Ukrainian cyber defenders reported a newly intensified cyber campaign that is targeting Ukraine’s healthcare system and local government agencies, with attackers deploying increasingly sophisticated malware and social engineering tactics.
In a fresh advisory, the CERT-UA said the activity—linked to a threat cluster tracked as UAC-0247—spiked between March and April 2026, with clinical hospitals, emergency services, and municipal bodies bearing the brunt of the attacks.
UAC-0247 Used Humanitarian Aid Lures as Entry Point
The campaign begins with phishing emails disguised as offers of humanitarian assistance—a tactic designed to exploit trust during wartime conditions. Victims are urged to click on links that appear legitimate, sometimes backed by convincingly crafted fake websites or compromised third-party resources.
Behind the scenes, however, the links trigger a multi-stage infection chain that ultimately gives attackers remote control over the victim’s system.
Once clicked, victims download an archive containing a malicious shortcut file. This file activates a built-in Windows tool to execute remote code, initiating a sequence that includes decoy documents to avoid suspicion.
Also read: Hackers Impersonate Ukrainian CERT to Plant a RAT on Government, Hospital Networks
The attack escalates quickly. Malicious executables are deployed via scheduled tasks, injecting code into legitimate system processes such as RuntimeBroker.exe to evade detection.
Recent campaigns show an evolution in sophistication, with attackers introducing multi-stage loaders and custom executable formats. Payloads are often encrypted and compressed, making analysis and detection more difficult.
At later stages, attackers deploy reverse shell tools—including variants resembling “RAVENSHELL”—to establish encrypted communication with command-and-control servers and execute remote commands.
Persistent Access and Remote Control
To maintain long-term access, attackers install a custom backdoor known as AGINGFLY, a C#-based malware designed for full remote system control. The tool enables:
- Command execution
- File exfiltration
- Screenshot capture
- Keylogging
Unlike conventional malware, AGINGFLY dynamically retrieves and compiles its command logic from remote servers, making it more adaptable and harder to detect.
Complementing this is a PowerShell-based tool dubbed SILENTLOOP, which helps maintain persistence and retrieves command server addresses—sometimes even pulling them from Telegram channels.
Credential Theft and Lateral Movement
Once inside a network, attackers move quickly to expand access. CERT-UA observed tools like CHROMELEVATOR being used to extract browser credentials, while ZAPIXDESK targets WhatsApp data.
The attackers also conduct internal reconnaissance using both custom scripts and publicly available tools such as RUSTSCAN. For stealthy movement across networks, tunneling tools like LIGOLO-NG and CHISEL are deployed.
In at least one case, attackers went further—embedding the XMRIG cryptocurrency miner inside a modified version of the legitimate WireGuard application, highlighting a secondary motive of financial gain.
Military Targets Also in Scope
The campaign isn’t limited to civilian infrastructure. CERT-UA noted an incident in March where individuals connected to Ukraine’s defense sector were targeted via the Signal platform.
Attackers distributed a trojanized version of software used by FPV drone operators, packaged as a seemingly legitimate update. In reality, the download triggered a DLL side-loading attack that installed the AGINGFLY backdoor.
CERT-UA recommends reducing exposure by restricting the execution of high-risk file types such as LNK, HTA, and JavaScript files. The agency also urges organizations to limit the use of native Windows tools like mshta.exe and PowerShell where possible, as these are frequently abused in attacks.
