Ethical Hacking News
A new advanced persistent threat (APT) group has been identified as targeting Ukrainian government entities and municipal healthcare facilities with malware designed to steal sensitive data from Chromium-based browsers and WhatsApp. The attackers' tactics include phishing email campaigns, shellcode injection, and the use of reverse shells. This article provides a comprehensive analysis of UAC-0247's campaign, highlighting the group's sophisticated tools and techniques, as well as the ongoing espionage risks posed by this threat.
UAC-0247 is an advanced persistent threat (APT) group targeting Ukrainian government entities and municipal healthcare facilities. The group launched a phishing email campaign in March 2026, using AI-generated fake websites or exploiting vulnerable legitimate sites to steal sensitive data. Its malware uses a two-stage loader with a custom executable format to deliver a compressed and encrypted payload. Recent variants inject shellcode into legitimate processes to maintain persistence on compromised devices. The group uses reverse shells, subnet scanners, RUSTSCAN, and covert tunnels (LIGOLO-NG and CHISEL) to gather intelligence and move laterally across networks. The use of these tools poses ongoing espionage risks and highlights the importance of proactive security measures.
The cyber landscape is a constantly evolving environment, with threat actors continually adapting and innovating their tactics to evade detection and exploit vulnerabilities. In recent months, a new player has emerged in this arena: UAC-0247, an advanced persistent threat (APT) group that has been targeting Ukrainian government entities and municipal healthcare facilities with alarming regularity.
According to CERT-UA, Ukraine's national Computer Emergency Response Team, UAC-0247's campaign began in March 2026 with a phishing email campaign aimed at stealing sensitive data from Chromium-based browsers and WhatsApp. The attackers pose as humanitarian aid organizations, hosting their lures on AI-generated fake websites or on legitimate sites that are vulnerable to cross-site scripting (XSS) and can be abused to serve the malicious content.
The attack gains traction when an unsuspecting victim clicks on the link, which then sets off a chain reaction of events designed to compromise their device and exfiltrate sensitive data. The attackers' malware is sophisticated, utilizing a two-stage loader with a custom executable format to deliver a compressed and encrypted payload.
Recent variants of UAC-0247's malware have adopted more aggressive tactics, including injecting shellcode into legitimate processes such as RuntimeBroker.exe. Running inside a trusted system process lets the attackers maintain a persistent presence on compromised devices while blending in with normal activity, which makes the threat harder for security teams to detect and respond to.
One of the most notable aspects of UAC-0247's campaign is its use of a reverse shell similar to RAVENSHELL, which establishes an outbound TCP connection to the command server, XOR-encrypts the traffic, and executes the commands it receives. This gives the attackers interactive control over compromised devices and, because the outbound connection and obfuscated traffic look unremarkable, makes it difficult for security teams to establish the scope of the attack.
Beyond its own malware, UAC-0247 has also been observed using publicly available tools, including subnet scanners and RUSTSCAN, to enumerate reachable hosts and services inside compromised networks. The group has also set up covert tunnels with LIGOLO-NG and CHISEL, which let it pivot through the initial foothold and move laterally across the network.
The use of these tools and tactics has raised concerns about the ongoing espionage risks posed by UAC-0247. As one expert noted, "To reduce the likelihood of a cyberthreat, it is enough to limit the launch of LNK, HTA, and JS files, as well as legitimate utilities mshta.exe, powershell.exe, and wscript.exe." The advice targets the file types used to deliver the initial payload and the built-in Windows utilities that typically execute it, so restricting them on endpoints that have no business need for them cuts off the usual entry path. This highlights the importance of vigilance and proactive security measures in preventing attacks like those carried out by UAC-0247.
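The following script is an added illustration, not code from CERT-UA or from the article's sources, of how a detection team could check endpoint telemetry against the advice quoted above and against the RuntimeBroker.exe injection described earlier. It assumes Sysmon-style events already parsed into dictionaries (EventID 1 process creation with Image and CommandLine, EventID 8 CreateRemoteThread with SourceImage and TargetImage); the six sample events, the user name, and the treatment of C:\Windows\System32 as a low-noise source for remote threads are all constructed assumptions for the example.

```python
"""Flag endpoint events that violate the CERT-UA hardening advice.

Added illustration (not CERT-UA's or the article's own code). Events are
assumed to be Sysmon-style records parsed into dicts; the samples below are
constructed, not taken from a real incident.
"""
from __future__ import annotations

import re
from typing import Iterable

# Utilities the advice says to restrict (matched on the image basename).
RESTRICTED_UTILITIES = {"mshta.exe", "powershell.exe", "wscript.exe"}
# File types the advice says should not be launched (matched on command-line tokens).
RESTRICTED_EXTENSIONS = (".lnk", ".hta", ".js")
# Process the article names as an injection target for recent malware variants.
INJECTION_TARGETS = {"runtimebroker.exe"}
# Assumption for this example: remote threads originating from System32 are
# treated as routine OS activity; anything else into the target is reported.
TRUSTED_DIR = "c:\\windows\\system32\\"


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def command_tokens(cmdline: str) -> list[str]:
    """Split a command line on whitespace while keeping quoted paths intact."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def classify(event: dict) -> list[str]:
    """Return the list of advice violations found in one event (empty if none)."""
    findings: list[str] = []
    if event["EventID"] == 1:  # process creation
        image = basename(event["Image"])
        if image in RESTRICTED_UTILITIES:
            findings.append(f"restricted utility: {image}")
        for token in command_tokens(event["CommandLine"]):
            if token.lower().endswith(RESTRICTED_EXTENSIONS):
                findings.append(f"restricted file type: {basename(token)}")
    elif event["EventID"] == 8:  # CreateRemoteThread
        target = basename(event["TargetImage"])
        source = event["SourceImage"].lower()
        if target in INJECTION_TARGETS and not source.startswith(TRUSTED_DIR):
            findings.append(f"remote thread into {target} from {basename(source)}")
    return findings


def scan(events: Iterable[dict]) -> list[tuple[int, list[str]]]:
    """Return (RecordId, findings) for every event that triggers at least one finding."""
    hits = []
    for event in events:
        findings = classify(event)
        if findings:
            hits.append((event["RecordId"], findings))
    return hits


# Constructed sample telemetry: records 1, 2, 4 and 5 should be flagged; 3 and 6 should not.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c start "" "C:\Users\olena\Downloads\aid_form.lnk"'},
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\olena\AppData\Local\Temp\invite.hta"},
    {"RecordId": 3, "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\olena\Documents\report.txt"},
    {"RecordId": 4, "EventID": 8, "SourceImage": r"C:\Users\olena\AppData\Roaming\svc\update.exe",
     "TargetImage": r"C:\Windows\System32\RuntimeBroker.exe"},
    {"RecordId": 5, "EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe //B "C:\Users\olena\Downloads\form.js"'},
    {"RecordId": 6, "EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\RuntimeBroker.exe"},
]

if __name__ == "__main__":
    for record_id, findings in scan(SAMPLE_EVENTS):
        print(record_id, "; ".join(findings))
```

The two rule sets are deliberately separate: the EventID 1 checks are a direct encoding of the quoted advice and can feed an allow-listing decision, whereas the EventID 8 check is a hunting heuristic, since legitimate components do create threads in RuntimeBroker.exe and the System32 exclusion is only a starting point that each environment has to tune.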
In conclusion, the tactics and techniques employed by UAC-0247 represent a significant threat, particularly in the context of Ukraine's ongoing conflict. As the group continues to evolve its tooling, security teams must remain vigilant and adapt their defenses accordingly.
Related Information:
https://www.ethicalhackingnews.com/articles/Exposing-the-Deceptive-Tactics-of-UAC-0247-A-Comprehensive-Analysis-of-the-Advanced-Persistent-Threat-ehn.shtml
https://securityaffairs.com/190875/apt/from-clinics-to-government-uac-0247-expands-cyber-campaign-across-ukraine.html
https://thecyberexpress.com/cyberattacks-on-hospitals-by-uac-0247-hackers/
https://cyberwebspider.com/the-hacker-news/cyber-campaign-targets-ukraine/
https://breach-hq.com/threat-actors
https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
https://cyberpress.org/apt37-hackers-abusing-group-chats/
https://gbhackers.com/chollima-apt-hackers/
https://cybersecuritynews.com/apt36-hacker-group-attacking-linux-systems/
https://thehackernews.com/2026/01/transparent-tribe-launches-new-rat.html
https://attack.mitre.org/groups/G0016/
https://westoahu.hawaii.edu/cyber/global-weekly-exec-summary/north-korean-hackers-attack-using-powershell/
https://cybersecuritynews.com/north-korean-hackers-using-dropbox-powershell-scripts/
https://github.com/Nicocha30/ligolo-ng
https://www.hackingarticles.in/a-detailed-guide-on-ligolo-ng/
https://attack.mitre.org/groups/
Published: Thu Apr 16 06:43:06 2026 by llama3.2 3B Q4_K_M