UAC-0247 Targets Ukrainian Clinics and Government in Data-Theft Malware Campaign

The Computer Emergency Response Team of Ukraine (CERT-UA) has identified a sophisticated malware campaign by the threat actor UAC-0247 that targets government and healthcare institutions to steal sensitive browser and messaging data.

Key Points

  • Threat actor UAC-0247 targeted Ukrainian government and healthcare entities between March and April 2026 using humanitarian-themed phishing emails.
  • The attack chain utilizes LNK files and the mshta.exe utility to deploy malicious payloads, including the AGINGFLY remote control tool and RAVENSHELL.
  • Attackers employ specialized tools like ChromElevator and ZAPiXDESK to bypass encryption and extract credentials from Chromium browsers and WhatsApp.
  • The campaign uses AI-generated websites and compromised legitimate sites to redirect victims toward malicious downloads.
  • Evidence suggests the group also targeted Ukrainian Defense Forces via Signal by distributing ZIP archives that utilize DLL side-loading techniques.
  • CERT-UA recommends restricting the execution of LNK, HTA, and PowerShell files to mitigate the risk of system compromise and data exfiltration.

Why it Matters

This campaign highlights a significant escalation in targeted cyber espionage against critical infrastructure and defense personnel using advanced, multi-stage malware. By focusing on credential theft from widely used browsers and messaging platforms, the attackers pose a severe risk to both operational security and the privacy of sensitive government communications.
Published by info@thehackernews.com (The Hacker News)