New UAC-0247 campaign steals browser and WhatsApp data from hospitals and governments


A new cyber campaign tied to the UAC-0247 threat cluster has targeted Ukrainian local governments and municipal healthcare organizations, including clinics and emergency hospitals. The operation focused on stealing data from Chromium-based browsers and WhatsApp, while also giving attackers room to move deeper into compromised networks.

The activity took place during March and April 2026, according to CERT-UA. Ukraine’s incident responders said the same cluster also appeared in attacks involving FPV drone operators, which suggests the campaign reached beyond civilian institutions and into sectors with direct wartime relevance.

The entry point was simple. Victims received emails framed as humanitarian aid discussions and were pushed to click a link that either led to an AI-built fake site or to a legitimate site abused through a cross-site scripting flaw. From there, the victim downloaded an archive that started the infection chain.

How the infection chain works

Once the archive was opened, a shortcut file launched the Windows HTA handler through mshta.exe, pulled a remote HTA file, and showed a decoy form while a background task dropped and ran the real payload. CERT-UA also described recent cases that used a two-stage loader, with the final payload compressed and encrypted before execution.
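The chain above (a double-clicked shortcut, mshta.exe fetching a remote HTA, a background task dropping the payload) can be expressed as a small hunt over process-creation telemetry. The following PowerShell is an added example, not CERT-UA's or VPNCentral's code: the sample events are constructed for illustration, the URL is a placeholder, and the indicators are derived only from the behaviour the article describes.

```powershell
# Added example (not from the CERT-UA bulletin): flag process-creation events that match
# the LNK -> mshta.exe -> remote HTA -> scheduled task chain described above.
# The sample events below are constructed for illustration, not real telemetry.

function Test-SuspiciousHtaLaunch {
    param([Parameter(Mandatory)] $Event)   # object with Image, ParentImage, CommandLine

    $image  = [System.IO.Path]::GetFileName($Event.Image).ToLowerInvariant()
    $parent = [System.IO.Path]::GetFileName($Event.ParentImage).ToLowerInvariant()
    $cmd    = $Event.CommandLine
    $reasons = @()

    # mshta.exe handed a URL or an .hta path: remote HTA retrieval
    if ($image -eq 'mshta.exe' -and $cmd -match '(?i)https?://|\.hta\b') {
        $reasons += 'mshta.exe loading a remote or local HTA'
    }
    # explorer.exe spawning a script host is what a double-clicked LNK or archive entry looks like
    if ($parent -eq 'explorer.exe' -and $image -in 'mshta.exe','powershell.exe','wscript.exe','cscript.exe') {
        $reasons += "$image launched directly from explorer.exe"
    }
    # a script host creating a scheduled task matches the 'background task' step
    if ($image -eq 'schtasks.exe' -and $cmd -match '(?i)/create' -and
        $parent -in 'mshta.exe','powershell.exe','wscript.exe','cscript.exe') {
        $reasons += "scheduled task created by $parent"
    }
    return $reasons
}

# Constructed sample events using Sysmon Event ID 1 field names (placeholder URL)
$sampleEvents = @(
    [pscustomobject]@{ Image='C:\Windows\System32\mshta.exe';     ParentImage='C:\Windows\explorer.exe';
                       CommandLine='"C:\Windows\System32\mshta.exe" http://example.invalid/form.hta' },
    [pscustomobject]@{ Image='C:\Windows\System32\schtasks.exe';  ParentImage='C:\Windows\System32\mshta.exe';
                       CommandLine='schtasks /create /tn Updater /tr powershell.exe /sc minute' },
    [pscustomobject]@{ Image='C:\Windows\System32\notepad.exe';   ParentImage='C:\Windows\explorer.exe';
                       CommandLine='notepad.exe report.txt' }
)

foreach ($e in $sampleEvents) {
    $hits = Test-SuspiciousHtaLaunch -Event $e
    if ($hits) { "{0}`n    -> {1}" -f $e.CommandLine, ($hits -join '; ') }
}

# On a real host, replace the samples with Sysmon process-creation events:
# Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Sysmon/Operational'; Id=1 } | ForEach-Object {
#     $x = [xml]$_.ToXml(); $d = @{}
#     $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#     [pscustomobject]$d
# } | Where-Object { Test-SuspiciousHtaLaunch -Event $_ }
```

The first two sample events are flagged (mshta.exe with a URL from explorer.exe, then schtasks.exe /create under mshta.exe); the notepad launch is not. Legitimate local HTAs exist in some estates, so treat the mshta rule as a lead to review rather than an automatic block.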

One confirmed case on March 10 used Signal to distribute a file named bachu.zip, which pretended to be an updated version of the BACHU software tool used by FPV operators. CERT-UA said the archive actually contained a DLL that launched AGINGFLY through DLL side-loading as soon as the main executable ran.

The campaign did more than steal files. CERT-UA linked UAC-0247 to CHROMELEVATOR for browser credential theft, ZAPIXDESK for WhatsApp theft, RUSTSCAN for internal network mapping, LIGOLO-NG and CHISEL for covert tunnels, and in one case an XMRIG miner loaded through a modified WireGuard program.

What AGINGFLY gives attackers

AGINGFLY appears to be the main remote access malware in this campaign. Reporting tied to the CERT-UA bulletin says it is written in C# and supports remote command execution, file download, screenshot capture, keylogging, and in-memory code execution, which gives operators both theft and long-term access.

A notable detail is how the malware extends itself after infection. Instead of carrying every command handler inside the main implant, AGINGFLY can fetch source code from its command server and compile that code directly on the infected machine, which gives the operators flexibility without constantly replacing the core malware.

Persistence also matters here. CERT-UA said the attackers used a PowerShell script called SILENTLOOP to run commands, refresh configuration, and pull updated command-and-control server addresses from a Telegram channel, while earlier-stage access could rely on a TCP reverse shell or RAVENSHELL with XOR-encrypted traffic.

Key technical elements at a glance

Component: Reported role in the campaign

Phishing email: Starts the attack with a humanitarian aid lure
Fake or abused website: Delivers the malicious archive through an AI-built site or an XSS-abused legitimate site
LNK + HTA chain: Launches the infection through mshta.exe and a remote HTA file
AGINGFLY: Main remote access malware used for control and collection
CHROMELEVATOR: Steals browser authentication data and stored credentials
ZAPIXDESK: Steals WhatsApp data
RUSTSCAN: Maps internal subnets and hosts
LIGOLO-NG / CHISEL: Creates covert tunnels for movement and access
SILENTLOOP: Maintains persistence and updates C2 information
XMRIG via patched WireGuard: Shows at least one case where monetization or resource abuse followed compromise

The bigger issue is not just data theft. This campaign combines phishing, living-off-the-land execution, remote access, lateral movement, and persistence in one chain, which makes it dangerous for hospitals and public institutions that often rely on mixed software estates and limited security staff.

CERT-UA’s advice is direct. Organizations should restrict the execution of LNK, HTA, and JS files, and they should limit or closely control utilities such as mshta.exe, powershell.exe, and wscript.exe, because attackers keep abusing them to blend into normal Windows activity. Microsoft’s own Defender guidance supports that approach through attack surface reduction rules and application control policies aimed at risky script and executable behavior.

What defenders should do now

  • Block or tightly restrict LNK, HTA, and JS execution where business operations allow it.
  • Review and control the use of mshta.exe, powershell.exe, wscript.exe, and similar script-capable utilities.
  • Hunt for unusual scheduled tasks, remote HTA retrieval, and outbound connections to newly observed IP addresses.
  • Check endpoints for credential theft from Chromium browsers and for suspicious access to WhatsApp desktop data stores.
  • Look for network scanning and tunneling activity tied to RUSTSCAN, LIGOLO-NG, and CHISEL.
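The first two recommendations above can be applied on a Windows endpoint with Defender's attack surface reduction (ASR) rules and by taking mshta.exe and wscript.exe out of the double-click path for script files. The script below is an added example, not CERT-UA's guidance or a Microsoft script: the rule GUIDs are Microsoft's published ASR rule IDs, while the file-association change is a common hardening step that is not in the CERT-UA bulletin and must be tested against business workflows first. Run it elevated, starting with -Audit.

```powershell
# Added example (not from the CERT-UA bulletin): restrict HTA/JS/VBS execution and the
# script hosts that run them. Run as administrator. -Audit reports without changing anything.
param([switch]$Audit)

# 1. Defender ASR rules aimed at script-based delivery. GUIDs are Microsoft's published rule IDs.
$asrRules = @{
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
}
$action = if ($Audit) { 'AuditMode' } else { 'Enabled' }
foreach ($id in $asrRules.Keys) {
    # Add-MpPreference appends to the existing rule list rather than overwriting it
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $action
    "ASR $action : $($asrRules[$id])"
}

# 2. Make double-clicked .hta/.js/.jse/.vbs/.vbe/.wsf files open in Notepad instead of
#    mshta.exe / wscript.exe (hypothetical hardening step; back up the current handler first).
#    LNK files cannot be neutralised this way; use ASR, AppLocker or WDAC for those.
$progIds = 'htafile','JSFile','JSEFile','VBSFile','VBEFile','WSFFile'
$backup  = @{}
foreach ($p in $progIds) {
    $key = "HKLM:\SOFTWARE\Classes\$p\shell\open\command"
    if (-not (Test-Path $key)) { continue }
    $backup[$p] = (Get-ItemProperty -Path $key).'(default)'
    if (-not $Audit) {
        Set-ItemProperty -Path $key -Name '(default)' -Value '"C:\Windows\System32\notepad.exe" "%1"'
    }
    "{0}: {1} -> notepad.exe" -f $p, $backup[$p]
}
$backupPath = Join-Path $env:ProgramData 'script-handler-backup.json'
$backup | ConvertTo-Json | Set-Content -Path $backupPath
"Previous handlers saved to $backupPath"

# 3. Show the ASR rule IDs now in effect so the change can be verified.
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
```

Leave the rules in AuditMode for a period and review the resulting Defender events before switching to Enabled; clinical or administrative tools that still ship as HTA or script wrappers will show up there, and those exceptions are better handled with an allow-list than by leaving the rule off.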

FAQ

What is UAC-0247 targeting in this campaign?

CERT-UA says the cluster targeted Ukrainian local governments and municipal healthcare institutions, including clinics and emergency hospitals. Related activity also touched FPV drone operators.

What data are the attackers trying to steal?

The reported focus includes authentication and stored data from Chromium-based browsers, plus data from WhatsApp through a dedicated theft tool called ZAPIXDESK.

How does the malware get onto a victim system?

The attack begins with a phishing lure, then pushes the victim to download an archive. Opening that archive starts a shortcut-and-HTA execution chain that launches the next stage and eventually loads AGINGFLY.

Why is this campaign more serious than a simple infostealer attack?

Because it does not stop at stealing credentials. CERT-UA linked the campaign to reconnaissance, covert tunneling, persistence scripts, and full remote access tooling, which means attackers can expand inside a network after the first compromise.
