A recent disclosure from CERT-UA has exposed a coordinated cyber operation targeting Ukraine’s public sector. The campaign, labeled UAC-0247, focuses on compromising healthcare and government systems through a combination of phishing, malware deployment, and data exfiltration techniques.
This operation underscores how attackers are shifting towards hybrid attack models that blend social engineering with technical exploitation.
Phishing as the Entry Vector
The campaign starts with emails posing as humanitarian aid communications. These messages include links that redirect victims to either compromised websites or AI-generated phishing pages.
The goal is to trick users into downloading a malicious LNK file, which initiates the attack chain.
Multi-Stage Malware Execution
The LNK file triggers an HTA script executed via mshta.exe. While the user sees a harmless interface, the system is being infected in the background.
The malware injects code into legitimate processes, ensuring stealth. Advanced versions deploy encrypted payloads through a custom loader.
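The LNK to HTA to mshta.exe step described above is one a SOC can watch for in process-creation telemetry. The detection helper below is an added example, not code from the CERT-UA advisory or from this post: the event records are constructed, their field names mirror Sysmon Event ID 1 (an assumption), and the suspicious-parent baseline is an assumption to tune per environment.

```python
import ntpath
import re

# Constructed process-creation events in a Sysmon Event ID 1-like shape (assumed field names).
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Users\victim\Downloads\aid_report.hta"},
    {"EventId": 2, "Image": r"C:\Windows\SysWOW64\mshta.exe", "ParentImage": r"C:\Program Files\Microsoft\Edge\msedge.exe",
     "CommandLine": "mshta.exe https://example.invalid/aid"},
    {"EventId": 3, "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventId": 4, "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": "mshta.exe"},
]

# Parents seen when a user opens a phished LNK (explorer.exe) or a link from mail/browser. Assumed baseline.
SUSPICIOUS_PARENTS = {"explorer.exe", "outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Command-line traits of an HTA payload: a local .hta file, a remote URL, or inline script.
PAYLOAD_PATTERNS = [
    (r"\.hta\b", "command line references an .hta file"),
    (r"https?://", "command line loads content from a URL"),
    (r"\b(?:javascript|vbscript):", "command line uses an inline script protocol"),
]

def exe_name(path):
    """Lower-cased file name of a Windows path, so comparisons ignore directory and case."""
    return ntpath.basename(path).lower()

def classify_event(event):
    """Return the reasons this event matches the LNK -> HTA -> mshta.exe pattern ([] if none)."""
    if exe_name(event.get("Image", "")) != "mshta.exe":
        return []
    reasons = []
    parent = exe_name(event.get("ParentImage", ""))
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"mshta.exe spawned by {parent}")
    for pattern, why in PAYLOAD_PATTERNS:
        if re.search(pattern, event.get("CommandLine", ""), re.IGNORECASE):
            reasons.append(why)
    return reasons

def scan(events):
    """Return (EventId, reasons) for each event that triggers at least one reason."""
    alerts = []
    for event in events:
        reasons = classify_event(event)
        if reasons:
            alerts.append((event["EventId"], reasons))
    return alerts
```

Running `scan(SAMPLE_EVENTS)` flags events 1 and 2 with their reasons and leaves the svchost.exe event and the vendor-installer mshta.exe launch unflagged.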
Command and Control Infrastructure
RAVENSHELL establishes remote access, while AGINGFLY provides full control over the infected system. SILENTLOOP ensures resilience by dynamically updating C2 infrastructure.
Data Exfiltration Techniques
Attackers extract browser credentials, cookies, and WhatsApp data. Tools are used to bypass encryption and access sensitive information.
Role of Threat Intelligence
Platforms like IntelligenceX help organizations identify exposed infrastructure and malicious domains.
Using IntelligenceX, security teams can proactively detect threats and reduce attack surfaces.
Final Thoughts
The campaign demonstrates the need for proactive cybersecurity strategies and better visibility into attack infrastructure.