Ukrainian cyber defenders warned of an intensified campaign by threat cluster UAC-0247 targeting hospitals, emergency services, municipal bodies, and defense-linked users with phishing lures disguised as humanitarian aid. Attackers deploy multi-stage loaders, custom executable formats and backdoors like AGINGFLY—alongside tools such as SILENTLOOP and RAVENSHELL—to gain persistent remote control, steal credentials, and deploy cryptominers. #UAC-0247 #AGINGFLY
Key points
- CERT-UA reported a spike in attacks between March and April 2026 linked to UAC-0247.
- Phishing emails posing as humanitarian aid deliver malicious LNK files that abuse Windows tools to execute remote code.
- Attackers use multi-stage loaders, encrypted payloads, scheduled tasks, and process injection to evade detection.
- AGINGFLY and SILENTLOOP provide persistent remote control and dynamic command retrieval, while RAVENSHELL-like shells enable encrypted C2.
- Credential theft (CHROMELEVATOR, ZAPIXDESK), tunneling tools (LIGOLO-NG, CHISEL), and trojanized software enable lateral movement and monetization such as XMRIG mining.
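The two delivery-and-persistence points above (LNK lures that hand off to built-in Windows tools, and scheduled tasks that keep loaders running) are the parts of the chain a defender can triage from endpoint telemetry. The following is an added example, not code from CERT-UA or from the linked article: a scoring heuristic that looks at shortcut metadata (display name, target, arguments) and scheduled-task definitions (name, command, arguments) and flags combinations of a watched built-in tool, a remote URL, a hidden-window switch, a document-looking double extension, or a user-writable path. The tool watchlist, the thresholds, and every sample record are assumptions constructed for the demo, not indicators from the advisory.

```python
"""Triage heuristic for LNK lures and scheduled tasks (added example, assumptions labelled)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed watchlist (not from the advisory): built-in Windows tools that a document
# shortcut or a maintenance task rarely needs, but which can fetch and run code.
WATCHED_TOOLS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
    "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe",
}
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s'\"<>]+", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|/min\b", re.IGNORECASE)
# A document-looking double extension such as "list.pdf.lnk" is a classic lure shape.
DOC_DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.lnk$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Public|ProgramData|Downloads)\\", re.IGNORECASE)
FLAG_THRESHOLD = 3  # assumed: tune against your own baseline


@dataclass
class Finding:
    subject: str
    score: int
    reasons: list

    @property
    def flagged(self) -> bool:
        return self.score >= FLAG_THRESHOLD


def tool_name(command: str) -> str:
    """Lower-cased file name of the executable in a (possibly quoted) Windows path."""
    return PureWindowsPath(command.strip('"')).name.lower()


def assess_shortcut(name: str, target: str, arguments: str) -> Finding:
    """Score one .lnk by display name, resolved target and argument string."""
    score, reasons = 0, []
    if tool_name(target) in WATCHED_TOOLS:
        score += 1; reasons.append(f"target is watched tool {tool_name(target)}")
    if URL_RE.search(arguments):
        score += 2; reasons.append("arguments contain a remote URL")
    if DOC_DOUBLE_EXT_RE.search(name):
        score += 1; reasons.append("document-looking double extension")
    if HIDDEN_RE.search(arguments):
        score += 1; reasons.append("asks for a hidden window")
    return Finding(name, score, reasons)


def assess_task(task_name: str, command: str, arguments: str) -> Finding:
    """Score one scheduled-task action by its command line."""
    score, reasons = 0, []
    text = f"{command} {arguments}"
    if tool_name(command) in WATCHED_TOOLS:
        score += 1; reasons.append(f"runs watched tool {tool_name(command)}")
    if URL_RE.search(text):
        score += 2; reasons.append("command line contains a remote URL")
    if USER_WRITABLE_RE.search(text):
        score += 2; reasons.append("references a user-writable location")
    if HIDDEN_RE.search(text):
        score += 1; reasons.append("asks for a hidden window")
    return Finding(task_name, score, reasons)


# Constructed sample records (hypothetical; placeholder.invalid is a reserved TLD).
SAMPLE_SHORTCUTS = [
    ("Humanitarian_Aid_Recipients.pdf.lnk",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     '-w hidden -c "<fetch http://placeholder.invalid/stage1 and run it>"'),
    ("Quarterly Report.lnk",
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"C:\Users\ana\Documents\report.docx"),
    ("Nightly Backup.lnk",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"-File C:\Scripts\backup.ps1"),
]
SAMPLE_TASKS = [
    ("MicrosoftEdgeUpdateTaskMachineCore",
     r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe", "/c"),
    ("OneDrive Standalone Update",
     r"C:\Users\ana\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "/background"),
    ("SysHealthCheck",
     r"C:\Windows\System32\rundll32.exe", r"C:\Users\Public\Libraries\sh.dll,Start"),
]


def triage() -> dict:
    """Map every sample subject to whether it crossed the flag threshold."""
    findings = [assess_shortcut(*s) for s in SAMPLE_SHORTCUTS]
    findings += [assess_task(*t) for t in SAMPLE_TASKS]
    return {f.subject: f.flagged for f in findings}


if __name__ == "__main__":
    for s in SAMPLE_SHORTCUTS:
        f = assess_shortcut(*s)
        print(f"{'FLAG' if f.flagged else 'ok  '} {f.score} {f.subject}: {'; '.join(f.reasons)}")
    for t in SAMPLE_TASKS:
        f = assess_task(*t)
        print(f"{'FLAG' if f.flagged else 'ok  '} {f.score} {f.subject}: {'; '.join(f.reasons)}")
```

The threshold is deliberately higher than any single signal: a PowerShell shortcut that runs a local script, or an updater that legitimately lives under AppData, each scores below it, while the lure shortcut (watched tool plus URL plus hidden window plus double extension) and the task that loads a DLL from a public folder through a watched tool cross it. Feed it real shortcut fields from a LNK parser and task actions exported from the Task Scheduler, and keep the reasons list, since the reasons are what an analyst needs to confirm or dismiss a hit.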
Read More: https://thecyberexpress.com/cyberattacks-on-hospitals-by-uac-0247-hackers/