UAC-0247 Threat Actor Deploys Data-Stealing Malware Against Ukrainian Targets
The Ukrainian CERT-UA attributes a new campaign to threat actor UAC-0247, which uses phishing lures to deploy malware that steals data from Chromium browsers and WhatsApp on government and healthcare systems.

Executive Summary
The Computer Emergency Response Team of Ukraine (CERT-UA) has attributed a new, ongoing malware campaign to the threat actor tracked as UAC-0247. According to the agency, the group is targeting Ukrainian government bodies and municipal healthcare institutions, including clinics and emergency hospitals, with phishing emails designed to deploy data-stealing malware. The primary objective is the theft of sensitive information from Chromium-based web browsers and the WhatsApp desktop application.
Technical Analysis
The campaign, observed between March and April 2026, begins with phishing emails carrying malicious Microsoft Office documents. The public CERT-UA report does not detail the exact initial infection vector; historical tactics from similar groups suggest macro-laden documents or template injection to execute a malicious payload. The final-stage malware is a data stealer capable of extracting credentials, cookies, autofill data, and browsing history from Chromium-based browsers such as Google Chrome, Microsoft Edge, and Opera. It also targets the local databases of the WhatsApp desktop client to exfiltrate message history and contact lists. CERT-UA did not publicly disclose the malware's command-and-control (C2) infrastructure or specific binary names in the initial advisory, which limits independent verification of the technical specifics.
Tactics, Techniques & Procedures
Based on the CERT-UA disclosure, the campaign employs the following TTPs aligned with the MITRE ATT&CK framework:
- Initial Access (TA0001): Likely spearphishing attachment (T1566.001) with malicious Office documents.
- Execution (TA0002): User execution of malicious documents, potentially via scripts or exploited applications.
- Persistence (TA0003): Technique not specified in the public summary.
- Collection (TA0009): Data from local system (T1005) targeting specific application data stores for browsers and WhatsApp.
- