[{"data":1,"prerenderedAt":125},["ShallowReactive",2],{"article-slug-uac-0247-espionage-campaign-targets-government-and-healthcare-in-ukraine":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":34,"sources":35,"events":46,"mitre_techniques":47,"mitre_mitigations":63,"d3fend_countermeasures":82,"iocs":91,"cyber_observables":92,"tags":113,"extract_datetime":117,"article_type":118,"impact_scope":119,"pub_date":123,"reading_time_minutes":124,"createdAt":117,"updatedAt":117},"aae9cf0e-0815-42e4-b302-905997150b6f","uac-0247-espionage-campaign-targets-government-and-healthcare-in-ukraine","UAC-0247 Espionage Campaign Targets Ukrainian Government and Healthcare with Data-Stealing Malware","CERT-UA Warns of UAC-0247 Cyber-Espionage Campaign Targeting Government and Healthcare in Ukraine","The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of an ongoing cyber-espionage campaign by the threat actor UAC-0247. Active since March 2026, the campaign targets Ukrainian government bodies and healthcare facilities with phishing emails. The attack uses a multi-stage infection chain involving LNK and HTA files to deploy a data-stealing payload that injects into legitimate processes like RuntimeBroker.exe. The malware, similar to the RAVENSHELL backdoor, is designed to exfiltrate data from web browsers and the WhatsApp desktop application.","## Executive Summary\nThe Computer Emergency Response Team of Ukraine (**[CERT-UA](https://cert.gov.ua/)**) has issued an alert (CERT-UA#9240) detailing a targeted cyber-espionage campaign conducted by the threat actor group **UAC-0247**. Active from March to April 2026, the campaign has focused on Ukrainian government organizations and municipal healthcare facilities, including clinics and hospitals. The attackers use phishing lures, often themed around humanitarian aid, to trick victims into executing a malicious payload. The malware's primary objective is to steal sensitive data, specifically targeting information from Chromium-based web browsers and the **[WhatsApp](https://www.whatsapp.com/)** desktop application. The complex infection chain utilizes LNK and HTA files to ultimately inject a backdoor, similar to **RAVENSHELL**, into trusted system processes to evade detection.\n\n## Threat Overview\n**UAC-0247** is conducting a classic espionage operation with a focus on data exfiltration from specific, high-value targets within Ukraine. The choice of targets—government and healthcare—suggests a motive of gathering intelligence on government operations and the state of civilian services during a time of conflict.\n\nThe attack begins with a socially engineered phishing email. The email contains a link that, when clicked, downloads a ZIP archive. To enhance credibility, the attackers have been observed using AI-generated websites or exploiting XSS vulnerabilities on legitimate sites to host their malicious files. Inside the ZIP archive is a Windows Shortcut file (`.LNK`). This reliance on user execution of a file from an archive is a common and effective TTP.\n\n## Technical Analysis\nThe infection process is multi-staged, designed to bypass security controls and obfuscate the final payload.\n\n1.  **Phishing ([`T1566.002`](https://attack.mitre.org/techniques/T1566/002/) - Spearphishing Link):** The attack is initiated via a malicious link in a phishing email.\n2.  **User Execution ([`T1204.002`](https://attack.mitre.org/techniques/T1204/002/) - Malicious File):** The victim is tricked into extracting a ZIP archive and clicking on a malicious `.LNK` shortcut file.\n3.  **Command and Scripting Interpreter ([`T1059.001`](https://attack.mitre.org/techniques/T1059/001/) - PowerShell):** The LNK file executes a command, which in turn launches an HTA file. HTA files are often used to run scripts (like VBScript or JScript) that can download and execute further payloads.\n4.  **Scheduled Task/Job ([`T1053.005`](https://attack.mitre.org/techniques/T1053/005/)):** The HTA script creates a scheduled task to launch the main executable payload, establishing persistence and running with system privileges.\n5.  **Process Injection ([`T1055`](https://attack.mitre.org/techniques/T1055/)):** To evade detection by EDR and antivirus, the malware injects its malicious shellcode into a legitimate, trusted Windows process, `RuntimeBroker.exe`.\n6.  **Data from Local System ([`T1005`](https://attack.mitre.org/techniques/T1005/)):** The injected payload, a reverse TCP shell similar to **RAVENSHELL**, then begins its primary task: stealing data. It specifically targets credential files, cookies, and history from Chromium-based browsers and data from the local WhatsApp desktop client.\n7.  **Exfiltration Over C2 Channel ([`T1041`](https://attack.mitre.org/techniques/T1041/)):** The stolen data is exfiltrated back to an attacker-controlled command-and-control server.