PROBABLYPWNED
Threat Intelligence · April 17, 2026 · 4 min read

UAC-0247 Targets Ukrainian Hospitals With Data-Theft Malware

CERT-UA warns of ongoing campaign hitting Ukrainian clinics and government agencies with AGINGFLY backdoor. Attackers steal browser credentials, WhatsApp data, and deploy cryptominers.

Alex Kowalski

Ukraine's Computer Emergency Response Team has disclosed an active campaign targeting government agencies and healthcare facilities with custom malware designed to steal browser credentials and WhatsApp data. The threat cluster, tracked as UAC-0247, has focused heavily on clinics and emergency hospitals since March 2026.

The campaign employs multiple custom tools—AGINGFLY for remote access, CHROMELEVATOR for browser credential theft, and ZAPIXDESK for WhatsApp database exfiltration. Evidence suggests Ukrainian Armed Forces representatives may also have been targeted.

Attack Chain

UAC-0247 initiates attacks through phishing emails claiming to offer humanitarian aid. The social engineering is tailored to healthcare workers dealing with ongoing wartime pressures.

Recipients who click embedded links land on one of two destination types: legitimate websites compromised via cross-site scripting vulnerabilities, or convincing fake sites generated with AI tools. Both serve malicious Windows shortcut files (.LNK) that execute via mshta.exe.

The shortcut files fetch remote HTML Application (HTA) payloads that perform dual functions—displaying decoy humanitarian aid forms to maintain the ruse while silently injecting shellcode into the legitimate Windows process runtimeBroker.exe.

This process hollowing technique lets the malware operate within a trusted system process, evading security tools that monitor for suspicious executables.

AGINGFLY and Supporting Malware

AGINGFLY serves as the primary remote access tool. The C# backdoor communicates with command-and-control servers over encrypted WebSocket connections, providing operators with:

  • Remote command execution
  • Keylogging capabilities
  • File upload and download
  • Screenshot capture
  • Deployment of additional payloads

SILENTLOOP handles persistence and C2 updates through PowerShell. The script retrieves updated command server addresses from Telegram channels, making infrastructure changes trivial for operators while complicating defender tracking.

CHROMELEVATOR specifically targets Chromium-based browsers, bypassing Application-Bound Encryption to extract saved passwords and session cookies. We've seen similar ABE bypass techniques gain popularity among infostealers this year.

ZAPIXDESK handles WhatsApp database decryption, extracting message history and contact information from desktop installations.

Additional Tools and Monetization

Beyond data theft, UAC-0247 operators deploy network reconnaissance and tunneling utilities:

  • RustScan for network enumeration
  • Ligolo-Ng for creating network tunnels
  • Chisel for proxy connections

The attackers also deploy XMRig cryptocurrency miners on compromised systems, monetizing access while maintaining presence. This dual-purpose approach—espionage combined with cryptomining—has become common among threat actors seeking to maximize value from each compromise.

Targeting Healthcare

Healthcare remains a consistent target for threat actors during wartime. Hospitals manage sensitive patient data, operate under extreme pressure, and often lack robust security resources. The humanitarian aid lure exploits this context directly.

This campaign follows patterns we've tracked in Iranian attacks on critical infrastructure, where adversaries specifically target sectors under stress. Ukrainian medical facilities have faced relentless cyber pressure since the 2022 invasion began.

CERT-UA has not attributed UAC-0247 to a specific nation-state, though the targeting profile aligns with Russian operational priorities. The use of Telegram for C2 updates and AI-generated phishing sites suggests operators with moderate technical sophistication.

Why This Matters

Healthcare sector attacks during active conflict raise serious humanitarian concerns. Disrupting emergency hospitals or exposing patient data compounds existing wartime pressures. The WhatsApp exfiltration component suggests interest in personal communications beyond clinical data.

For organizations outside Ukraine, the techniques merit attention. The ABE bypass tools, process hollowing methods, and Telegram-based C2 updates represent reusable capabilities that may appear in other campaigns. Security teams should ensure endpoint detection covers mshta.exe abuse and monitor for unexpected WebSocket connections from browser or system processes.

Recommendations

Organizations in healthcare and government sectors should:

  1. Filter mshta.exe execution - Block or monitor execution of HTA files from internet sources
  2. Review Telegram access - The platform's use for C2 updates makes it a potential indicator
  3. Deploy browser credential monitoring - Detect attempts to access Chrome's encryption keys or credential stores
  4. Train staff on targeted phishing - Humanitarian aid themes require specific awareness training
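A toy detection pass that covers the two endpoint indicators the article calls out (mshta.exe launched with a remote HTA, and runtimeBroker.exe behaving as an injection host), run over constructed Sysmon-style events. This is an added example, not code from CERT-UA or this article; it assumes a baseline where RuntimeBroker.exe is parented by svchost.exe and does not initiate outbound connections, and the hostnames and addresses are placeholders.

```python
import re

# HTA referenced by URL or UNC path; purely local .hta paths are not flagged by this rule.
REMOTE_HTA = re.compile(r"https?://\S+|\\\\\S+\.hta", re.IGNORECASE)

# Constructed Sysmon-style events (id 1 = process create, id 3 = network connect).
# Illustrative records only, not telemetry from the CERT-UA investigation.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" http://aid-form.invalid/form.hta'},
    {"id": 1, "image": r"C:\Windows\System32\RuntimeBroker.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"C:\Windows\System32\RuntimeBroker.exe -Embedding"},
    {"id": 3, "image": r"C:\Windows\System32\RuntimeBroker.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"id": 1, "image": r"C:\Windows\System32\RuntimeBroker.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\RuntimeBroker.exe -Embedding"},
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" C:\Tools\local-admin-page.hta'},
]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def is_internal(ip: str) -> bool:
    # Simplified private/loopback check; replace with your own address inventory.
    return ip.startswith(("10.", "192.168.", "127."))

def check_event(ev: dict) -> list:
    """Return alert strings for one event (empty list means nothing matched)."""
    alerts = []
    img = basename(ev["image"])
    if ev["id"] == 1:
        parent = basename(ev.get("parent", ""))
        if img == "mshta.exe" and REMOTE_HTA.search(ev["cmdline"]):
            alerts.append("mshta.exe launched with a remote HTA")
        if parent == "mshta.exe":
            alerts.append(f"{img} spawned by mshta.exe")
        # Assumption: on a healthy host RuntimeBroker.exe is parented by svchost.exe.
        if img == "runtimebroker.exe" and parent != "svchost.exe":
            alerts.append(f"RuntimeBroker.exe with unexpected parent {parent or 'unknown'}")
    elif ev["id"] == 3:
        # Assumption: RuntimeBroker.exe has no business reaching external hosts.
        if img == "runtimebroker.exe" and not is_internal(ev["dest_ip"]):
            alerts.append(f"RuntimeBroker.exe outbound to {ev['dest_ip']}:{ev['dest_port']}")
    return alerts

def scan(events) -> list:
    """Run every event through check_event and return (event index, alert) pairs."""
    return [(i, a) for i, ev in enumerate(events) for a in check_event(ev)]
```

Running scan(SAMPLE_EVENTS) flags the remote HTA launch, both anomalies on the mshta-parented RuntimeBroker.exe, and its outbound connection, while the svchost-parented RuntimeBroker.exe and the local HTA stay quiet.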

CERT-UA continues monitoring UAC-0247 activity and will publish additional indicators as the investigation develops.
