# UAC-0247 Targets Ukrainian Clinics and Government in Data-Theft Malware Campaign
A newly disclosed cyber-espionage campaign is pulling sensitive data from Ukrainian hospitals, emergency clinics, and government offices, with attackers using commodity-style malware to siphon credentials, browser artifacts, and WhatsApp session material from compromised endpoints. The Computer Emergency Response Team of Ukraine (CERT-UA) attributes the activity to a cluster it tracks as UAC-0247, a threat group whose operators blended phishing, lightweight loaders, and legitimate system utilities to quietly harvest data between March and April 2026. The campaign marks yet another reminder that healthcare providers, especially those operating in active conflict zones, remain one of the most consistently targeted verticals for state-aligned intrusion sets.
## Background and Context
CERT-UA published technical details this week describing a wave of intrusions aimed primarily at municipal healthcare institutions — notably outpatient clinics and emergency hospitals — alongside central and local government bodies. The targeting pattern mirrors a broader trend seen throughout the war in Ukraine, where medical infrastructure has been repeatedly hit by wiper operations, ransomware deployments, and data-theft intrusions tied to Russian-aligned actors. Unlike destructive campaigns that announce themselves with outages, UAC-0247's operation is defined by its quietness: the goal is to extract intelligence, not to disrupt care delivery.
The activity is significant for several reasons. First, healthcare organizations hold sensitive records that have direct strategic value in wartime, from staff credentials that reveal personnel affiliations to contact data that can be weaponized in follow-on social engineering. Second, clinics and emergency hospitals typically run lean IT operations, often with outdated endpoints and limited telemetry, making them attractive low-resistance targets. And third, the phishing vector at the heart of this campaign — lures disguised as administrative correspondence — continues to succeed even against users who have been repeatedly trained to spot them.
## Technical Details
According to CERT-UA's analysis, the infection chain begins with spear-phishing emails that carry archive attachments containing either a shortcut (LNK) file or an executable disguised with a benign-looking document icon. When a target executes the payload, a downloader stages follow-on components from attacker-controlled infrastructure, occasionally leveraging legitimate file-hosting or tunneling services to blend with normal outbound traffic.
The delivered malware is a composite toolkit built around information-theft functionality rather than long-term persistence. Its capabilities include:
Command-and-control infrastructure observed in the campaign relies on a mix of newly registered domains and compromised hosting services. CERT-UA's advisory includes indicators of compromise (IOCs) covering file hashes, network indicators, and registry artifacts, which defenders can ingest directly into SIEM and EDR platforms.
## Real-World Impact
The stakes of this campaign go beyond data loss. Stolen credentials and session tokens from healthcare staff can be pivoted into access to patient systems, administrative portals, and — crucially — government inboxes connected to the same individuals through shared municipal identity providers. In a country where many municipal employees wear overlapping hats across civil defense, emergency response, and healthcare coordination, one compromised endpoint can unlock visibility across multiple organizational boundaries.
For patients, the immediate risk is exposure of personal and medical information, which can be used for targeted disinformation, coercion, or simple fraud. For institutions, there is reputational damage, regulatory exposure under Ukraine's alignment with GDPR-style data protection rules, and the operational cost of responding to an incident while continuing to deliver care. And for the broader allied community of healthcare CISOs watching this unfold, the campaign underscores how quickly techniques demonstrated in Ukraine migrate to other geographies and sectors.
## Threat Actor Context
CERT-UA has not publicly tied UAC-0247 to a specific foreign intelligence service in this advisory, and the group does not yet have a well-established track record under that label. The tradecraft on display — archive-based phishing, Chromium stealer modules, abuse of legitimate remote-management utilities, and focus on Ukrainian government and medical targets — is consistent with the broader ecosystem of Russian-aligned activity that includes clusters such as UAC-0050, UAC-0006, and Gamaredon-related operators. Whether UAC-0247 is an independent crew, a contractor grouping, or a reorganization of existing personnel is a question CERT-UA has left open pending further analysis.
What is clear is that the group's operational tempo is deliberate rather than opportunistic. The choice of healthcare and government in tandem, the timing during a period of intensified kinetic activity, and the emphasis on messaging platform compromise all suggest an intelligence-collection mission rather than financially motivated cybercrime.
## Defensive Recommendations
Organizations — particularly healthcare providers and public-sector entities — should treat the CERT-UA advisory as an opportunity to tighten several control areas:
1. Ingest the IOCs: Load CERT-UA's published hashes, domains, and IPs into EDR, SIEM, DNS filtering, and email gateways. Alert on any historical matches over the past 60 days.
2. Harden browser security: Enforce policies that limit saved-password functionality on managed browsers, require hardware-backed credential storage where available, and monitor for abnormal access to browser profile directories.
3. Protect WhatsApp Desktop: Restrict installation of WhatsApp Desktop on shared workstations, monitor access to its local data directory, and communicate the risk of using consumer messaging apps for sensitive official business.
4. Control LNK execution: Block or prompt on LNK files delivered via email, disable automatic execution from archive extraction, and monitor for cmd.exe or powershell.exe parent-child relationships with shortcut files.
5. Audit remote management tools: Inventory legitimate RMM software already in the environment, alert on unsanctioned installs, and ensure any tool that exposes remote access is protected by MFA and network segmentation.
6. Reinforce phishing resilience: Refresh training with current lures rather than generic examples, and ensure reporting channels surface suspicious mail back to security teams quickly.
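One way to turn recommendations 2 through 4 into endpoint detection logic, as an added example for this article rather than anything CERT-UA published: it classifies Sysmon-style process-creation and file-access events, flagging shells launched the way a double-clicked LNK fires them, non-browser reads of Chromium credential stores, and foreign access to the WhatsApp Desktop data folder. The process-name sets, the folder-name patterns and the sample events are constructed assumptions to tune for your own estate.

```python
import ntpath

# Heuristic name sets, constructed for this example (tune to your estate)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
LNK_PARENTS = {"explorer.exe", "winrar.exe", "7zfm.exe"}  # hand shortcuts to shells
BROWSERS = {"chrome.exe", "msedge.exe"}
BROWSER_FILES = {"login data", "cookies", "web data"}     # Chromium profile stores
WHATSAPP_DIR = "\\whatsapp\\"   # folder name only; the exact path is an assumption

def _base(path):
    return ntpath.basename(path).lower()

def classify(event):
    """Return the names of the detection rules a single event matches."""
    hits, image = [], _base(event.get("image", ""))
    if event["type"] == "process":
        parent, cmd = _base(event.get("parent", "")), event.get("cmdline", "").lower()
        # Rule 1: a shell started directly by Explorer or an archiver (how a
        # double-clicked LNK launches its target), or with a .lnk on its command line
        if image in SHELLS and (parent in LNK_PARENTS or ".lnk" in cmd):
            hits.append("lnk_shell_launch")
    elif event["type"] == "file":
        target = event.get("target", "").lower()
        # Rule 2: a process other than the browser touching Chromium credential/cookie stores
        if "\\user data\\" in target and _base(target) in BROWSER_FILES and image not in BROWSERS:
            hits.append("browser_profile_access")
        # Rule 3: anything other than WhatsApp itself reading its local data directory
        if WHATSAPP_DIR in target and image != "whatsapp.exe":
            hits.append("whatsapp_data_access")
    return hits

def scan(events):
    """Keep only alerting events, as (image basename, matched rules) pairs."""
    return [(_base(e["image"]), classify(e)) for e in events if classify(e)]

# Constructed Sysmon-style sample events (not telemetry from the advisory)
U = "C:\\Users\\u\\AppData"
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "cmd.exe /c start loader.exe"},
    {"type": "file", "image": U + "\\Local\\Temp\\loader.exe",
     "target": U + "\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"type": "file", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "target": U + "\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"type": "file", "image": U + "\\Local\\Temp\\loader.exe",
     "target": U + "\\Roaming\\WhatsApp\\Local Storage\\leveldb\\000003.log"},
]
```

Calling `scan(SAMPLE_EVENTS)` yields three alerts: the shell from Explorer, and the loader reading both the Chrome credential store and the WhatsApp folder, while Chrome's own read of its profile stays silent.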
## Industry Response
The disclosure has prompted renewed coordination among Ukraine's CERT community, sector-specific information-sharing groups, and Western intelligence partners who have been tracking related activity. Threat intelligence vendors are updating detection coverage for the staging chain and the stealer components, while messaging platform providers are expected to review their session-token handling in light of the ongoing abuse pattern. Healthcare ISACs in Europe and North America have circulated summaries of the CERT-UA bulletin, reflecting growing recognition that attacks demonstrated against Ukrainian clinics are not geographically confined for long.
For defenders, the practical lesson is familiar but urgent: the attack surface that matters most is rarely the one making headlines. It is the clinic workstation with a saved browser password and an active WhatsApp session — and UAC-0247 understands that perfectly.