GBHackers

UAC-0247 Hits Hospitals, Governments With Browser and WhatsApp Data Theft


A surge of targeted cyberattacks was detected against local governments and municipal healthcare institutions, particularly clinical and ambulance hospitals.

The campaign has been attributed to threat cluster UAC-0247, known for advanced data theft, persistence, and lateral movement methods.

The attack chain begins with well-crafted phishing emails that appear to discuss humanitarian aid proposals. These emails typically contain links leading to malicious web resources.

In some cases, the threat actors create entire fake nonprofit websites using artificial intelligence, while in others, they exploit legitimate but vulnerable sites through cross-site scripting (XSS) to host malicious payloads.

Ukraine’s national Computer Emergency Response Team (CERT-UA) has alerted that this surge of targeted cyberattacks was observed between March and April 2026.

When victims click the link, an archive is downloaded containing a shortcut (.LNK) file. Opening this file triggers the mshta.exe utility, which processes an HTA script.

This script retrieves and executes remote content, displaying a decoy form to distract the user while silently deploying an executable (.EXE) payload via a scheduled task.

Encrypted Reverse Shells

Recent incidents show the use of a sophisticated two-stage loader. The second stage employs a proprietary executable format supporting custom code sections, dynamic imports, and relocation features.

The final payload, heavily compressed and encrypted, drops a TCP reverse shell known as RAVENSHELL.

This stager connects back to the attackers’ command server, encrypting its traffic using a 9-byte XOR key and sending an initial “Connected!” message before executing further commands through CMD.
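As an added example (not code from the article or from CERT-UA), the following shows how an analyst with a packet capture can use the fixed “Connected!” banner as known plaintext to recover a repeating 9-byte XOR key and decrypt the rest of the session. It assumes the key is applied cyclically (byte i XORed with key[i mod 9]) and that the banner is sent encrypted as the first message; the key and captured bytes below are constructed sample data.

```python
# Added example: known-plaintext recovery of a repeating 9-byte XOR key from
# captured reverse-shell traffic, then decryption of the remaining messages.
# Assumptions (not confirmed by the report): the key is applied cyclically and
# the "Connected!" banner is the first, encrypted message of the session.

KEY_LEN = 9
BANNER = b"Connected!"  # 10 bytes: enough to cover every position of a 9-byte key


def xor_cycle(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(first_message: bytes, known_plaintext: bytes = BANNER,
                key_len: int = KEY_LEN) -> bytes:
    """Derive the key from the first captured message, which should carry the banner.

    Raises ValueError if the plaintext is too short to cover the key or if the
    bytes past the key length contradict the repeating-key assumption.
    """
    if len(known_plaintext) < key_len or len(first_message) < len(known_plaintext):
        raise ValueError("known plaintext does not cover the full key")
    key = bytes(first_message[i] ^ known_plaintext[i] for i in range(key_len))
    # Any banner byte beyond key_len must match the wrapped-around key byte.
    for i in range(key_len, len(known_plaintext)):
        if first_message[i] ^ known_plaintext[i] != key[i % key_len]:
            raise ValueError(f"capture is not consistent with a repeating {key_len}-byte key")
    return key


def decrypt_session(messages, known_plaintext: bytes = BANNER):
    """Recover the key from messages[0] and return (key, decrypted messages)."""
    key = recover_key(messages[0], known_plaintext)
    return key, [xor_cycle(m, key) for m in messages]


# Constructed sample capture standing in for bytes carved from a pcap.
_SAMPLE_KEY = bytes.fromhex("5a1f3c8890e7021b44")  # constructed, 9 bytes
SAMPLE_CAPTURE = [
    xor_cycle(b"Connected!", _SAMPLE_KEY),
    xor_cycle(b"hostname\r\n", _SAMPLE_KEY),
    xor_cycle(b"ver\r\n", _SAMPLE_KEY),
]

if __name__ == "__main__":
    key, plaintexts = decrypt_session(SAMPLE_CAPTURE)
    print("recovered key:", key.hex())
    for p in plaintexts:
        print(repr(p))
```

Because the banner is one byte longer than the key, a single captured banner both determines every key byte and gives one check position for the repeating-key hypothesis.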

Once a foothold is established, the malware deploys AGINGFLY, a C#-based remote administration tool designed for full control over the infected host.

It enables command execution, file transfer, screenshot capture, keylogging, and arbitrary code execution over encrypted web socket communication.

A distinguishing feature of AGINGFLY is its dynamic command system: handlers are downloaded as source code from the command server and compiled at runtime.

CERT-UA also identified the use of a PowerShell script named SILENTLOOP, which manages ongoing C2 communication through Telegram channels and updates configuration parameters automatically.

This mechanism allows the attackers to maintain connectivity even if their primary infrastructure is disrupted.

Stealing Browser and WhatsApp Data

For data theft, the attackers employ two dedicated tools: CHROMELEVATOR to extract stored browser credentials and cookies, and ZAPIXDESK to exfiltrate WhatsApp data from desktop applications.

Analysis of multiple affected systems revealed additional reconnaissance and lateral movement using both custom subnet scanners and public tools like RUSTSCAN, with tunneling via LIGOLO-NG and CHISEL.

In one case, investigators found an XMRIG cryptocurrency miner running as a DLL, stealthily loaded through a patched version of the WIREGUARD VPN client.

CERT-UA advises organizations to restrict execution of LNK, HTA, and JS files, and to limit the use of scripting and administrative utilities like mshta.exe, powershell.exe, and wscript.exe.

Implementing these controls can significantly reduce exposure to the evolving activity linked to the UAC-0247 cluster, a persistent threat now actively targeting healthcare and government infrastructure across Ukraine.
