UAC-0247 Targets Ukrainian Clinics and Government Institutions Through a Sophisticated Malware Campaign

17.04.2026 3 minutes Author: Newsman

A new wave of cyberattacks targeting healthcare institutions and government agencies has been recorded in Ukraine. The UAC-0247 group uses complex, multi-stage infection chains to steal data from browsers and messengers, including WhatsApp.

Ukrainian healthcare facilities and other public institutions continue to be targeted by a growing number of sophisticated cyberattacks. Among the affected facilities were emergency departments and many healthcare centres. According to CERT-UA, the attacks were part of a broader effort to deploy malware designed to steal the credentials of users of Chromium-based web browsers and of the popular WhatsApp messenger.

This particular campaign took place between March and April 2026. Although the activity has been attributed to the previously identified threat actor UAC-0247, the true identity of the group behind it remains unknown.

The attacks start with a phishing email in which the attacker purports to offer free humanitarian aid. If the victim clicks the link, they land either on a legitimate website that was compromised through a cross-site scripting (XSS) vulnerability or on a fake website generated with the help of artificial intelligence.

Whichever way the victim reaches one of these sites, the goal is the same: to get them to download a .lnk (Windows shortcut) file. When the shortcut is executed, it launches the built-in Windows utility mshta.exe, which in turn runs an .hta file. The HTA displays what looks like a legitimate form to distract the user while the malicious code keeps running in the background.

From here the chain becomes more complex. The malware injects shellcode into legitimate running processes, including RuntimeBroker.exe, which helps it evade detection. Recent campaigns have also used a two-stage loader: the first stage runs and downloads a second stage in a native executable format that supports function imports and separates code from data. The final payload may additionally be compressed and encrypted.
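The chain above leaves a recognisable trace in endpoint telemetry: a user shell (Explorer, after the .lnk is double-clicked) spawning mshta.exe with a remote URL or .hta on its command line, followed by a remote thread being created in RuntimeBroker.exe. The following is an added example, not code from the original report or from CERT-UA; it runs two such rules over constructed, Sysmon-shaped process-creation (Event ID 1) and CreateRemoteThread (Event ID 8) records. The sample paths, the placeholder URL and the allow-lists are assumptions to be tuned to your own environment.

```python
"""Detect the mshta.exe / .hta launch and RuntimeBroker.exe injection described
above, over Sysmon-style events.  Added example; all events are constructed."""
import re
from pathlib import PureWindowsPath

# Constructed samples in the shape of Sysmon Event ID 1 (process creation)
# and Event ID 8 (CreateRemoteThread).  Paths and the URL are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "C:\\Windows\\Explorer.EXE"},
    # A .lnk double-clicked in Explorer shows up as explorer.exe spawning
    # mshta.exe with a remote or local .hta on the command line.
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://aid.example.invalid/form.hta'},
    # Sysmon records the injection step as a remote thread into RuntimeBroker.exe.
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\mshta.exe",
     "TargetImage": r"C:\Windows\System32\RuntimeBroker.exe"},
    # Look-alike noise that should not fire: an installer running its own HTA,
    # and csrss.exe, which legitimately creates threads in new processes.
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\wizard.hta"'},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\RuntimeBroker.exe"},
]

# Parents that indicate a user-driven launch (shortcut, console).
# Assumption: extend this set for your environment.
USER_SHELLS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
# csrss.exe is the usual benign source in Event 8; any other process creating
# a thread in RuntimeBroker.exe is flagged.
BENIGN_THREAD_SOURCES = {"csrss.exe"}
REMOTE_OR_HTA = re.compile(r"https?://|\.hta\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return (rule, detail) tuples for events matching the chain."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1 and basename(ev["Image"]) == "mshta.exe":
            if (basename(ev["ParentImage"]) in USER_SHELLS
                    and REMOTE_OR_HTA.search(ev["CommandLine"])):
                findings.append(("mshta_from_user_shell", ev["CommandLine"]))
        elif ev["EventID"] == 8 and basename(ev["TargetImage"]) == "runtimebroker.exe":
            if basename(ev["SourceImage"]) not in BENIGN_THREAD_SOURCES:
                findings.append(("remote_thread_into_runtimebroker", ev["SourceImage"]))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Both rules fire on the constructed sample, while the installer-launched HTA and the csrss.exe thread do not. In production the second rule is the higher-fidelity one: mshta.exe has no business creating threads in another process at all, so the source allow-list can stay very short.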

Once the attackers have gained access to a system, they install additional tools. Those identified include:

  • RAVENSHELL – a TCP reverse shell that executes remote commands via cmd

  • AGINGFLY – malware written in C# that gives the attackers full control over the operating system

  • SILENTLOOP – a PowerShell script that receives commands from the C2 via Telegram and executes them

Of particular interest, AGINGFLY uses WebSockets to exchange messages with its command-and-control (C2) server. Through it, the attackers can issue commands, activate a keylogger, retrieve files and load new modules.

The investigation found that the attackers did not stop at gaining access to a facility's computers. They also carried out internal network discovery and reconnaissance, moved laterally through the compromised network and stole sensitive data. Their initial interest was in accounts and sensitive data from Chromium-based web browsers and WhatsApp.

For this, a number of third-party tools were used:

  • ChromElevator – bypasses Chromium's protection to extract cookies and passwords

  • ZAPiXDESK – decrypts the local WhatsApp database

  • RustScan – fast network scanner

  • ligolong – tunneling application

  • chisel – TCP/UDP tunneling application

  • xmrig – cryptocurrency miner

CERT-UA also indicates that the Defence Forces of Ukraine may be among the targets. This was confirmed by cases in which malicious ZIP archives were distributed via the Signal messenger; the files inside launched AGINGFLY through DLL sideloading.
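DLL sideloading of the kind used in the Signal delivery leaves a distinctive image-load pattern: a program running from a user-writable directory (where an archive was unpacked) loads a DLL with a well-known system-DLL name from that same directory rather than from System32, and that DLL carries no valid signature. The following is an added example, not CERT-UA's or the report's own detection logic; it applies that heuristic to constructed, Sysmon-shaped ImageLoad (Event ID 7) records. The user names, paths, the "user-writable" pattern and the list of sideload-prone DLL names are assumptions for illustration and are not taken from the report.

```python
"""Flag the DLL-sideloading pattern described above (a program unpacked from an
archive loading a DLL from its own user-writable directory) over Sysmon-style
Event ID 7 (ImageLoad) records.  Added example; all events are constructed."""
import re
from pathlib import PureWindowsPath

# Constructed Event ID 7 samples.  User name, paths and file names are placeholders.
SAMPLE_LOADS = [
    # Archive contents run from Downloads: the host binary pulls an unsigned
    # DLL with a system-DLL name from its own directory.  Should fire.
    {"EventID": 7, "Image": r"C:\Users\olena\Downloads\aid\viewer.exe",
     "ImageLoaded": r"C:\Users\olena\Downloads\aid\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Same host loading the genuine DLL from System32: normal.
    {"EventID": 7, "Image": r"C:\Users\olena\Downloads\aid\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Installed software loading its own signed DLL from Program Files: normal.
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendor.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

# Directories a standard user can write to.  Assumption: extend for your estate.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\|programdata\\|windows\\temp\\)", re.IGNORECASE)
# System DLL names commonly abused for sideloading.  Illustrative list, not
# taken from the report; the real DLL used by AGINGFLY is not named there.
SIDELOAD_PRONE = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll",
                  "userenv.dll", "dwmapi.dll"}


def detect_sideload(events):
    """Return (rule, host_image, loaded_dll) tuples for suspicious loads."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        host = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        # PureWindowsPath compares case-insensitively, as Windows does.
        same_dir = host.parent == dll.parent
        untrusted = (ev.get("Signed", "false").lower() != "true"
                     or ev.get("SignatureStatus", "") != "Valid")
        if (same_dir and USER_WRITABLE.match(str(dll)) and untrusted
                and dll.name.lower() in SIDELOAD_PRONE):
            findings.append(("dll_sideload_from_user_dir", str(host), str(dll)))
    return findings


if __name__ == "__main__":
    for rule, host, dll in detect_sideload(SAMPLE_LOADS):
        print(f"{rule}: {host} loaded {dll}")
```

Only the first record matches. Requiring all four conditions (same directory, user-writable path, no valid signature, sideload-prone name) keeps the rule quiet on portable applications that legitimately ship their own signed DLLs; if your environment has unsigned in-house tools in user profiles, add them to an allow-list rather than relaxing the signature check.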
