U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

APT

From clinics to government: UAC-0247 expands cyber campaign across Ukraine

CERT-UA reports UAC-0247 targeting Ukrainian clinics and government bodies with malware stealing data from Chromium browsers and WhatsApp. CERT-UA has revealed a cyber campaign by the threat actor UAC-0247 targeting Ukrainian government entities and municipal healthcare facilities, including clinics and emergency hospitals. The operation between March and April 2026, used malware designed to steal sensitive […]

UAC-0247

CERT-UA reports UAC-0247 targeting Ukrainian clinics and government bodies with malware stealing data from Chromium browsers and WhatsApp.

CERT-UA has revealed a cyber campaign by the threat actor UAC-0247 targeting Ukrainian government entities and municipal healthcare facilities, including clinics and emergency hospitals. The operation between March and April 2026, used malware designed to steal sensitive data from Chromium-based browsers and WhatsApp. The origin of the threat actor remains unclear, raising concerns about ongoing espionage risks.

The attack begins with a phishing email posing as a humanitarian aid proposal, prompting the victim to click a link. To appear credible, attackers may use AI-generated fake websites or exploit legitimate sites vulnerable to XSS attacks.

Clicking the link downloads an archive containing a shortcut file that triggers an HTA execution chain. This retrieves a remote HTA file showing a decoy form while silently launching an EXE via a scheduled task.

The malware injects shellcode into legitimate processes like RuntimeBroker.exe. Recent variants use a two-stage loader with a custom executable format, delivering a compressed and encrypted payload. A reverse shell, often similar to RAVENSHELL, establishes a TCP connection with the command server, encrypts traffic via XOR, and executes commands.

“A typical TCP reverse shell or an analogue classified as RAVENSHELL can be used as stagers, which provides for establishing a TCP connection with the management server, encrypting traffic using 9-byte XOR (key: “01 01 02 03 74 15 04 FF EE”; during the first connection, an XOR-encrypted message “Connected!” is transmitted), as well as executing commands using CMD.” reads the report published by CERT-UA.

For persistence, the attackers deployed the malware AGINGFLY alongside a PowerShell script, SILENTLOOP, which manages commands, updates configuration, and retrieves C2 server data via Telegram with backup mechanisms.

AGINGFLY is a C# malware used to remotely control infected computers. It can run commands, download files, take screenshots, log keystrokes, and execute code. It communicates with its control server via encrypted web sockets using AES-CBC. Unlike typical malware, it doesn’t store command functions locally, instead, it downloads them from the server and compiles them on the fly, making it more flexible and harder to detect.

CERT-UA experts analyzed multiple incidents, discovering that attackers stole credentials from browsers using CHROMELEVATOR and from WhatsApp via ZAPIXDESK, while also conducting reconnaissance and lateral movement within networks. They employ subnet scanners and tools like RUSTSCAN, and create covert tunnels using LIGOLO-NG and CHISEL. In one case, an XMRIG miner was deployed via a modified WIREGUARD executable. Targets include Ukrainian Defense personnel, with malware spread through a fake “BACHU” tool shared on Signal, leveraging DLL side-loading to deploy AGINGFLY.

“To reduce the likelihood of a cyberthreat, it is enough to limit the launch of LNK, HTA, and JS files, as well as legitimate utilities mshta.exe, powershell.exe, and wscript.exe, the necessity of which has been repeatedly emphasized in the context of reducing the attack surface by using standard operating system protection mechanisms.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CERT-UA)