{"id":613,"date":"2026-04-16T07:40:31","date_gmt":"2026-04-16T07:40:31","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=613"},"modified":"2026-04-16T07:40:31","modified_gmt":"2026-04-16T07:40:31","slug":"uac-0247-targets-ukrainian-clinics-and-government-in-data-theft-malware-campaign","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=613","title":{"rendered":"UAC-0247 Targets Ukrainian Clinics and Government in Data-Theft Malware Campaign"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>Apr 16, 2026<\/span><\/span>Malware \/ Threat Intelligence<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

The Computer Emergencies Response Team of Ukraine (CERT-UA)\u00a0has disclosed<\/a> details of a new\u00a0campaign that has\u00a0targeted governments and municipal healthcare institutions, mainly clinics and emergency hospitals, to deliver malware capable of stealing sensitive data from Chromium-based web browsers and\u00a0WhatsApp.<\/p>\n

The activity,\u00a0which was\u00a0observed between March and April 2026, has been attributed to a threat cluster\u00a0dubbed UAC-0247<\/strong>. The\u00a0origins of the campaign are presently\u00a0unknown.<\/p>\n

According to CERT-UA, the starting point of the attack chain is an email message claiming to be a humanitarian aid proposal, urging recipients to click on a link that redirects to either a legitimate website compromised via a cross-site scripting (XSS) vulnerability or a bogus site created with help from artificial intelligence (AI)\u00a0tools.<\/p>\n

Regardless\u00a0of what the\u00a0site is, the goal is to download and run a Windows Shortcut (LNK) file, which then executes a remote HTML Application (HTA) using the native Windows\u00a0utility, \u00abmshta.exe.\u00bbThe HTA file, for its part, displays a decoy form to divert the victim’s\u00a0attention, while simultaneously fetching a\u00a0binary responsible for\u00a0injecting shellcode into a legitimate process (e.g., \u00abruntimeBroker.exe\u00bb).<\/p>\n

<\/p>\n

\u00abAt the same time, recent campaigns have recorded the use of a two-stage loader, the second stage of\u00a0which is implemented using a proprietary executable file format (with full support for code and data sections, import of functions from dynamic libraries, and relocation), and the final payload is additionally compressed and encrypted,\u00bb CERT-UA\u00a0said.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

One of the stagers is a tool called TCP reverse shell or its equivalent, tracked as RAVENSHELL, which establishes a TCP connection with a management server to receive\u00a0commands for\u00a0execution on the host using \u00abcmd.exe.\u00bb<\/p>\n

Also downloaded to the infected machine is a malware family dubbed AGINGFLY and a PowerShell script referred to as SILENTLOOP that comes with several functions to execute commands, auto-update configuration, and obtain the current IP address of the management server from a Telegram channel, and fall back to alternative mechanisms for determining the command-and-control (C2)\u00a0address.<\/p>\n

Developed using C#,\u00a0AGINGFLY is engineered to provide remote control of the affected systems. It\u00a0communicates with a C2 server using WebSockets to fetch commands that allow it to run commands, launch a keylogger, download files, and run additional\u00a0payloads.<\/p>\n

\"\"<\/a><\/div>\n

An investigation of about a dozen incidents has revealed that these attacks facilitate reconnaissance, lateral movement, and the theft of credentials and other sensitive data from WhatsApp and Chromium-based\u00a0browsers. Thisis accomplished by deploying various open-source tools, such as those listed below\u00a0–<\/p>\n