UAC-0247
UAC-0247 is a threat cluster tracked by CERT-UA, previously tracked as UAC-0244. CERT-UA has reported active campaigns by this cluster since early 2026, with activity observed during March and April 2026. The actor has targeted Ukraine, including local governments, municipal authorities, government entities, municipal healthcare institutions, clinical hospitals, emergency medical services, emergency hospitals, representatives of Ukraine’s Defense Forces, and FPV drone operators. CERT-UA stated that the origin of UAC-0247 remains unclear.

The cluster has lured victims with phishing emails themed around humanitarian aid proposals or offers, and with trojanized software delivery. In reported campaigns, links in phishing messages redirected victims to compromised legitimate websites, websites with embedded malicious scripts, or AI-generated fake websites, which then delivered archives containing malicious LNK files or ZIP archives. Execution chains included LNK-triggered HTA execution via mshta.exe, decoy HTA forms, scheduled-task persistence, EXE payloads that injected shellcode into legitimate processes such as RuntimeBroker.exe, DLL side-loading, and in some cases a backdoor capable of establishing a reverse shell to attacker-controlled infrastructure. CERT-UA also reported archives delivered over Signal that masqueraded as updated FPV drone operator software such as “BACHU.”

UAC-0247 has been associated with malware and tooling including AGINGFLY, SILENTLOOP (also written SilentLoop), RAVENSHELL, CHROMELEVATOR (also written ChromeElevator), ZAPIXDESK (also written ZapixDesk), and in one case XMRIG. AGINGFLY is described as a C# remote access tool or backdoor that supports remote command execution, file download, screenshot capture, keylogging, arbitrary code execution, and theft of data from Chromium-based browsers and WhatsApp for Windows. CERT-UA reported that AGINGFLY communicates over WebSockets, encrypts traffic with AES-CBC using a static key, and dynamically retrieves command handlers from its C2 server as source code, compiling them at runtime. SILENTLOOP is a PowerShell persistence script that can execute commands, update its configuration, and retrieve current C2 information from Telegram. RAVENSHELL, or a TCP reverse shell, has been used as a stager. The actor also used CHROMELEVATOR to steal browser credentials and other sensitive browser data, ZAPIXDESK to extract WhatsApp data, RustScan and basic subnet scanners for reconnaissance, and LIGOLO-NG and CHISEL for covert tunneling.

CERT-UA reported that the cluster’s operations were primarily espionage-focused, involving theft of sensitive data, credential theft, reconnaissance, and lateral movement inside victim networks. In at least one case, compromised systems were also used for cryptocurrency mining via XMRIG.
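As an added illustration (not CERT-UA's or Mallory's code), the Python heuristics below flag three links of the execution chain described above when run over constructed Sysmon-style process-creation events: explorer.exe launching mshta.exe on an .hta file (the LNK-to-HTA step), schtasks.exe task creation spawned by a scripting host (the persistence step), and RuntimeBroker.exe started by an unexpected parent (a candidate injection target). The field names, sample paths and the assumption that RuntimeBroker.exe is normally a child of svchost.exe are mine, not from the reporting.

```python
"""Heuristic detections for the UAC-0247 execution chain, run over constructed
Sysmon-style process-creation events. Added illustration, not CERT-UA or Mallory code."""
from typing import Dict, List

# Constructed sample events (parent image, image, command line); all paths are invented.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\u\Downloads\Humanitarian_Aid\offer.hta"'},
    {"parent": r"C:\Windows\System32\mshta.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /tn "Updater" /tr "C:\Users\u\AppData\Roaming\s.ps1" /sc minute'},
    {"parent": r"C:\Users\u\AppData\Roaming\svc.exe", "image": r"C:\Windows\System32\RuntimeBroker.exe",
     "cmd": "RuntimeBroker.exe -Embedding"},
    {"parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\RuntimeBroker.exe",
     "cmd": "RuntimeBroker.exe -Embedding"},  # benign: expected parent
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmd": '"notepad++.exe" notes.txt'},  # benign: no HTA, no task creation
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: Dict[str, str]) -> List[str]:
    """Return the detection labels an event matches; an empty list means none."""
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmd"].lower()
    hits: List[str] = []
    # 1. LNK-triggered HTA: explorer.exe (which runs the LNK) spawns mshta.exe on an .hta file.
    if image == "mshta.exe" and parent == "explorer.exe" and ".hta" in cmd:
        hits.append("lnk_hta_via_mshta")
    # 2. Scheduled-task persistence created from a scripting host rather than an admin shell.
    if image == "schtasks.exe" and "/create" in cmd and parent in SCRIPT_HOSTS:
        hits.append("schtasks_persistence_from_script_host")
    # 3. RuntimeBroker.exe as an injection target. Assumption: it is normally a child of
    #    svchost.exe, so any other parent (here an EXE in a user profile) is suspect.
    if image == "runtimebroker.exe" and parent != "svchost.exe":
        hits.append("runtimebroker_unusual_parent")
    return hits

def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of each matching event to its labels."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}

if __name__ == "__main__":
    for i, labels in scan(SAMPLE_EVENTS).items():
        print(i, basename(SAMPLE_EVENTS[i]["image"]), labels)
```

The third heuristic will fire on any product that legitimately hosts RuntimeBroker.exe under another parent, so tune the expected-parent set to your own baseline before deploying it.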
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Health Care Equipment & Services
Where they target
Geographies tied to known operations.
- 🇺🇦 Ukraine
Tradecraft
42 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
12 malware families attributed to this actor across reporting.
Observables
296 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Threat activity cluster targeting Ukrainian drone operators with ZIP-delivered HTA droppers and a backdoor that establishes a reverse shell.
Espionage campaign targeting Ukrainian hospitals, municipal authorities, and emergency medical services, attempting to steal sensitive data and in some cases use compromised systems for cryptocurrency mining.
Conducting phishing-based malware campaigns in Ukraine targeting local governments and healthcare providers, using humanitarian assistance lures to deliver AgingFly for data theft.
Conducting phishing-led intrusions against Ukrainian local government, municipal healthcare, Defense Forces representatives, and FPV drone operators to steal browser and WhatsApp data, perform network reconnaissance, establish persistence and tunneling, and maintain remote access.