\n\n> The use of process injection into `RuntimeBroker.exe` is a notable defense evasion technique. As `RuntimeBroker.exe` is a legitimate Windows process that manages app permissions, its network activity might be considered normal by less sophisticated security tools, allowing the malware to blend in.\n\n## Impact Assessment\nThe impact of this campaign is primarily intelligence loss for the targeted Ukrainian entities. The theft of browser data can expose sensitive communications, usernames, passwords, and session cookies, allowing the attackers to access other government systems or personal accounts of employees. Stealing data from WhatsApp provides insight into real-time communications. This intelligence can be used for strategic advantage, to plan future attacks, or for disinformation purposes. For the healthcare facilities, the compromise of patient data or administrative systems could have serious consequences for their ability to provide care.\n\n## IOCs\nCERT-UA's advisory contains specific IOCs. While not listed in the summary articles, a full investigation would retrieve them from the official source.\n\n## Cyber Observables for Detection\n| Type | Value | Description | Context |\n| :--- | :--- | :--- | :--- |\n| file_name | `*.lnk` in `.zip` | The delivery mechanism involves tricking users into opening a LNK file from a ZIP archive. | Email security gateway logs, EDR file creation events. |\n| process_name | `mshta.exe` | The HTA file is executed by `mshta.exe`. This process spawning from an email or browser is suspicious. | EDR process lineage analysis. |\n| parent_process | `RuntimeBroker.exe` | Monitor for `RuntimeBroker.exe` making outbound network connections, which is atypical behavior. | EDR, firewall logs. |\n| command_line_pattern | `schtasks.exe /create` | Monitor for the creation of scheduled tasks by suspicious scripts or processes. | EDR, Windows Event ID 4698. |\n\n## Detection & Response\n**Detection Strategies:**\n*   **Attack Surface Reduction (ASR) Rules:** Enable Microsoft Defender ASR rules, specifically the rule that blocks script files like `.LNK` and `.HTA` from launching downloaded executable content.\n*   **Process Lineage Analysis:** Use an EDR to monitor process chains. A chain like `Outlook.exe` -> `mshta.exe` -> `powershell.exe` -> `schtasks.exe` is highly indicative of this attack.\n*   **D3FEND: [Process Analysis (D3-PA)](https://d3fend.mitre.org/technique/d3f:ProcessAnalysis):** Specifically focus on the behavior of `RuntimeBroker.exe`. This process should not be making persistent outbound network connections or spawning other processes. Alert on any such behavior.\n\n**Response Actions:**\n1.  Isolate the compromised host from the network.\n2.  Investigate the user account for other signs of compromise.\n3.  Block the C2 domains/IPs identified during analysis at the network perimeter.\n4.  Reset passwords for the affected user and any services they accessed.\n\n## Mitigation\n**Strategic Controls:**\n*   **User Training ([`M1017`](https://attack.mitre.org/mitigations/M1017/)):** Train users to be suspicious of unsolicited emails, especially those with attachments or links, and to never open files from untrusted ZIP archives.\n*   **D3FEND: [Executable Denylisting (D3-EDL)](https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting):** Block the execution of script interpreters for file types that are not required for business purposes. For most users, `mshta.exe` (for HTA files) can be blocked entirely.\n*   **Email Security:** Implement an advanced email security gateway that can scan links and attachments, and sandbox potentially malicious files to detect threats before they reach the user's inbox.","CERT-UA warns of espionage campaign UAC-0247 targeting Ukrainian government & healthcare. Attackers use phishing with LNK/HTA files to deploy a backdoor that steals data from browsers and WhatsApp. 🇺🇦 #CyberWar #Ukraine #Espionage","The Ukrainian CERT has issued a warning about a cyber-espionage campaign from threat actor UAC-0247, targeting government and healthcare organizations with data-stealing malware.",[13,14,15],"Threat Actor","Phishing","Cyberattack","high",[18,22,25,28,31],{"name":19,"type":20,"url":21},"CERT-UA","government_agency","https://cert.gov.ua/",{"name":23,"type":24},"UAC-0247","threat_actor",{"name":26,"type":27},"RAVENSHELL","malware",{"name":29,"type":30},"WhatsApp","product",{"name":32,"type":33},"Ukraine","other",[],[36,42],{"url":37,"title":38,"date":39,"friendly_name":40,"website":41},"https://securityaffairs.com/161942/apt/uac-0247-expands-cyber-campaign-across-ukraine.html","From clinics to government: UAC-0247 expands cyber campaign across Ukraine","2026-04-17","Security Affairs","securityaffairs.com",{"url":43,"title":44,"date":39,"friendly_name":19,"website":45},"https://cert.gov.ua/article/6280370","(UAC-0247) Розповсюдження шкідливого програмного забезпечення з метою викрадення даних (CERT-UA#9240)","cert.gov.ua",[],[48,51,54,57,60],{"id":49,"name":50},"T1566.002","Spearphishing Link",{"id":52,"name":53},"T1204.002","Malicious File",{"id":55,"name":56},"T1053.005","Scheduled Task",{"id":58,"name":59},"T1055","Process Injection",{"id":61,"name":62},"T1005","Data from Local System",[64,69,78],{"id":65,"name":66,"description":67,"domain":68},"M1017","User Training","Train users to identify and report phishing emails and to be wary of executing files from ZIP archives.","enterprise",{"id":70,"name":71,"d3fend_techniques":72,"description":77,"domain":68},"M1038","Execution Prevention",[73],{"id":74,"name":75,"url":76},"D3-EDL","Executable Denylisting","https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting","Use Attack Surface Reduction (ASR) rules or application control policies to block the execution of potentially malicious script files like LNK and HTA.",{"id":79,"name":80,"description":81,"domain":68},"M1040","Behavior Prevention on Endpoint","Use an EDR to monitor for suspicious process chains (e.g., email client spawning a script host) and anomalous behavior from system processes like RuntimeBroker.exe.",[83,85],{"technique_id":74,"technique_name":75,"url":76,"recommendation":84,"mitre_mitigation_id":70},"The UAC-0247 attack chain relies on executing scripts via legitimate Windows interpreters like `mshta.exe` (for HTA files). Executable Denylisting, often implemented via Microsoft Defender Attack Surface Reduction (ASR) rules or AppLocker, is a powerful countermeasure. Specifically, organizations should implement policies to block or audit the execution of these interpreters for most users. For example, an ASR rule can block 'untrusted and unsigned processes that run from USB' or 'process creations originating from PSExec and WMI commands'. More aggressively, AppLocker can be configured to block `mshta.exe` entirely for all users who do not have a specific business need for it. This breaks the infection chain at an early stage, preventing the LNK file's command from successfully launching the HTA payload, thus neutralizing the threat before the final backdoor is even downloaded.",{"technique_id":86,"technique_name":87,"url":88,"recommendation":89,"mitre_mitigation_id":90},"D3-PA","Process Analysis","https://d3fend.mitre.org/technique/d3f:ProcessAnalysis","To evade detection, UAC-0247 injects its final payload into the legitimate `RuntimeBroker.exe` process. This makes signature-based detection impossible. The key is Process Analysis focused on behavior and lineage. An EDR solution should be configured with high-severity alerts for the following `RuntimeBroker.exe` anomalies: 1) Network Connections: `RuntimeBroker.exe` is designed to manage UWP app permissions and should almost never initiate its own outbound network connections. Any persistent TCP connection from this process should be considered highly suspicious. 2) Process Ancestry: While the malware injects into an existing process, a full attack chain analysis would show the parent process (e.g., `mshta.exe` or `powershell.exe`) that led to the injection. Monitoring for suspicious process chains like `Outlook.exe -> mshta.exe` is critical. 3) File Access: `RuntimeBroker.exe` should not be accessing user browser profiles or WhatsApp data directories. EDRs configured to monitor file access can detect this anomalous data gathering behavior. These behavioral analytics provide the necessary context to uncover the malicious activity hiding within a legitimate process.","M1049",[],[93,98,103,107],{"type":94,"value":95,"description":96,"context":97,"confidence":16},"process_name","mshta.exe","Execution of the Microsoft HTA application, often used to run malicious scripts. Its execution from an email client or browser is highly suspicious.","EDR process creation logs (Sysmon Event ID 1).",{"type":99,"value":100,"description":101,"context":102,"confidence":16},"command_line_pattern","schtasks.exe /create","The malware uses scheduled tasks for persistence. Monitor for new task creation by unexpected processes.","Windows Security Event Log (Event ID 4698), EDR command line logging.",{"type":94,"value":104,"description":105,"context":106,"confidence":16},"RuntimeBroker.exe","The malware injects into this legitimate process. Monitor for RuntimeBroker.exe making outbound network connections or spawning child processes.","EDR process and network logs, firewall logs.",{"type":108,"value":109,"description":110,"context":111,"confidence":112},"file_name","*.lnk","The initial execution vector is a malicious LNK file within a ZIP archive. Block or alert on LNK files originating from email attachments.","Email security gateway, EDR file creation events.","medium",[114,32,23,19,14,115,116],"Espionage","Healthcare","Government","2026-04-18T15:00:00.000Z","NewsArticle",{"geographic_scope":120,"countries_affected":121,"industries_affected":122},"national",[32],[116,115],"2026-04-18",6,1776724720227]