UAC-0247 Attack Steals WhatsApp & Browser Data

Cyberattacks on healthcare and government sectors are becoming more targeted—and more dangerous.

A newly observed campaign tracked as UAC-0247 is actively targeting municipal governments and healthcare institutions, including hospitals and emergency services, with a focus on stealing browser credentials and WhatsApp data.

But this isn’t just data theft.

👉 The attackers are quietly moving inside networks, expanding access, and maintaining persistence—turning initial compromise into long-term control.

For SOC teams, CISOs, and incident responders, this campaign highlights a critical trend:
multi-stage attacks blending social engineering, living-off-the-land techniques, and modular malware.

What Is the UAC-0247 Campaign?

The UAC-0247 attack campaign is a targeted cyber operation focused on:

Government agencies
Healthcare institutions
Defense-related personnel

Key Objectives

Steal sensitive communication data
Harvest credentials from browsers
Conduct internal network reconnaissance
Maintain persistent access

Initial Access: Social Engineering at Scale

1. Deceptive Email Lures

Attackers initiate contact using:

Humanitarian aid-themed emails
Social engineering to build trust

2. Malicious Link Delivery

Victims are redirected to:

AI-generated fake websites
or
Legitimate websites with XSS vulnerabilities

3. Archive File Download

Clicking the link downloads a malicious archive
Appears legitimate to the user

Execution Chain: From Click to Compromise

Step-by-Step Attack Flow

User opens archive
Shortcut (LNK) file executes
Launches mshta.exe
Pulls remote HTA payload
Executes background process
Drops malicious executable via scheduled task

👉 All while a decoy interface distracts the user

Malware Arsenal Used in the Campaign

1. AGINGFLY (Core RAT)

A powerful remote access trojan with capabilities:

Command execution
File download/upload
Screenshot capture
Keylogging
In-memory execution

Unique Feature

Downloads command handlers dynamically
Compiles them on the victim machine

2. CHROMELEVATOR

Extracts browser credentials
Targets stored authentication data

3. ZAPIXDESK

Specifically targets WhatsApp data
Extracts communication and user data

4. SILENTLOOP (Persistence Mechanism)

PowerShell-based backdoor
Retrieves C2 IPs via Telegram
Supports fallback communication channels

5. Network Recon Tools

RUSTSCAN
Subnet scanners

Used for:

Internal network mapping
Lateral movement preparation

6. Tunneling Tools

LIGOLO-NG
CHISEL

Enable:

Hidden communication channels
Bypassing network defenses

7. Additional Payloads

XMRIG miner (cryptomining)
WireGuard abuse for stealth execution

Command-and-Control (C2) Communication

Uses WebSockets
Encrypted with AES-CBC
Static encryption key

Additional Access Methods

TCP reverse shell
RAVENSHELL (XOR-encrypted communication)

Real-World Impact

Healthcare Sector Risk

Exposure of patient data
Disruption to emergency services

Government Impact

Compromise of sensitive communications
Intelligence leakage

Defense Sector Exposure

Targeting of drone operators
Operational data theft

Why This Campaign Is Effective

1. Multi-Stage Attack Chain

Each stage designed to evade detection

2. Living-off-the-Land Techniques

Abuses legitimate tools:

mshta.exe
powershell.exe
wscript.exe

3. Modular Malware Design

Dynamic payload execution
Harder to detect via signatures

4. Encrypted C2 Channels

Obfuscates attacker communication

Common Mistakes Organizations Make

❌ Allowing Script Execution by Default

HTA, LNK, JS files remain enabled

❌ Overlooking Messaging Platforms

WhatsApp data not monitored or protected

❌ Weak Email Filtering

Malicious links bypass detection

❌ Lack of Network Visibility

Internal reconnaissance goes unnoticed

Best Practices to Defend Against UAC-0247

1. Restrict Script Execution

Block or limit:

LNK files
HTA files
JavaScript execution

2. Harden Endpoint Controls

Restrict use of:
- mshta.exe
- powershell.exe
- wscript.exe

3. Strengthen Email Security

Detect phishing attempts
Block malicious URLs

4. Monitor Network Activity

Detect scanning tools
Identify unusual lateral movement

5. Protect Communication Apps

Secure WhatsApp usage
Monitor data exfiltration

6. Implement Threat Detection

Use EDR/XDR solutions
Focus on behavioral indicators

Framework Alignment

MITRE ATT&CK

Initial Access: Phishing
Execution: Command & scripting interpreter
Persistence: Scheduled tasks
Exfiltration: Encrypted channels

NIST Cybersecurity Framework

Detect: Monitor anomalies
Protect: Endpoint hardening
Respond: Incident containment

Expert Insight: The Rise of Multi-Channel Data Theft

This campaign reflects a broader trend:

Attackers are targeting both enterprise systems and personal communication platforms simultaneously.

Strategic Takeaways

Data theft is no longer limited to corporate systems
Messaging apps are now high-value targets
Multi-layered defense is essential

FAQs

1. What is the UAC-0247 campaign?

A targeted cyberattack stealing browser and WhatsApp data from government and healthcare sectors.

2. What malware is used?

AGINGFLY, CHROMELEVATOR, ZAPIXDESK, and SILENTLOOP.

3. How does the attack start?

Through phishing emails and malicious links.

4. What data is targeted?

Browser credentials, WhatsApp data, and internal network information.

5. How can organizations defend against it?

By restricting scripts, monitoring endpoints, and strengthening email security.

6. Why is WhatsApp targeted?

Because it contains sensitive communications and is often less monitored.

Conclusion

The UAC-0247 attack campaign demonstrates how modern threat actors combine social engineering, modular malware, and legitimate tools to execute highly effective operations.

Key Takeaways

Multi-stage attacks are harder to detect
Messaging platforms are now prime targets
Endpoint and network visibility are critical

Organizations must adopt proactive, behavior-based security strategies to detect and stop threats before they escalate.