Sophisticated Cyberattack UAC-0247 Targets Ukrainian Hospitals, Government; Data Theft and Reconnaissance Reported

UAC-0247 Cyberattack Targets Ukrainian Hospitals and Government Entities

A sophisticated cyberattack campaign, identified as UAC-0247, has been actively targeting Ukrainian local governments and healthcare institutions since early 2026. The campaign focuses on stealing sensitive data from internet browsers and WhatsApp, while also conducting stealthy network reconnaissance to expand its reach.

Initial Attack Vector:

The attack begins with deceptive emails crafted to appear as humanitarian aid discussions. These emails contain links that, when clicked, lead the recipient to either a fabricated website created using artificial intelligence tools or a legitimate third-party site with a Cross-Site Scripting (XSS) vulnerability. Clicking the link results in the download of an archive file. Upon opening this archive, a shortcut file activates the standard HTA file processing tool, which then retrieves and executes a remote HTA file. This process distracts the victim with a decoy form while a background task deploys and runs an executable file through a scheduled task.

Targeted Entities:

CERT-UA analysts have documented this activity as part of an intensified wave of cyberattacks recorded during March and April 2026. The same threat cluster has also targeted representatives of Ukraine’s Defense Forces and FPV drone operators. In one confirmed incident on March 10, 2026, an archive named bachu.zip was distributed via the Signal messenger, masquerading as an updated version of the BACHU software tool used by FPV operators. This archive contained a DLL file that launched the AGINGFLY malware through a DLL side-loading technique upon execution of the main executable.

Malware and Tools Utilized:

The campaign employs a variety of tools to achieve its objectives:

– CHROMELEVATOR: Extracts authentication data and other stored credentials from internet browsers.

– ZAPIXDESK: Specifically designed to steal data from the WhatsApp messenger application.

– Network Scanners: Basic subnet scanners and the publicly available RUSTSCAN tool are used to map out internal networks.

– Tunneling Tools: LIGOLO-NG and CHISEL are deployed to establish hidden network tunnels.

– Cryptocurrency Miner: In some cases, the XMRIG miner is used, packaged as a DLL and loaded through a patched version of the legitimate WIREGUARD program.

AGINGFLY Malware:

At the core of this campaign is the AGINGFLY remote access tool, written in C#. It provides the attacker with comprehensive remote control capabilities, including command execution, file downloading, screenshot capture, keylogging, and in-memory code execution. Notably, AGINGFLY’s command handlers are not embedded within the malware itself; instead, they are downloaded from the command-and-control (C2) server as source code and compiled on the fly within the infected system. Communication with the C2 server is conducted through web sockets, with all traffic encrypted using the AES-CBC algorithm with a static key.

Persistence Mechanisms:

To maintain a persistent presence, the campaign utilizes a PowerShell script named SILENTLOOP. This script automatically executes commands, updates its configuration, and retrieves the latest C2 server IP address from a Telegram channel. If the primary Telegram source is unavailable, SILENTLOOP supports backup mechanisms to locate the C2 address. The initial access stage employs either a TCP reverse shell or RAVENSHELL, which establishes an encrypted TCP connection using a 9-byte XOR key and communicates with the management server.
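The 9-byte repeating XOR that RAVENSHELL uses is the kind of encoding an incident responder can strip from captured traffic without any key material from the sample: one message whose plaintext is already known (for example from a sandbox run) is enough to recover the key and read the rest of the session. The following is an added illustration of that known-plaintext recovery, not CERT-UA's or the malware's code; the key, the crib and the messages are constructed, and only the 9-byte key length comes from the advisory.

```python
from typing import Optional

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same call both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def keystream_period(stream: bytes, max_len: int = 32) -> Optional[int]:
    """Smallest p (1..max_len) such that the stream repeats every p bytes,
    checked against at least one byte pair; None if no period fits."""
    for p in range(1, min(max_len, len(stream) - 1) + 1):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return None

def recover_key(cipher: bytes, crib: bytes, max_len: int = 32) -> Optional[bytes]:
    """Known-plaintext recovery of a repeating XOR key.
    cipher XOR crib yields the keystream; if that keystream repeats with a
    period no longer than half the crib, the repeating unit is the key.
    Returns None when the crib is too short to confirm the period."""
    if len(crib) > len(cipher):
        raise ValueError("crib is longer than the captured data")
    stream = bytes(c ^ p for c, p in zip(cipher, crib))
    period = keystream_period(stream, max_len)
    if period is None or 2 * period > len(crib):
        return None
    return stream[:period]

# Constructed sample data: not a real key, not real captures.
KEY = bytes([0x3a, 0x91, 0x07, 0xc4, 0x5e, 0x22, 0xb8, 0x6d, 0xf0])  # 9 bytes, as the advisory reports
CRIB = b"hello from sandbox host lab-vm01\n"   # plaintext of the first message, observed in a sandbox
LATER = b"dir C:\\Users\\Public\n"             # a later message the analyst wants to read

def decode_later_capture() -> bytes:
    """Recover the key from the message with known plaintext, then decode a later one."""
    first_capture = xor_bytes(CRIB, KEY)    # stands in for bytes captured off the wire
    later_capture = xor_bytes(LATER, KEY)
    key = recover_key(first_capture, CRIB)
    if key is None:
        raise RuntimeError("crib too short to confirm the key period")
    return xor_bytes(later_capture, key)

if __name__ == "__main__":
    print(decode_later_capture())
```

A crib shorter than twice the key length cannot confirm the period, so `recover_key` refuses rather than returning a guess; the same routine applies to any static repeating-key XOR, not only a 9-byte one.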

Implications and Recommendations:

The UAC-0247 campaign underscores the evolving sophistication of cyber threats targeting critical infrastructure. Organizations, especially those in the healthcare and government sectors, must remain vigilant and implement robust cybersecurity measures. This includes regular security training for staff, updating and patching systems promptly, and employing advanced threat detection and response solutions to mitigate the risk of such attacks.