From clinics to government: UAC-0247 expands cyber campaign across Ukraine
2026-4-16 09:36:30 Author: securityaffairs.com


CERT-UA reports UAC-0247 targeting Ukrainian clinics and government bodies with malware stealing data from Chromium browsers and WhatsApp.

CERT-UA has revealed a cyber campaign by the threat actor UAC-0247 targeting Ukrainian government entities and municipal healthcare facilities, including clinics and emergency hospitals. The operation, conducted between March and April 2026, used malware designed to steal sensitive data from Chromium-based browsers and WhatsApp. The origin of the threat actor remains unclear, raising concerns about ongoing espionage risks.

The attack begins with a phishing email posing as a humanitarian aid proposal, prompting the victim to click a link. To appear credible, attackers may use AI-generated fake websites or exploit legitimate sites vulnerable to XSS attacks.

Clicking the link downloads an archive containing a shortcut file that triggers an HTA execution chain. This retrieves a remote HTA file showing a decoy form while silently launching an EXE via a scheduled task.

The malware injects shellcode into legitimate processes like RuntimeBroker.exe. Recent variants use a two-stage loader with a custom executable format, delivering a compressed and encrypted payload. A reverse shell, often similar to RAVENSHELL, establishes a TCP connection with the command server, encrypts traffic via XOR, and executes commands.

“A typical TCP reverse shell or an analogue classified as RAVENSHELL can be used as stagers, which provides for establishing a TCP connection with the management server, encrypting traffic using 9-byte XOR (key: “01 01 02 03 74 15 04 FF EE”; during the first connection, an XOR-encrypted message “Connected!” is transmitted), as well as executing commands using CMD.” reads the report published by CERT-UA.
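The traffic details CERT-UA gives above (a fixed 9-byte XOR key and a constant "Connected!" first message) are exactly what a defender needs to recognise this stager on the wire. The following is an added example, not code from CERT-UA or from the malware: it derives the ciphertext bytes of the beacon as a network signature and decodes captured payloads for incident review. It assumes (the report does not say) that the key is applied as a repeating keystream starting at offset 0 of each message; the sample session at the bottom is constructed.

```python
# Added example: derive a wire signature for the RAVENSHELL-style stager and
# decode captured payloads. Key and beacon text come from the CERT-UA report;
# the keystream alignment (repeat from offset 0 per message) is an assumption.

RAVENSHELL_XOR_KEY = bytes.fromhex("01 01 02 03 74 15 04 FF EE")  # from the report
BEACON_PLAINTEXT = b"Connected!"                                  # from the report


def xor_decode(data: bytes, key: bytes = RAVENSHELL_XOR_KEY) -> bytes:
    """XOR data with a repeating key. XOR is symmetric, so this also encodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def beacon_signature() -> bytes:
    """On-the-wire bytes of the first message, usable as a byte-pattern match."""
    return xor_decode(BEACON_PLAINTEXT)


def suricata_content() -> str:
    """Same signature rendered as a Suricata/Snort hex content string."""
    return "|" + " ".join(f"{b:02x}" for b in beacon_signature()) + "|"


def looks_like_ravenshell(first_payload: bytes) -> bool:
    """True if the first client->server payload decodes to the known beacon."""
    head = first_payload[: len(BEACON_PLAINTEXT)]
    return xor_decode(head) == BEACON_PLAINTEXT


def decode_session(payloads: list[bytes]) -> list[str]:
    """Decode each captured payload independently (per-message keystream)."""
    return [xor_decode(p).decode("latin-1") for p in payloads]


# Constructed sample session (not a real capture): the beacon followed by an
# operator command, encoded with the report's key.
SAMPLE_PAYLOADS = [xor_decode(BEACON_PLAINTEXT), xor_decode(b"whoami\r\n")]

if __name__ == "__main__":
    print("beacon signature:", beacon_signature().hex())
    print("content match  :", suricata_content())
    print("beacon detected:", looks_like_ravenshell(SAMPLE_PAYLOADS[0]))
    for line in decode_session(SAMPLE_PAYLOADS):
        print("decoded:", repr(line))
```

Because the key is static and the first message is constant, the ten ciphertext bytes are the same in every infection, which makes them a reliable content match for the initial connection even when the C2 address changes.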

For persistence, the attackers deployed the malware AGINGFLY alongside a PowerShell script, SILENTLOOP, which manages commands, updates configuration, and retrieves C2 server data via Telegram with backup mechanisms.

AGINGFLY is a C# malware used to remotely control infected computers. It can run commands, download files, take screenshots, log keystrokes, and execute code. It communicates with its control server via encrypted web sockets using AES-CBC. Unlike typical malware, it doesn't store command functions locally; instead, it downloads them from the server and compiles them on the fly, making it more flexible and harder to detect.

CERT-UA experts analyzed multiple incidents, discovering that attackers stole credentials from browsers using CHROMELEVATOR and from WhatsApp via ZAPIXDESK, while also conducting reconnaissance and lateral movement within networks. They employ subnet scanners and tools like RUSTSCAN, and create covert tunnels using LIGOLO-NG and CHISEL. In one case, an XMRIG miner was deployed via a modified WIREGUARD executable. Targets include Ukrainian Defense personnel, with malware spread through a fake “BACHU” tool shared on Signal, leveraging DLL side-loading to deploy AGINGFLY.

“To reduce the likelihood of a cyberthreat, it is enough to limit the launch of LNK, HTA, and JS files, as well as legitimate utilities mshta.exe, powershell.exe, and wscript.exe, the necessity of which has been repeatedly emphasized in the context of reducing the attack surface by using standard operating system protection mechanisms.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, CERT-UA)

Source: https://securityaffairs.com/190875/apt/from-clinics-to-government-uac-0247-expands-cyber-campaign-across-ukraine.html