{"id":45477,"date":"2026-04-16T18:36:46","date_gmt":"2026-04-16T10:36:46","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/16\/uac-0247-targets-ukrainian-clinics-and-government-in-data-theft-malware-campaign\/"},"modified":"2026-04-16T18:36:46","modified_gmt":"2026-04-16T10:36:46","slug":"uac-0247-targets-ukrainian-clinics-and-government-in-data-theft-malware-campaign","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/16\/uac-0247-targets-ukrainian-clinics-and-government-in-data-theft-malware-campaign\/","title":{"rendered":"UAC-0247 Targets Ukrainian Clinics and Government in Data-Theft Malware Campaign"},"content":{"rendered":"
\"UAC-0247<\/a><\/div>\n

The Computer Emergencies Response Team of Ukraine (CERT-UA) has disclosed<\/a> details of a new campaign that has targeted governments and municipal healthcare institutions, mainly clinics and emergency hospitals, to deliver malware capable of stealing sensitive data from Chromium-based web browsers and WhatsApp.<\/p>\n

The activity, which was observed between March and April 2026, has been attributed to a threat cluster dubbed UAC-0247<\/strong>. The origins of the campaign are presently unknown.<\/p>\n

According to CERT-UA, the starting point of the attack chain is an email message claiming to be a humanitarian aid proposal, urging recipients to click on a link that redirects to either a legitimate website compromised via a cross-site scripting (XSS) vulnerability or a bogus site created with help from artificial intelligence (AI) tools.<\/p>\n

Regardless of what the site is, the goal is to download and run a Windows Shortcut (LNK) file, which then executes a remote HTML Application (HTA) using the native Windows utility, “mshta.exe.”The HTA file, for its part, displays a decoy form to divert the victim’s attention, while simultaneously fetching a binary responsible for injecting shellcode into a legitimate process (e.g., “runtimeBroker.exe”).<\/p>\n

<\/a> <\/p>\n

“At the same time, recent campaigns have recorded the use of a two-stage loader, the second stage of which is implemented using a proprietary executable file format (with full support for code and data sections, import of functions from dynamic libraries, and relocation), and the final payload is additionally compressed and encrypted,” CERT-UA said.<\/p>\n

One of the stagers is a tool called TCP reverse shell or its equivalent, tracked as RAVENSHELL, which establishes a TCP connection with a management server to receive commands for execution on the host using “cmd.exe.”<\/p>\n

Also downloaded to the infected machine is a malware family dubbed AGINGFLY and a PowerShell script referred to as SILENTLOOP that comes with several functions to execute commands, auto-update configuration, and obtain the current IP address of the management server from a Telegram channel, and fall back to alternative mechanisms for determining the command-and-control (C2) address.<\/p>\n

Developed using C#, AGINGFLY is engineered to provide remote control of the affected systems. It communicates with a C2 server using WebSockets to fetch commands that allow it to run commands, launch a keylogger, download files, and run additional payloads.<\/p>\n

\"UAC-0247<\/a><\/div>\n

An investigation of about a dozen incidents has revealed that these attacks facilitate reconnaissance, lateral movement, and the theft of credentials and other sensitive data from WhatsApp and Chromium-based browsers. Thisis accomplished by deploying various open-source tools, such as those listed below –<\/p>\n