Ukraine warns of campaign targeting clinics with malware that steals browser and WhatsApp data

Ukraine’s Computer Emergency Response Team said a March to April 2026 campaign targeted government and municipal healthcare institutions, mainly clinics and emergency hospitals, and may also have reached Defense Forces personnel, using malware to steal data from Chromium-based browsers and WhatsApp.

KEY FACTS

  • Target set: Clinics, emergency hospitals and some government institutions in Ukraine.
  • Initial lure: Emails posed as humanitarian aid proposals and pointed victims to malicious or compromised websites.
  • Observed tools: The campaign used LNK files, HTA files, shellcode loaders and remote access malware.
  • Data at risk: The attack chain was used to steal browser credentials, WhatsApp data and other sensitive information.
  • Defensive step: The advisory recommends restricting LNK, HTA and JS files and common Windows scripting tools.

The disclosure from Ukraine’s CERT-UA said the activity was tied to a cluster tracked as UAC-0247, with the campaign’s origins still unknown. The first stage started with an email that urged recipients to click a link that redirected to either a compromised site or a fake site built with AI tools.

In both cases, the goal was to download and run a Windows Shortcut (LNK) file that launched an HTA through mshta.exe. The HTA then showed a decoy form while fetching a second payload that injected shellcode into a legitimate process such as RuntimeBroker.exe.
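The two stages just described (a shortcut handing a remote HTA to mshta.exe, then shellcode landing in a legitimate process) leave a recognisable trail in endpoint telemetry. The following is an added example, not CERT-UA tooling or anything from the advisory: it correlates Sysmon-style process-creation and CreateRemoteThread records so that an injection whose source is a previously flagged script host is raised as one chained alert rather than two unrelated events. The event dictionaries, the pids, the lure hostname and the inclusion of wscript.exe and cscript.exe alongside mshta.exe are all constructed assumptions for the example.

```python
"""Correlate the LNK -> mshta.exe -> process-injection chain in Sysmon-style events.

Added example; not CERT-UA's code. The dictionaries mimic Sysmon Event ID 1
(process creation) and Event ID 8 (CreateRemoteThread) fields, but every value
is constructed for illustration.
"""
import re

# Constructed sample telemetry: benign activity plus one malicious chain.
SAMPLE_EVENTS = [
    # Benign: an ordinary editor launched from the shell.
    {"id": 1, "pid": 2200, "ppid": 3000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    # Stage 1: the shell resolves a .lnk whose target is mshta.exe with a remote .hta,
    # so mshta.exe appears as a child of explorer.exe with a URL on its command line.
    {"id": 1, "pid": 4100, "ppid": 3000, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://aid-proposal.invalid/form.hta"},
    # Stage 2: the payload fetched by the HTA injects into a legitimate process.
    {"id": 8, "source_pid": 4100, "source_image": r"C:\Windows\System32\mshta.exe",
     "target_pid": 5200, "target_image": r"C:\Windows\System32\RuntimeBroker.exe"},
    # Unrelated CreateRemoteThread from an admin tool; not part of the chain.
    {"id": 8, "source_pid": 6000, "source_image": r"C:\Tools\procexp64.exe",
     "target_pid": 2200, "target_image": r"C:\Windows\System32\notepad.exe"},
]

# Script hosts worth watching; mshta.exe is named on the page, the others are assumed.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# A URL or a .hta argument on a script host's command line.
REMOTE_HTA = re.compile(r"(https?://\S+|\S+\.hta)", re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_chain(events):
    """Return alerts for script-host launches and for injections sourced from them.

    'script_host_launch' fires when mshta/wscript/cscript starts with a URL or .hta
    argument (the LNK -> HTA stage). 'injection_from_script_host' fires when a
    CreateRemoteThread event names a flagged pid as its source (the shellcode stage).
    Events must be in chronological order, as they are in a real log.
    """
    alerts = []
    flagged_pids = {}
    for ev in events:
        if ev["id"] == 1 and basename(ev["image"]) in SCRIPT_HOSTS:
            m = REMOTE_HTA.search(ev["cmdline"])
            if m:
                flagged_pids[ev["pid"]] = ev
                alerts.append({"rule": "script_host_launch", "pid": ev["pid"],
                               "host": basename(ev["image"]), "arg": m.group(1)})
        elif ev["id"] == 8 and ev["source_pid"] in flagged_pids:
            alerts.append({"rule": "injection_from_script_host",
                           "pid": ev["source_pid"],
                           "target": basename(ev["target_image"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_EVENTS):
        print(alert)
```

The second rule deliberately keys on the source pid rather than on the target name, because the advisory says the injection target was "a legitimate process" with RuntimeBroker.exe as one instance; matching on the already suspicious parent keeps the logic valid if a different host process is chosen.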

The report said some incidents used a two-stage loader and a final payload that was compressed and encrypted. Other components included a reverse shell called RAVENSHELL, the AGINGFLY remote access malware, and a PowerShell script named SILENTLOOP that could run commands, update configuration and locate command and control servers.

Investigators also found open-source tools used for reconnaissance, lateral movement and data theft, including ChromElevator, ZAPiXDESK, RustScan, Ligolo-Ng, Chisel and XMRig. In a separate line of attack, malicious ZIP files sent through Signal were designed to drop AGINGFLY using DLL side-loading.

WHY IT MATTERS

The campaign shows how common file types and trusted system utilities can be used together to deliver malware into sensitive organizations. The disclosure also highlights the risk to communications and authentication data stored in browsers and messaging apps, especially when users are persuaded to open files from phishing messages.