
UAC-0247's Expanding Cyber Campaign: Ukrainian Clinics and Government in Data-Theft Malware Crosshairs

  • 20 hours ago
  • 3 min read

Key Findings


  • UAC-0247 conducted a targeted campaign against Ukrainian government agencies and municipal healthcare facilities between March and April 2026

  • Attack chain begins with phishing emails posing as humanitarian aid proposals, using either AI-generated fake sites or legitimate sites compromised via XSS vulnerabilities

  • Malware payload steals sensitive data from Chromium-based browsers and WhatsApp through multiple custom and open-source tools

  • Evidence suggests Ukrainian Defense Forces personnel were also targeted via Signal with malicious ZIP archives

  • Origins of the threat actor remain unknown


Background


CERT-UA identified a coordinated cyber campaign targeting critical Ukrainian infrastructure, particularly healthcare institutions and government bodies. The operation revealed a sophisticated multi-stage attack methodology designed to establish persistent access and exfiltrate sensitive credentials and communications data. The campaign's scope and its targeting of defense-related personnel suggest a well-resourced threat actor with specific intelligence collection objectives.


Attack Chain and Initial Compromise


The campaign relies on social engineering as its entry point. Victims receive emails claiming to contain humanitarian aid proposals, complete with links designed to appear legitimate. When clicked, these links redirect to either compromised legitimate websites or AI-generated fake sites that closely mimic trusted sources.


The final destination delivers a Windows Shortcut file that triggers an HTA execution chain. The shortcut launches an HTML Application using Windows' native mshta.exe utility, which displays a decoy form to distract the victim. Meanwhile, the HTA silently executes a payload that injects shellcode into legitimate system processes like RuntimeBroker.exe.


Recent variants employ a two-stage loader architecture using a proprietary executable format with full support for code sections, data sections, and library imports. The final payload is compressed and encrypted to evade detection.


Malware Components and Capabilities


The attackers deployed several key malware families and tools to establish control and conduct espionage operations.


RAVENSHELL functions as an initial stager, establishing TCP connections with management servers while encrypting traffic using XOR encryption. It executes commands via cmd.exe and maintains persistence on infected systems.


AGINGFLY, a C# malware, serves as the primary remote access tool. It communicates with command servers via encrypted WebSockets using AES-CBC encryption. Notably, AGINGFLY doesn't store command functions locally. Instead, it downloads them from the server and compiles them on the fly, making detection significantly more difficult. The malware supports command execution, keylogging, file downloads, and arbitrary payload deployment.


SILENTLOOP, a PowerShell script, manages command execution, configuration updates, and C2 server address retrieval through Telegram channels with fallback mechanisms for resilience.


Data Theft Operations


The campaign employed both custom tools and open-source utilities to extract sensitive information from infected systems. ChromElevator was used to bypass Chromium's app-bound encryption protections, allowing attackers to harvest saved passwords and browser cookies. ZAPiXDESK, a forensic extraction tool, decrypted WhatsApp Web local databases to access messaging data.


Reconnaissance and lateral movement relied on RustScan for network scanning and on Ligolo-Ng and Chisel for establishing covert tunnels through compromised networks; the attackers also deployed XMRig to mine cryptocurrency on hijacked systems.


Defense Force Targeting


Analysis revealed that Ukrainian Defense Forces personnel were targeted through a separate vector. Attackers distributed malicious ZIP archives via Signal that appeared to contain a fake "BACHU" tool. These archives leveraged DLL side-loading techniques to deploy AGINGFLY on victim machines, suggesting a focused intelligence collection effort against military personnel.


Recommended Mitigations


CERT-UA recommends restricting execution of file types commonly abused in these attacks, including LNK, HTA, and JS files. System administrators should also limit execution of legitimate Windows utilities frequently repurposed for malicious purposes, specifically mshta.exe, powershell.exe, and wscript.exe. These restrictions significantly reduce the attack surface without severely impacting standard operations.
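Where outright blocking of mshta.exe, powershell.exe and wscript.exe is not practical, the same guidance translates into triage rules over process-creation telemetry. The following is an added example (not code from CERT-UA or any of the cited sources): it runs three rules over a constructed, flattened Sysmon Event ID 1 log and flags the LNK → mshta.exe → HTA launch described above, a script host spawning PowerShell, and any of the listed utilities started from Explorer. The log layout, paths and file names are all assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Windows utilities the CERT-UA guidance says to restrict (living-off-the-land binaries).
LOLBINS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# File types the guidance says to block, matched inside the command line.
PAYLOAD_EXT = re.compile(r"\.(hta|js|jse|vbs|lnk)\b", re.IGNORECASE)
# Directories an ordinary user can write to; a script host fed a file from here is suspicious.
USER_WRITABLE = re.compile(r"\\(Downloads|AppData|Temp)\\", re.IGNORECASE)
# Flattened Sysmon Event ID 1 layout assumed for this example (constructed, not the report's format).
EVENT = re.compile(r"Image=(?P<Image>.+?) ParentImage=(?P<ParentImage>.+?) CommandLine=(?P<CommandLine>.*)$")

# Constructed sample log; paths and file names are invented, not indicators from the report.
SAMPLE_LOG = r"""
Image=C:\Windows\System32\mshta.exe ParentImage=C:\Windows\explorer.exe CommandLine="mshta.exe" "C:\Users\u\Downloads\Proposal.hta"
Image=C:\Windows\System32\RuntimeBroker.exe ParentImage=C:\Windows\System32\svchost.exe CommandLine=RuntimeBroker.exe -Embedding
Image=C:\Windows\System32\wscript.exe ParentImage=C:\Windows\explorer.exe CommandLine=wscript.exe C:\Users\u\AppData\Local\Temp\invoice.js
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\System32\mshta.exe CommandLine=powershell.exe -nop -w hidden -enc AAAA
Image=C:\Program Files\Git\cmd\git.exe ParentImage=C:\Windows\explorer.exe CommandLine=git status
"""

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: Dict[str, str]) -> List[str]:
    """Names of the rules one parsed event trips; an empty list means nothing of interest."""
    img, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
    hits: List[str] = []
    if img not in LOLBINS:
        return hits
    # Rule 1: script host handed an HTA/JS/VBS/LNK payload from a user-writable path.
    # The LNK -> mshta.exe -> HTA chain from the report lands here.
    if PAYLOAD_EXT.search(cmd) and USER_WRITABLE.search(cmd):
        hits.append("script-host-user-path-payload")
    # Rule 2: a script host spawning PowerShell, the usual shape of a second stage launched by an HTA.
    if img == "powershell.exe" and parent in {"mshta.exe", "wscript.exe", "cscript.exe"}:
        hits.append("script-host-spawns-powershell")
    # Rule 3: launched from Explorer, which is what double-clicking a shortcut looks like.
    if parent == "explorer.exe":
        hits.append("lolbin-from-explorer")
    return hits

def scan(log: str) -> List[Tuple[str, List[str]]]:
    """(image basename, tripped rules) for every event that trips at least one rule."""
    findings = []
    for line in log.splitlines():
        m = EVENT.search(line)  # skip lines that do not fit the assumed layout
        if m and (rules := classify(m.groupdict())):
            findings.append((basename(m.group("Image")), rules))
    return findings
```

Rule 3 on its own is noisy on administrator workstations where PowerShell is launched interactively; treat it as a triage signal to combine with the other two rather than an alert by itself.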


Sources


  • https://thehackernews.com/2026/04/uac-0247-targets-ukrainian-clinics-and.html

  • https://securityaffairs.com/190875/apt/from-clinics-to-government-uac-0247-expands-cyber-campaign-across-ukraine.html

  • https://x.com/shah_sheikh/status/2044669949227254116

  • https://www.cypro.se/2026/04/16/uac-0247-targets-ukrainian-clinics-and-government-in-data-theft-malware-campaign/


© 2025 by Explain IT Again. Powered and secured by Wix
