Healthcare systems and government institutions are increasingly becoming prime targets for advanced cyber espionage groups. A recent campaign attributed to UAC-0247 has triggered serious concern after targeting hospitals and municipal agencies across Ukraine, focusing on stealing sensitive browser credentials and WhatsApp communications.
Between March and April 2026, the group launched a highly coordinated attack chain combining phishing emails, fake humanitarian portals, and multi-stage malware deployment designed for stealth and persistence.
For cybersecurity teams, this campaign reinforces a critical reality:
👉 Modern attackers don’t just breach systems—they infiltrate communication channels and extract identity-level data.
In this article, you’ll learn:
- How UAC-0247 attacks hospitals and governments
- The malware chain behind browser and WhatsApp data theft
- Real-world tools used in the campaign
- Risks to critical infrastructure
- Best practices to defend against similar threats
What Is the UAC-0247 Attack Campaign?
Overview of the Threat Group
UAC-0247 is the identifier CERT-UA uses for an advanced threat actor conducting targeted cyberattacks against:
- Hospitals and clinical infrastructure
- Municipal and government agencies
- Defense-related organizations
Primary Objectives
The campaign focuses on:
- Credential theft from browsers
- WhatsApp data extraction
- Lateral movement inside networks
- Long-term persistence
How the Attack Works
Step-by-Step Infection Chain
1. Phishing Email Delivery
   - Disguised as humanitarian aid proposals
   - Targets hospital and government staff
2. Malicious Link Clicked
   - Redirects to compromised legitimate websites
   - Some pages use AI-generated fake portals
3. Payload Download
   - Victim downloads a compressed archive
   - Contains a malicious LNK shortcut file
4. Execution Chain Triggered
   - LNK file launches an HTA script
   - Decoy form displayed to avoid suspicion
   - Scheduled task executes the payload
5. System Compromise
   - Shellcode injected into RuntimeBroker.exe
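The chain above leaves a recognisable footprint in endpoint telemetry: explorer.exe (the LNK handler) spawning a script host with an .hta argument, that script host creating a scheduled task, and later a remote thread landing in RuntimeBroker.exe. The following is an added example, not code from the original article or from CERT-UA, that correlates those three stages over constructed Sysmon-style records (EID 1 process creation, EID 8 CreateRemoteThread). Host names, user name, paths, task name and the TRUSTED_INJECTORS allow-list are assumptions for illustration.

```python
"""Correlate Sysmon-style events into the LNK -> HTA -> scheduled task -> injection chain.

Added example; the records below are constructed, not telemetry from the campaign.
"""
from datetime import datetime, timedelta

# Constructed sample records in a reduced Sysmon shape: eid 1 = process create,
# eid 8 = CreateRemoteThread. Hosts, user name and paths are made up.
SAMPLE_EVENTS = [
    {"ts": "2026-03-12T09:14:02", "host": "WS-ONC-07", "eid": 1,
     "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Windows\System32\mshta.exe" C:\Users\olena\Downloads\aid_form\proposal.hta'},
    {"ts": "2026-03-12T09:14:05", "host": "WS-ONC-07", "eid": 1,
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmd": r'schtasks /create /sc minute /mo 5 /tn "OneDriveSync" /tr "wscript.exe C:\Users\olena\AppData\Roaming\upd.js" /f'},
    {"ts": "2026-03-12T09:19:11", "host": "WS-ONC-07", "eid": 8,
     "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Windows\System32\RuntimeBroker.exe"},
    # Benign noise: an administrator creating a task from an interactive cmd shell.
    {"ts": "2026-03-12T10:02:00", "host": "WS-ADM-01", "eid": 1,
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Tools\backup.cmd"'},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
USER_SHELLS = {"explorer.exe"}  # a double-clicked LNK makes explorer.exe the parent
# Processes allowed to create threads in RuntimeBroker.exe; assumption, tune per estate.
TRUSTED_INJECTORS = {"csrss.exe"}


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def stage_of(ev: dict):
    """Return the chain stage a single event represents, or None if it matches nothing."""
    if ev["eid"] == 1:
        img, par = _name(ev["image"]), _name(ev["parent"])
        cmd = ev.get("cmd", "").lower()
        # Stage 1: the user shell launches a script host pointed at an .hta file
        if img in SCRIPT_HOSTS and par in USER_SHELLS and ".hta" in cmd:
            return "script_host_from_shell"
        # Stage 2: persistence created by a script host rather than an admin shell
        if img == "schtasks.exe" and "/create" in cmd and par in SCRIPT_HOSTS:
            return "schtask_by_script_host"
    elif ev["eid"] == 8:
        # Stage 3: a remote thread created in RuntimeBroker.exe by an untrusted source
        if _name(ev["target"]) == "runtimebroker.exe" and _name(ev["image"]) not in TRUSTED_INJECTORS:
            return "remote_thread_into_runtimebroker"
    return None


def correlate(events, window=timedelta(minutes=30)):
    """Group stage hits per host; two or more distinct stages inside the window raise an alert."""
    hits = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage:
            hits.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = []
    for host, seq in hits.items():
        first = seq[0][0]
        stages = sorted({s for t, s in seq if t - first <= window})
        if len(stages) >= 2:
            alerts.append({"host": host, "stages": stages,
                           "severity": "high" if len(stages) == 3 else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Single-stage hits are deliberately not alerted on their own: an administrator's schtasks invocation from cmd.exe (the fourth record) never maps to a stage, and a lone mshta.exe launch from explorer.exe is worth a low-priority hunt query rather than a page. In production the same three predicates translate directly into SIEM rules keyed on Sysmon ParentImage, CommandLine and TargetImage fields.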
Inside the Malware Toolset
Browser Credential Theft – CHROMELEVATOR
This tool:
- Extracts saved credentials from Chromium-based browsers
- Bypasses built-in browser protections
- Harvests authentication data silently
WhatsApp Data Extraction – ZAPIXDESK
- Decrypts local WhatsApp Web databases
- Extracts private chats and session data
- Targets healthcare and government communication
Network Reconnaissance Tools
Attackers use:
- RUSTSCAN → fast port scanning to find live hosts and services on reachable subnets
- LIGOLO-NG → reverse tunneling into internal networks
- CHISEL → TCP/UDP tunneling over HTTP, secured with SSH, for pivoting
Advanced Persistence Techniques
DLL Side-Loading Attacks
- Malware hides inside legitimate applications
- Example: modified WIREGUARD client
- Loads malicious DLL at runtime
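Side-loading is visible at image-load time: a signed executable pulls in a DLL that sits beside it in a user-writable folder and is either unsigned or signed by someone else, or a DLL that belongs in System32 is loaded from somewhere else. The block below is an added example, not the article's or CERT-UA's code, that applies those heuristics to constructed Sysmon EID 7 (ImageLoaded) records. The WireGuard layout mirrors the page's "modified WIREGUARD client" note only loosely: the directory paths, signer strings and the COMMONLY_PLANTED list are assumptions, not details of the real campaign.

```python
"""Heuristic detection of DLL side-loading from Sysmon EID 7 (ImageLoaded) records.

Added example; records are constructed and signer strings are illustrative only.
"""
import ntpath  # Windows path handling that also works when the script runs on Linux

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
TRUSTED_DIRS = SYSTEM_DIRS + (r"c:\program files", r"c:\program files (x86)")
# DLL names that side-loaders commonly plant next to a legitimate EXE (assumption; extend per estate)
COMMONLY_PLANTED = {"version.dll", "dbghelp.dll", "cryptbase.dll", "userenv.dll",
                    "wtsapi32.dll", "dwmapi.dll", "profapi.dll"}

# Constructed records: image = loading process, loaded = DLL, plus signature facts
SAMPLE_LOADS = [
    # A copy of a legitimate VPN client dropped in a temp folder with a replaced companion DLL
    {"image": r"C:\Users\olena\AppData\Local\Temp\wg\wireguard.exe",
     "image_signed": True, "image_signer": "WireGuard LLC",
     "loaded": r"C:\Users\olena\AppData\Local\Temp\wg\tunnel.dll",
     "loaded_signed": False, "loaded_signer": None},
    # The same process loading a real system DLL: benign
    {"image": r"C:\Users\olena\AppData\Local\Temp\wg\wireguard.exe",
     "image_signed": True, "image_signer": "WireGuard LLC",
     "loaded": r"C:\Windows\System32\kernel32.dll",
     "loaded_signed": True, "loaded_signer": "Microsoft Windows"},
    # A properly installed client loading its own signed DLL: benign
    {"image": r"C:\Program Files\WireGuard\wireguard.exe",
     "image_signed": True, "image_signer": "WireGuard LLC",
     "loaded": r"C:\Program Files\WireGuard\tunnel.dll",
     "loaded_signed": True, "loaded_signer": "WireGuard LLC"},
    # An unrelated signed utility with a planted version.dll beside it
    {"image": r"C:\Users\olena\Downloads\viewer\viewer.exe",
     "image_signed": True, "image_signer": "Example Vendor Ltd",
     "loaded": r"C:\Users\olena\Downloads\viewer\version.dll",
     "loaded_signed": False, "loaded_signer": None},
]


def _under(path: str, roots) -> bool:
    """True if path equals one of roots or lies beneath it (case-insensitive)."""
    p = path.lower().rstrip("\\")
    return any(p == r or p.startswith(r + "\\") for r in roots)


def classify_load(ev: dict) -> list:
    """Return the reasons an image-load record looks like side-loading (empty list = benign)."""
    proc_dir = ntpath.dirname(ev["image"]).lower()
    dll_dir = ntpath.dirname(ev["loaded"]).lower()
    dll_name = ntpath.basename(ev["loaded"]).lower()
    sibling_untrusted = dll_dir == proc_dir and not _under(proc_dir, TRUSTED_DIRS)
    reasons = []
    # A DLL that normally lives in System32 loaded from anywhere else: classic bait
    if dll_name in COMMONLY_PLANTED and not _under(dll_dir, SYSTEM_DIRS):
        reasons.append("system-dll-name-outside-system32")
    # Signed EXE loading an unsigned DLL from its own, non-standard directory
    if ev["image_signed"] and not ev["loaded_signed"] and sibling_untrusted:
        reasons.append("signed-exe-loads-unsigned-sibling-dll")
    # Both signed, but by different publishers, side by side outside trusted directories
    if (ev["image_signed"] and ev["loaded_signed"]
            and ev.get("image_signer") != ev.get("loaded_signer") and sibling_untrusted):
        reasons.append("sibling-dll-signer-mismatch")
    return reasons


def scan(events) -> list:
    """Return one finding per suspicious load: (process, dll, reasons)."""
    findings = []
    for ev in events:
        reasons = classify_load(ev)
        if reasons:
            findings.append({"process": ev["image"], "dll": ev["loaded"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOADS):
        print(f)
```

The directory and signer checks are what keep the rule quiet on healthy installs: the same wireguard.exe and tunnel.dll pair under Program Files, both carrying the vendor's signature, produces no finding. Sysmon exposes the signature fields only when `Signed`/`Signature` are enabled for ImageLoaded events in its configuration, so confirm that before relying on the second and third heuristics.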
Backdoor Deployment
- AGINGFLY backdoor installed via DLL injection
- Enables remote access and control
Cryptocurrency Mining Abuse
- XMRIG miner deployed in some cases
- Runs hidden within compromised systems
Targeting Critical Infrastructure
Healthcare Sector Risk
Hospitals are heavily impacted due to:
- High-value patient data
- Emergency system dependency
- Limited downtime tolerance
Government Targeting
Municipal systems are attacked for:
- Identity data
- Administrative access
- Internal communications
Military Targeting
CERT-UA also reported:
- Fake drone software updates (“BACHU”)
- Delivered via Signal messaging
- Used to deploy AGINGFLY backdoor
Why This Attack Is Highly Dangerous
1. Multi-Layer Infection Chain
Combines phishing, XSS on compromised legitimate websites, LNK/HTA execution, scheduled tasks, and process injection.
2. Cross-Application Data Theft
Targets:
- Browsers
- Messaging apps
- System credentials
3. Living-off-the-Land Techniques
Abuses legitimate tools like:
- PowerShell
- mshta.exe
- wscript.exe
4. AI-Generated Deception
Fake websites built using AI increase trust and credibility.
Common Mistakes That Enable These Attacks
1. Trusting External Links in Emails
Especially those referencing humanitarian or urgent topics.
2. Allowing Execution of Script Files
LNK shortcuts and HTA scripts are commonly overlooked because they are not treated as executables, even though an HTA run by mshta.exe executes script with full user privileges.
3. Weak Endpoint Monitoring
Credential theft often goes undetected.
4. Overexposure of Messaging Platforms
WhatsApp Web and Telegram are often unsecured in enterprise environments.
Best Practices to Defend Against UAC-0247
Immediate Security Controls
- Block execution of:
  - .LNK files arriving by email or inside downloaded archives (blocking shortcuts outright breaks desktops; scope the rule to files carrying the mark-of-the-web)
  - .HTA scripts
  - .JS files
System Hardening
- Restrict or disable:
  - mshta.exe
  - powershell.exe (most estates need it for administration; prefer Constrained Language Mode, script block logging and AppLocker/WDAC allow-lists over removing it)
  - wscript.exe
Network Monitoring
- Detect unusual outbound traffic
- Monitor Telegram channel connections
- Identify unknown IP communications
Endpoint Protection
- Detect DLL side-loading attempts
- Monitor credential dumping behavior
- Enforce application control policies
Expert Security Insights
Healthcare Is a Prime Target
Because of:
- Sensitive patient data
- Operational urgency
- Legacy system exposure
Credential Theft Is the Real Goal
Attackers are no longer just deploying ransomware—they are:
👉 Extracting long-term access credentials
AI Is Accelerating Deception
Fake portals and emails are increasingly AI-generated, making phishing harder to detect.
Framework Mapping
MITRE ATT&CK
| Tactic | Technique | ATT&CK ID |
|---|---|---|
| Initial Access | Spearphishing link in a humanitarian-themed email | T1566.002 |
| Execution | User execution of a malicious LNK; HTA run through mshta.exe | T1204.002, T1218.005 |
| Persistence | Scheduled task created by the HTA stage | T1053.005 |
| Defense Evasion | Shellcode injection into RuntimeBroker.exe | T1055 |
| Defense Evasion | DLL side-loading via a modified WireGuard client | T1574 |
| Discovery | Network service scanning with RustScan | T1046 |
| Credential Access | Credentials from Chromium-based browsers (CHROMELEVATOR) | T1555.003 |
| Collection | WhatsApp Web local database decryption (ZAPIXDESK) | T1005 |
| Command and Control | Protocol tunneling with Chisel and Ligolo-ng | T1572 |
| Exfiltration | Encrypted channels | T1041 or T1048, depending on whether data leaves over the C2 channel or a separate protocol |
| Impact | Cryptocurrency mining with XMRig | T1496 |
NIST Cybersecurity Framework
- Identify healthcare and government assets
- Protect endpoints and email systems
- Detect abnormal execution chains
- Respond to credential theft incidents
- Recover compromised systems
FAQs
1. What is the UAC-0247 campaign?
A cyberattack targeting hospitals and governments to steal browser and WhatsApp data using multi-stage malware.
2. What data is being stolen?
- Browser credentials
- WhatsApp messages
- System authentication data
3. How does the attack start?
Through phishing emails disguised as humanitarian aid messages.
4. Which industries are targeted?
Healthcare, government, and defense organizations.
5. What tools do attackers use?
CHROMELEVATOR, ZAPIXDESK, RUSTSCAN, CHISEL, LIGOLO-NG, the AGINGFLY backdoor and, in some cases, XMRIG.
6. How can organizations defend themselves?
By blocking script execution, hardening endpoints, and monitoring network anomalies.
Conclusion
The UAC-0247 cyberattack campaign highlights a dangerous evolution in modern cyber warfare:
👉 Attackers are no longer just breaking into systems—they are extracting communication identity and operational trust.
By combining phishing, malware chaining, and advanced lateral movement tools, the group demonstrates how quickly critical infrastructure can be compromised.
Key takeaway:
Defending healthcare and government systems requires more than perimeter security—it demands behavioral detection, strict execution control, and continuous monitoring.
Now is the time to:
- Restrict risky file execution
- Strengthen endpoint visibility
- Monitor credential theft patterns
👉 Because in modern cyberattacks, the first click often becomes the point of full compromise.