

Ethical Hacking News

A New Malware Campaign Targets Ukrainian Clinics and Government Institutions with Advanced Data-Stealing Tactics



A new malware campaign has been discovered that targets Ukrainian clinics and government institutions, delivering malware capable of stealing sensitive data from Chromium-based web browsers and WhatsApp. The attack uses advanced tactics, including AI-generated content and a two-stage loader, to facilitate reconnaissance, lateral movement, and the theft of credentials and other sensitive data. This campaign highlights the need for enhanced security measures and proactive monitoring to protect against evolving cyber threats.

  • Ukraine's CERT-UA has disclosed a new malware campaign targeting governments and municipal healthcare institutions and delivering malware capable of stealing data from Chromium-based web browsers and WhatsApp.
  • The campaign uses an email message claiming to be a humanitarian aid proposal as the starting point of the attack chain.
  • The lure leads the victim to download and run a Windows Shortcut (LNK) file, which executes a remote HTML Application (HTA) using the native Windows utility "mshta.exe".
  • The final payload is compressed and encrypted; one stager, a TCP reverse shell tracked as RAVENSHELL, connects to a management server to receive commands that it executes on the host.
  • Malware family AGINGFLY provides remote control of affected systems, communicating with a C2 server using WebSockets to fetch commands.
  • The attacks facilitate reconnaissance, lateral movement, theft of credentials and sensitive data from WhatsApp and Chromium-based browsers.
  • The campaign highlights the need for enhanced security measures and proactive monitoring in high-risk sectors such as healthcare and government institutions.



    In a recent development, the Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a new malware campaign that has targeted governments and municipal healthcare institutions, mainly clinics and emergency hospitals, to deliver malware capable of stealing sensitive data from Chromium-based web browsers and WhatsApp. The activity, which was observed between March and April 2026, has been attributed to a threat cluster dubbed UAC-0247. The origins of the campaign are presently unknown.

    The starting point of the attack chain is an email message claiming to be a humanitarian aid proposal, urging recipients to click on a link that redirects to either a legitimate website compromised via a cross-site scripting (XSS) vulnerability or a bogus site created with help from artificial intelligence (AI) tools. Regardless of what the site is, the goal is to download and run a Windows Shortcut (LNK) file, which then executes a remote HTML Application (HTA) using the native Windows utility, "mshta.exe." The HTA file, for its part, displays a decoy form to divert the victim's attention, while simultaneously fetching a binary responsible for injecting shellcode into a legitimate process (e.g., "runtimeBroker.exe").

    At the same time, recent campaigns have recorded the use of a two-stage loader. Its second stage is implemented in a proprietary executable file format (with full support for code and data sections, import of functions from dynamic libraries, and relocation), and the final payload is additionally compressed and encrypted. One of the stagers is a TCP reverse shell, or an equivalent tool, tracked as RAVENSHELL, which establishes a TCP connection with a management server to receive commands and executes them on the host using "cmd.exe."

    Also downloaded to the infected machine are a malware family dubbed AGINGFLY and a PowerShell script referred to as SILENTLOOP. SILENTLOOP includes functions to execute commands, auto-update its configuration, obtain the current IP address of the management server from a Telegram channel, and fall back to alternative mechanisms for determining the command-and-control (C2) address. AGINGFLY, developed in C#, is engineered to provide remote control of the affected systems. It communicates with a C2 server over WebSockets to fetch instructions that allow it to execute commands, launch a keylogger, download files, and run additional payloads.

    An investigation of about a dozen incidents has revealed that these attacks facilitate reconnaissance, lateral movement, and the theft of credentials and other sensitive data from WhatsApp and Chromium-based browsers. This is accomplished by deploying various open-source tools, such as those listed below.
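    Each stage of the chain described above leaves a recognizable trace in endpoint telemetry: "mshta.exe" launched with a remote URL, "cmd.exe" spawned from a host process that has been injected into (the article names "runtimeBroker.exe"), a PowerShell stager resolving its C2 address through Telegram, and a non-browser process reading Chromium credential stores. The following is an added example of that detection logic written for this article; it is not code from CERT-UA, the article, or any vendor. The event field names loosely follow Sysmon-style process, network and file telemetry and are assumed, the sample events are constructed, and the allow-lists and suspicious-parent sets are assumptions that a real deployment would tune.

```python
"""Toy detection pass over constructed endpoint events modelled on the
UAC-0247 chain: LNK -> remote HTA via mshta.exe, reverse shell running
cmd.exe from an injected host process, PowerShell stager looking up its
C2 via Telegram, and non-browser access to Chromium credential stores.

Added example, not CERT-UA's or the article's code. Field names are
assumed (Sysmon-like); every sample event below is constructed.
"""
import re
from dataclasses import dataclass

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# Hosts a stager may use to resolve its C2 address (the article names a Telegram channel).
C2_LOOKUP_HOSTS = {"api.telegram.org", "t.me", "telegram.me"}
# Assumed allow-list of processes that legitimately open Chromium credential stores.
BROWSER_PROCS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
# Path fragments of Chromium files that hold saved logins, cookies and the DPAPI-wrapped key.
CHROMIUM_SECRETS = ("\\login data", "\\cookies", "\\local state")
# Assumed set of host processes that should never spawn a shell; runtimeBroker.exe is
# the injection target named in the article.
SHELL_UNEXPECTED_PARENTS = {"runtimebroker.exe"}


@dataclass
class Event:
    kind: str              # "process", "network" or "file"
    process: str           # image basename of the acting process
    parent: str = ""       # parent image basename (process events)
    cmdline: str = ""      # command line (process events)
    target_file: str = ""  # file opened (file events)
    dest_host: str = ""    # destination host (network events)


@dataclass
class Finding:
    rule: str
    event: Event


def rule_mshta_remote_hta(ev: Event) -> bool:
    """mshta.exe given a remote URL: the LNK -> remote HTA step."""
    return (ev.kind == "process" and ev.process.lower() == "mshta.exe"
            and REMOTE_URL.search(ev.cmdline) is not None)


def rule_shell_from_injected_host(ev: Event) -> bool:
    """cmd.exe spawned by a process that should not launch shells (reverse-shell command execution)."""
    return (ev.kind == "process" and ev.process.lower() == "cmd.exe"
            and ev.parent.lower() in SHELL_UNEXPECTED_PARENTS)


def rule_stager_c2_lookup_via_telegram(ev: Event) -> bool:
    """PowerShell talking to Telegram: the SILENTLOOP-style C2 address lookup."""
    return (ev.kind == "network" and ev.process.lower() == "powershell.exe"
            and ev.dest_host.lower() in C2_LOOKUP_HOSTS)


def rule_nonbrowser_reads_chromium_store(ev: Event) -> bool:
    """A process outside the browser allow-list opening a Chromium credential store."""
    if ev.kind != "file" or ev.process.lower() in BROWSER_PROCS:
        return False
    path = ev.target_file.lower()
    return any(fragment in path for fragment in CHROMIUM_SECRETS)


RULES = [
    ("mshta_remote_hta", rule_mshta_remote_hta),
    ("shell_from_injected_host", rule_shell_from_injected_host),
    ("stager_c2_lookup_via_telegram", rule_stager_c2_lookup_via_telegram),
    ("nonbrowser_reads_chromium_store", rule_nonbrowser_reads_chromium_store),
]


def detect(events):
    """Run every rule over every event; return the findings in event order."""
    return [Finding(name, ev) for ev in events for name, fn in RULES if fn(ev)]


# Constructed sample telemetry: four malicious events interleaved with benign look-alikes.
CHROME_LOGIN_DATA = ("C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data"
                     "\\Default\\Login Data")
SAMPLE_EVENTS = [
    Event("process", "explorer.exe", "winlogon.exe", "C:\\Windows\\explorer.exe"),
    Event("process", "mshta.exe", "explorer.exe", "mshta.exe http://example.invalid/aid/form.hta"),
    Event("process", "mshta.exe", "msiexec.exe", "mshta.exe C:\\Program Files\\Vendor\\setup.hta"),  # local HTA, benign
    Event("process", "cmd.exe", "runtimebroker.exe", "cmd.exe /c whoami"),
    Event("process", "cmd.exe", "explorer.exe", "cmd.exe"),  # user-opened shell, benign
    Event("network", "powershell.exe", dest_host="api.telegram.org"),
    Event("network", "chrome.exe", dest_host="api.telegram.org"),  # browser chat, benign
    Event("file", "chrome.exe", target_file=CHROME_LOGIN_DATA),  # browser reading its own store
    Event("file", "svchost.exe", target_file=CHROME_LOGIN_DATA),  # unexpected reader
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.event.process} parent={f.event.parent!r} "
              f"cmd={f.event.cmdline!r} host={f.event.dest_host!r} file={f.event.target_file!r}")
```

    Each rule matches exactly one of the constructed malicious events and none of the benign look-alikes; in practice the parent-process and browser allow-lists are the parts that need tuning to an environment's own baseline, and the rules are starting points for hunting rather than a complete signature of the campaign.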

    The use of such tactics in this malware campaign highlights the evolving nature of cyber threats and the need for enhanced security measures to protect against them. It also underscores the importance of staying vigilant and proactive in monitoring for suspicious activity, particularly in high-risk sectors such as healthcare and government institutions.

    In addition, the fact that this campaign is targeting Ukrainian clinics and hospitals adds a layer of complexity and concern. The potential for malware campaigns to compromise sensitive data and disrupt critical services is a serious one, and it is essential that organizations take immediate action to bolster their defenses and mitigate the risks associated with such threats.

    Furthermore, the use of AI-generated content in this campaign is particularly noteworthy. This highlights the growing importance of incorporating artificial intelligence (AI) into cybersecurity solutions and strategies. As the landscape of cyber threats continues to evolve, it is crucial that organizations stay ahead of the curve by investing in cutting-edge technologies and tools that can help detect and prevent such attacks.

    In conclusion, the recent malware campaign attributed to the UAC-0247 threat cluster poses a significant threat to governments, healthcare institutions, and other critical sectors. The use of advanced data-stealing tactics and AI-generated content underscores the evolving nature of cyber threats and highlights the need for enhanced security measures and proactive monitoring. Organizations must take immediate action to bolster their defenses and mitigate the risks associated with such threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-New-Malware-Campaign-Targets-Ukrainian-Clinics-and-Government-Institutions-with-Advanced-Data-Stealing-Tactics-ehn.shtml

  • https://thehackernews.com/2026/04/uac-0247-targets-ukrainian-clinics-and.html

  • https://thecyberexpress.com/cyberattacks-on-hospitals-by-uac-0247-hackers/

  • https://thehackernews.com/

  • https://www.pointwild.com/threat-intelligence/raven-stealer/

  • https://hackread.com/raven-stealer-malware-browsers-passwords-payment-data/

  • https://www.bleepingcomputer.com/news/security/new-agingfly-malware-used-in-attacks-on-ukraine-govt-hospitals/

  • https://aviatrix.ai/threat-research-center/agingfly-malware-ukraine-2026/


  • Published: Thu Apr 16 02:07:39 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.