Ukraine's Computer Emergency Response Team (CERT-UA) has confirmed a surge of targeted cyberattacks against Ukrainian local governments and municipal healthcare institutions, including clinical and ambulance hospitals, attributed to threat cluster UAC-0247. The campaign, active between March and April 2026, focused on browser credential harvesting and WhatsApp data theft, leveraging encrypted reverse shells and a C#-based remote administration tool for full endpoint control.

What Happened

Between March and April 2026, UAC-0247 operators executed a coordinated phishing campaign targeting Ukrainian municipal bodies and healthcare providers. Victims received carefully crafted emails themed around humanitarian aid proposals, which linked to malicious web resources. In some instances, attackers stood up entirely fake nonprofit websites generated with AI tooling; in others, they exploited cross-site scripting (XSS) flaws in legitimate but vulnerable third-party sites to host their payloads. Clicking the link delivered an archive containing an .LNK shortcut that, when opened, invoked mshta.exe to execute a remote HTA script, displaying a decoy form while silently staging an executable via a scheduled task.

What Was Taken

The campaign's primary objective was exfiltration of sensitive user data from compromised endpoints. UAC-0247 specifically targeted browser-stored credentials, session cookies, and saved authentication tokens, as well as WhatsApp desktop data, which can include message history, contacts, and media. Given the victim profile of municipal hospitals and local government offices, the stolen material likely includes internal administrative credentials, patient coordination data, and communications tied to healthcare logistics and emergency response operations.

Why It Matters

This campaign demonstrates continued pressure on Ukraine's civilian infrastructure, with a deliberate focus on healthcare organizations whose disruption carries immediate life-safety implications. The use of AI-generated fake nonprofit websites raises the bar for user-level detection, and the shift to runtime-compiled command handlers via AGINGFLY means conventional signature-based defenses are unlikely to catch post-exploitation activity. For defenders outside Ukraine, the tradecraft on display, particularly Telegram-based C2 and dynamically compiled command handlers, is readily portable to other threat actors targeting the healthcare and public sector verticals.

The Attack Technique

The intrusion chain begins with humanitarian-aid phishing lures leading to a downloaded archive with an .LNK file. Execution triggers mshta.exe against a remote HTA script, which deploys an executable payload through a scheduled task. A two-stage loader follows, with the second stage using a proprietary executable format that supports custom code sections, dynamic imports, and relocations. The final payload drops RAVENSHELL, a TCP reverse shell that encrypts traffic using a 9-byte XOR key and issues a "Connected!" beacon before executing commands via CMD. Operators then deploy AGINGFLY, a C# remote administration tool offering command execution, file transfer, screenshot capture, keylogging, and arbitrary code execution over encrypted WebSocket channels, with command handlers downloaded as source and compiled at runtime. A PowerShell component, SILENTLOOP, maintains backup C2 through Telegram channels and updates configuration automatically.
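As an added illustration (not CERT-UA's or the malware's code), the following Python shows how an analyst can triage and decode a captured RAVENSHELL-style session using only the two facts above: a 9-byte XOR key and a leading "Connected!" beacon. It assumes the key is applied as a repeating XOR stream and that the beacon itself is sent through that stream; the sample capture and key are constructed for the example.

```python
"""Triage and decode a captured RAVENSHELL-style TCP stream.

Added example, not CERT-UA's or the malware's code. Assumptions (labelled):
the 9-byte key is used as a repeating XOR keystream, and the first
plaintext the implant sends is the literal "Connected!" beacon.
"""
from typing import Optional

BEACON = b"Connected!"   # 10 bytes, one more than the 9-byte key
KEY_LEN = 9


def looks_like_beacon(ciphertext: bytes) -> bool:
    """Key-independent check for network detection: with a repeating 9-byte key,
    ciphertext bytes 0 and 9 are XORed with the same key byte, so
    ct[0] ^ ct[9] must equal 'C' ^ '!' regardless of the key value."""
    if len(ciphertext) < len(BEACON):
        return False
    return ciphertext[0] ^ ciphertext[9] == BEACON[0] ^ BEACON[9]


def recover_key(ciphertext: bytes) -> Optional[bytes]:
    """Known-plaintext recovery for IR: key[i] = ct[i] ^ pt[i]. The 10-byte
    beacon covers all nine key positions, so the whole key falls out."""
    if not looks_like_beacon(ciphertext):
        return None
    return bytes(ciphertext[i] ^ BEACON[i] for i in range(KEY_LEN))


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_session(ciphertext: bytes) -> Optional[str]:
    """Recover the key from the beacon and decode the rest of the session
    (the operator's CMD commands) for review. Returns None if no beacon."""
    key = recover_key(ciphertext)
    if key is None:
        return None
    return xor_stream(ciphertext, key).decode("latin-1")


# Constructed sample capture built with a throwaway key (not a real IoC).
SAMPLE_KEY = bytes.fromhex("1f3ac2d4e5a67b8c90")
SAMPLE_CAPTURE = xor_stream(b"Connected!whoami\r\n", SAMPLE_KEY)

if __name__ == "__main__":
    print(decode_session(SAMPLE_CAPTURE))   # prints the beacon and the command
```

The `looks_like_beacon` invariant is cheap enough to run over the first ten bytes of every new outbound TCP stream as a sensor rule; `decode_session` is the follow-up step on a pcap once a hit is confirmed.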

What Organizations Should Do

Sources: UAC-0247 Hits Hospitals, Governments With Browser and WhatsApp Data Theft