Introduction
Modern cyber espionage campaigns are increasingly focused on data extraction rather than disruption. Instead of deploying ransomware or destructive payloads, attackers are quietly infiltrating systems to harvest credentials, communications, and sensitive operational data.
A newly uncovered campaign attributed to UAC-0247 reflects this shift. Targeting government agencies and healthcare institutions, this operation combines phishing, multi-stage malware, and specialized data extraction tools to conduct large-scale surveillance and intelligence gathering.
What makes this campaign particularly dangerous is its ability to operate silently within legitimate processes while extracting highly sensitive data from browsers and messaging platforms like WhatsApp.
What Happened
Ukraine’s national CERT (CERT-UA) disclosed a coordinated cyber campaign active between March and April 2026, targeting:
- Government organizations
- Municipal healthcare institutions
- Emergency hospitals
The attackers deployed malware specifically designed to:
- Steal data from Chromium-based browsers
- Extract information from WhatsApp desktop applications
The origin of the threat actor remains unclear, but the campaign shows signs of a well-organized espionage operation.
Why This Attack Is Different
This campaign is not focused on immediate impact; it is designed for:
- Long-term access
- Credential harvesting
- Intelligence gathering
Unlike traditional attacks, UAC-0247:
- Uses multi-stage loaders and custom malware formats
- Blends into legitimate system processes
- Prioritizes stealth and persistence over speed
This makes detection significantly more difficult and allows attackers to remain inside networks for extended periods.
How the Attack Chain Works
The UAC-0247 campaign follows a multi-stage infection chain.
Phishing Email Delivery
Victims receive emails disguised as humanitarian aid proposals, encouraging them to click malicious links.
Malicious Website Redirection
Links redirect to:
- Compromised legitimate websites (via XSS)
- Fake sites generated using AI tools
LNK File Execution
A ZIP archive is downloaded containing a malicious shortcut (LNK) file, which triggers execution when opened.
HTA Payload Execution
The LNK file launches mshta.exe, which executes a remote HTML Application (HTA) while displaying a decoy form.
Payload Deployment and Injection
A secondary payload injects shellcode into legitimate processes such as RuntimeBroker.exe, allowing stealthy execution under a trusted process name.
Command and Control Communication
The malware establishes communication with attacker infrastructure using:
- WebSockets
- TCP reverse shells
- Telegram-based fallback mechanisms
Understanding AGINGFLY Malware
At the core of this campaign is a custom backdoor called AGINGFLY.
This malware:
- Is written in C#
- Provides full remote control over infected systems
- Supports modular functionality and dynamic updates
Capabilities include:
- Command execution
- Keylogging
- File exfiltration
- Screenshot capture
- Deployment of additional payloads
Its modular design allows attackers to adapt behavior in real time, making it highly flexible and difficult to analyze.
How Data Is Stolen
The primary goal of this campaign is data exfiltration.
Attackers use specialized tools such as:
ChromElevator
- Extracts cookies and saved credentials
- Bypasses Chromium browser encryption protections
ZAPiXDESK
- Decrypts WhatsApp desktop databases
- Extracts sensitive communication data
These tools allow attackers to gain access to:
- Login credentials
- Session tokens
- Private communications
Common Techniques Used in the Campaign
The UAC-0247 operation combines multiple advanced techniques.
Phishing and Social Engineering
Humanitarian-themed emails increase user trust.
Living-Off-the-Land Techniques
Abuse of legitimate tools such as:
- mshta.exe
- PowerShell
- wscript.exe
Fileless Execution
Payloads are executed in memory to avoid detection.
Credential Harvesting
Browser and messaging data are extracted using specialized tools.
Lateral Movement and Reconnaissance
Tools like RustScan and tunneling utilities enable network expansion.
Encrypted Command and Control
Multiple communication channels ensure resilience.
Why This Campaign Is Dangerous
This campaign introduces several critical risks.
Stealthy Operation
Malware runs within legitimate processes, avoiding detection.
High-Value Data Targeting
Focus on credentials and communications rather than disruption.
Multi-Stage Architecture
Layered payloads make analysis and response difficult.
Resilient Infrastructure
Fallback C2 mechanisms ensure persistence.
Because the attack prioritizes data over visibility, organizations may remain compromised without realizing it.
Who Is Being Targeted
The campaign primarily targets:
- Government agencies
- Healthcare institutions
- Emergency response organizations
- Defense-related personnel
These sectors are high-value due to their access to sensitive operational and strategic information.
Potential Impact on Organizations
If successful, this campaign can lead to:
- Credential compromise and account takeover
- Exposure of sensitive communications
- Intelligence gathering and espionage
- Lateral movement across networks
- Long-term persistent access
Because messaging platforms like WhatsApp are involved, attackers can gain insight into internal and external communications.
What Organizations Should Do Now
Organizations must take immediate defensive measures.
Recommended actions include:
- Restrict execution of LNK, HTA, and script files
- Limit use of tools like mshta.exe and PowerShell
- Implement strong email filtering and phishing detection
- Enforce multi-factor authentication
- Monitor access to browser and messaging data
Reducing initial access vectors is critical.
Detection and Monitoring Strategies
Security teams should monitor for:
- Execution of LNK files from user directories
- mshta.exe activity
- Unusual access to browser credential stores
- WhatsApp database access anomalies
- Suspicious outbound connections
Behavior-based detection is essential due to the stealthy nature of the attack.
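The following is an added example, not code from the article or from CERT-UA: a small set of behaviour rules covering the indicators the attack chain and the monitoring list above describe (LNK launched from a user directory, mshta.exe fetching a remote HTA, a non-browser process reading a browser or WhatsApp data store, and RuntimeBroker.exe opening an outbound connection), run over constructed telemetry. The event field layout, the sample paths and the WhatsApp path fragment are assumptions made for illustration, not any real EDR schema.

```python
import re

# Constructed sample telemetry (not from the report). Field names are an
# assumption, not a real EDR/Sysmon schema; IPs are documentation ranges.
EVENTS = [
    {"kind": "process", "image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\explorer.exe" C:\Users\anna\Downloads\aid_proposal.lnk'},
    {"kind": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe https://example.invalid/form.hta"},
    {"kind": "file", "image": r"C:\Windows\System32\RuntimeBroker.exe",
     "path": r"C:\Users\anna\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"kind": "network", "image": r"C:\Windows\System32\RuntimeBroker.exe",
     "dest": "203.0.113.7:443"},
    {"kind": "network", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dest": "198.51.100.4:443"},
]

# Chromium credential/cookie store file names plus a WhatsApp desktop database.
# The "\WhatsApp\*.db" fragment is an assumption for illustration only.
SENSITIVE_STORES = re.compile(
    r"\\(Login Data|Web Data|Cookies)$|\\WhatsApp\\.*\.db$", re.IGNORECASE)
BROWSERS = ("chrome.exe", "msedge.exe", "brave.exe")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, image) pairs for each event matching one of the rules."""
    alerts = []
    for e in events:
        img = basename(e["image"])
        cmd = e.get("cmdline", "")
        # Rule 1: a .lnk under \Users\ passed on a command line (LNK from user dir).
        if e["kind"] == "process" and re.search(r'\\Users\\[^"]*\.lnk\b', cmd, re.I):
            alerts.append(("lnk_from_user_dir", img))
        # Rule 2: mshta.exe given a URL, i.e. executing a remote HTA.
        if e["kind"] == "process" and img == "mshta.exe" and re.search(r"https?://", cmd, re.I):
            alerts.append(("mshta_remote_hta", img))
        # Rule 3: something other than a browser touching a credential/message store.
        if e["kind"] == "file" and img not in BROWSERS and SENSITIVE_STORES.search(e["path"]):
            alerts.append(("non_browser_reads_credential_store", img))
        # Rule 4: RuntimeBroker.exe is a local COM broker; an outbound connection
        # from it is treated as a sign of injected code (heuristic, tune per estate).
        if e["kind"] == "network" and img == "runtimebroker.exe":
            alerts.append(("runtimebroker_outbound", img))
    return alerts
```

Each rule fires independently, so in practice they would be correlated by host and time window rather than alerted on one by one.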
The Role of Penetration Testing
Penetration testing can help identify exposure to this type of campaign.
Testing should include:
- Phishing simulation exercises
- Credential harvesting scenarios
- Endpoint detection validation
- Lateral movement simulations
These exercises help organizations understand real-world attack paths.
Key Takeaway
The UAC-0247 campaign highlights a growing trend in cyber threats, where attackers focus on stealthy data exfiltration rather than immediate disruption. By targeting browser credentials and messaging platforms like WhatsApp, threat actors can gain deep visibility into organizational operations.
Organizations must prioritize identity security, endpoint monitoring, and user awareness to defend against this evolving class of espionage-driven cyberattacks.