy, and impactful. The attackers behind UAC-0247 combined social engineering, abuse of trusted platforms (compromised legitimate websites and Telegram), and living-off-the-land malware techniques to reach their objectives.

The Human Element: Phishing as the Weakest Link

At the core of this campaign lies a simple but highly effective tactic: phishing. The attackers sent emails disguised as humanitarian aid proposals, a theme chosen to evoke urgency and trust. In high-pressure environments, such messages are far less likely to meet skepticism.

The email carries a link that sends the victim either to a legitimate website the attackers have compromised or to a look-alike page generated with AI tools. Where a legitimate site has a cross-site scripting flaw, the attackers use it to serve their content from that trusted domain, so the URL the victim sees (and the reputation checks an email gateway applies to it) point at a site that really is legitimate.

This stage is critical because it depends entirely on user interaction. Only once the victim clicks the link, downloads the file, and opens it does the attack chain begin.

Breaking Down the Attack Chain

The downloaded file is typically a Windows shortcut (LNK). It looks harmless, and Windows never displays the .lnk extension even when extensions are otherwise shown, so a shortcut named like a document is easy to mistake for one. It serves as the entry point for the malware.

When opened, the LNK file launches "mshta.exe", the legitimate Microsoft HTML Application host, and points it at a remote HTML Application (HTA). This technique is widely used because the process doing the work is a signed Windows binary, so the malicious activity blends in with normal system behavior.

The HTA displays a decoy interface to keep the user occupied while it downloads additional payloads in the background. These payloads inject shellcode into trusted processes such as RuntimeBroker.exe, so that the malware's memory and network activity appears to come from a signed Microsoft process.

More advanced versions of the attack use a two-stage loader. The second stage is implemented in a custom executable format that supports dynamic execution. The payload is encrypted and compressed, which leaves a static scan of the dropped file with neither strings nor recognisable code to match.

Establishing Long-Term Control

Once the system is compromised, the attackers secure their foothold with a reverse shell tracked as RAVENSHELL. It opens a communication channel from the infected host out to a remote command server, which suits egress-only firewall rules that permit outbound connections by default.

In addition, the AGINGFLY malware family is deployed. This component gives the attackers full control of the system, letting them execute commands, capture keystrokes, and transfer files.

The PowerShell-based SILENTLOOP module keeps the channel alive by retrieving command-and-control server addresses from Telegram channels, a dead-drop resolver pattern. Because the C2 address is fetched from a public channel rather than hard-coded, the attackers can rotate servers without redeploying the malware, and the lookups blend in with legitimate Telegram traffic. Fallback mechanisms make the module resilient if one source is taken down.

Data Theft and Expansion

The primary goal of the campaign is to extract sensitive data. The attackers target browser-stored credentials, cookies, and session tokens from Chromium-based browsers; stolen session cookies are especially valuable, since they let an attacker resume an already-authenticated web session without the password or a second factor. They also use tools to access WhatsApp Web data, giving them insight into private communications.
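The attack chain (mshta.exe launching a remote HTA, shellcode injected into RuntimeBroker.exe), the SILENTLOOP dead-drop resolver (PowerShell reaching Telegram), and the theft of Chromium credential stores each leave a distinct trace in endpoint telemetry. The following is an added detection example, not code from the original post or from CERT-UA: it runs four rules over a handful of constructed Sysmon- and Security-log-style events. The event records, field names (simplified from the real Sysmon and Security schemas), paths and the `example.invalid` host are all invented for illustration.

```python
"""Detection rules for the UAC-0247-style chain described above.

Added example (not the post's or CERT-UA's code). The events below are
constructed, not real telemetry, and field names are simplified versions
of the Sysmon (EventID 1/8/22) and Windows Security (EventID 4663) schemas.
"""
import re

# Script and proxy-execution hosts that have no business injecting into RuntimeBroker.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "pwsh.exe", "rundll32.exe", "regsvr32.exe"}
# Chromium-based browsers that legitimately open their own profile files.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Telegram domains a PowerShell process should not normally resolve.
TELEGRAM_SUFFIXES = ("t.me", "telegram.org", "telegram.me")
# Chromium profile files holding saved logins, cookies and autofill data.
CHROMIUM_SECRET_FILES = ("login data", "cookies", "web data")


def _base(path: str) -> str:
    """Lower-case file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_remote_hta(ev):
    """Sysmon EID 1: mshta.exe started with a URL on its command line (remote HTA)."""
    if ev.get("EventID") != 1 or _base(ev.get("Image", "")) != "mshta.exe":
        return None
    if re.search(r"https?://", ev.get("CommandLine", ""), re.IGNORECASE):
        return "mshta.exe executing remote HTA"
    return None


def rule_runtimebroker_injection(ev):
    """Sysmon EID 8 (CreateRemoteThread): a script host creating a thread in RuntimeBroker.exe."""
    if ev.get("EventID") != 8:
        return None
    if (_base(ev.get("TargetImage", "")) == "runtimebroker.exe"
            and _base(ev.get("SourceImage", "")) in SCRIPT_HOSTS):
        return "remote thread into RuntimeBroker.exe from script host"
    return None


def rule_telegram_dead_drop(ev):
    """Sysmon EID 22 (DNS query): PowerShell resolving Telegram, as a C2 dead-drop resolver would."""
    if ev.get("EventID") != 22 or _base(ev.get("Image", "")) not in {"powershell.exe", "pwsh.exe"}:
        return None
    query = ev.get("QueryName", "").lower().rstrip(".")
    if any(query == s or query.endswith("." + s) for s in TELEGRAM_SUFFIXES):
        return "PowerShell DNS query to Telegram"
    return None


def rule_browser_secret_access(ev):
    """Security EID 4663 (needs a SACL on the profile directory):
    a non-browser process opening Chromium credential or cookie stores."""
    if ev.get("EventID") != 4663:
        return None
    obj = ev.get("ObjectName", "").lower()
    if ("\\user data\\" in obj and _base(obj) in CHROMIUM_SECRET_FILES
            and _base(ev.get("ProcessName", "")) not in BROWSERS):
        return "non-browser process reading Chromium secrets"
    return None


RULES = (rule_remote_hta, rule_runtimebroker_injection,
         rule_telegram_dead_drop, rule_browser_secret_access)


def detect(events):
    """Return (event index, finding) pairs for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            finding = rule(ev)
            if finding:
                hits.append((i, finding))
    return hits


# Constructed events modelling the chain in order, followed by benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://example.invalid/aid/proposal.hta'},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\mshta.exe",
     "TargetImage": r"C:\Windows\System32\RuntimeBroker.exe"},
    {"EventID": 22, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "QueryName": "t.me"},
    {"EventID": 4663, "ProcessName": r"C:\Users\victim\AppData\Local\Temp\stage2.exe",
     "ObjectName": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Benign: the browser reading its own cookie store, and a local (not remote) HTA.
    {"EventID": 4663, "ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ObjectName": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Tools\local.hta'},
]

if __name__ == "__main__":
    for idx, finding in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Each rule keys on behaviour rather than on a hash or string of the payload, which is the point: the encrypted second stage and the rotating Telegram-hosted C2 address change freely, but mshta.exe fetching a URL, a script host writing threads into RuntimeBroker.exe, and an unknown process opening `Login Data` do not. Correlating the four hits on one host in a short window turns four medium-confidence alerts into one high-confidence incident.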

Beyond data theft, attackers perform reconnaissance and lateral movement within the network. This allows them to expand their reach and compromise additional systems.

In some cases, cryptocurrency mining tools have been observed, suggesting that financial gain may be a secondary objective.

The Need for Better Visibility

One of the biggest challenges in defending against such attacks is the lack of visibility into exposed systems and malicious infrastructure. Signature-based tools are poorly placed here: every stage runs through signed Microsoft binaries (explorer.exe, mshta.exe, PowerShell, RuntimeBroker.exe), the second-stage loader is encrypted and compressed, and the C2 address is fetched at run time rather than embedded, so there is little fixed content to match.

This is where platforms like IntelligenceX become valuable. IntelligenceX provides insight into exposed assets, malicious domains, and attacker infrastructure, helping organizations identify threats before they escalate.

With that data, security teams can monitor suspicious activity, analyze patterns across campaigns, and take proactive measures to reduce risk.

Mitigation Strategies

Organizations should restrict the execution of LNK, HTA, and script-based files. Blocking mshta.exe outright with AppLocker or Windows Defender Application Control (or, at minimum, reassociating the .hta extension with a harmless viewer) removes this chain's second stage for most users, who never need HTAs. PowerShell should be constrained rather than removed, since administration depends on it: enable script block logging and transcription, and put non-administrative users in Constrained Language Mode. Where there is no business need for Telegram, blocking its domains at the egress proxy breaks SILENTLOOP's C2 lookup. Together these controls significantly reduce the attack surface.

User education is also critical. Employees should be trained to recognize phishing attempts, to treat unexpected "proposal" or aid-related attachments and links with suspicion, and to report rather than interact with them.

Conclusion

The UAC-0247 campaign highlights the evolving nature of cyber threats: a phishing lure, a shortcut file, and a handful of built-in Windows utilities were enough to reach healthcare and government systems. Organizations must move beyond reactive, signature-driven security and adopt proactive, intelligence-driven and behaviour-based defences to protect their systems.