A newly uncovered cyber espionage operation has raised concerns after Ukraine’s national cybersecurity authority, the Computer Emergency Response Team of Ukraine (CERT-UA), revealed a coordinated malware campaign aimed at government institutions and healthcare facilities. The attacks primarily focus on clinics and emergency hospitals, with the objective of stealing highly sensitive data.
Attack Timeline and Threat Actor Profile
Security analysts observed this activity between March and April 2026. The campaign has been linked to a previously unidentified threat cluster known as UAC-0247. At present, investigators have not confirmed the origin or affiliations behind this group, making attribution difficult.
How the Attack Begins
The attack chain starts with deceptive phishing emails disguised as humanitarian aid proposals. These messages attempt to persuade recipients to click on embedded links.
Once clicked, users are redirected to either:
- A legitimate website compromised through a Cross-Site Scripting (XSS) flaw
- A fake website generated using artificial intelligence tools
In both scenarios, the ultimate goal is to trick victims into downloading a malicious Windows shortcut file.
Malware Execution Process
After download, the malicious file triggers a multi-stage infection process:
- A Windows Shortcut (LNK) file executes an HTML Application using the built-in Windows tool mshta.exe
- The HTA file displays a decoy form to distract the user
- Meanwhile, a hidden payload injects malicious shellcode into legitimate system processes such as RuntimeBroker.exe
This technique helps attackers evade detection while maintaining persistence inside the compromised system.
Advanced Payload Delivery and Tools
CERT-UA reports that some attacks utilize a sophisticated two-stage loader system. The final payload is both compressed and encrypted, enhancing stealth.
Key malware and tools involved in the campaign include:
- RAVENSHELL: a reverse TCP shell that connects to a remote server and executes commands via cmd.exe
- AGINGFLY: a C#-based malware that enables full remote control, including command execution, file downloads, and keylogging
- SILENTLOOP: a PowerShell script capable of:
  - Executing commands
  - Updating configurations automatically
  - Retrieving command-and-control server IPs from Telegram
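The infection chain above (LNK launching an HTA through mshta.exe, shellcode injected into RuntimeBroker.exe, a PowerShell component fetching C2 addresses from Telegram) gives a defender three concrete telemetry checks. The script below is an added illustration, not CERT-UA's own detection content; it runs over constructed Sysmon-style events (process creation, CreateRemoteThread, network connection) whose field names and paths are assumptions for the example.

```python
"""Toy detection pass over constructed Sysmon-style events that mirror
the LNK -> mshta.exe -> RuntimeBroker.exe injection chain and the
PowerShell-to-Telegram C2 lookup described in the article."""
import re

# Constructed sample events (not real telemetry); fields are simplified.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\mshta.exe ParentImage=C:\Windows\explorer.exe CommandLine="mshta.exe C:\Users\u\Downloads\aid_proposal.hta"',
    r'EventID=8 SourceImage=C:\Windows\System32\mshta.exe TargetImage=C:\Windows\System32\RuntimeBroker.exe',
    r'EventID=3 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe DestinationHostname=api.telegram.org DestinationPort=443',
    r'EventID=1 Image=C:\Windows\System32\RuntimeBroker.exe ParentImage=C:\Windows\System32\svchost.exe CommandLine="RuntimeBroker.exe -Embedding"',
]

# key=value pairs; a quoted value may contain spaces (CommandLine).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one 'key=value key="value with spaces"' line into a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(event):
    """Return the rule names triggered by one parsed event."""
    hits = []
    eid = event.get("EventID")
    # Rule 1: mshta.exe invoked with an .hta argument (LNK -> HTA stage).
    if eid == "1" and basename(event.get("Image", "")) == "mshta.exe" \
            and ".hta" in event.get("CommandLine", "").lower():
        hits.append("mshta_executes_hta")
    # Rule 2: a script host opens a remote thread in RuntimeBroker.exe
    # (the injection stage); RuntimeBroker is not a normal injection target.
    if eid == "8" and basename(event.get("TargetImage", "")) == "runtimebroker.exe" \
            and basename(event.get("SourceImage", "")) in {"mshta.exe", "powershell.exe"}:
        hits.append("remote_thread_into_runtimebroker")
    # Rule 3: PowerShell talking to Telegram (SILENTLOOP's C2 lookup).
    if eid == "3" and basename(event.get("Image", "")) == "powershell.exe" \
            and event.get("DestinationHostname", "").endswith("telegram.org"):
        hits.append("powershell_contacts_telegram")
    return hits

def scan(lines):
    """(line index, rule) pairs for every alert across a batch of events."""
    return [(i, h) for i, line in enumerate(lines) for h in detect(parse_event(line))]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The fourth event, RuntimeBroker.exe started normally by svchost.exe, produces no alert, which is the baseline these rules must stay quiet on.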

Data Theft and Network Exploitation
Analysis of multiple incidents confirms that attackers aim to:
- Conduct system reconnaissance
- Move laterally across networks
- Steal credentials and sensitive information
The campaign specifically targets data from:
- Chromium-based browsers
- WhatsApp accounts
To achieve this, attackers deploy several open-source tools:
- ChromElevator for bypassing browser encryption and extracting cookies and passwords
- ZAPiXDESK to decrypt WhatsApp Web data
- RustScan for rapid network scanning
- Ligolo-Ng for tunneling connections
- Chisel to route traffic over TCP or UDP
- XMRig for unauthorized cryptocurrency mining
Expansion to Military Targets
Investigators believe that members of Ukraine’s defense sector may also be affected. This conclusion is based on evidence showing the distribution of malicious ZIP files through the Signal platform. These files use DLL side-loading techniques to deploy AGINGFLY malware.
Mitigation and Security Recommendations
To reduce exposure to this threat, CERT-UA advises organizations to limit execution of potentially dangerous file types and tools, including:
- LNK, HTA, and JavaScript files
- System utilities like PowerShell and Windows Script Host
Strengthening endpoint security, monitoring suspicious activity, and restricting unnecessary script execution can significantly lower the risk.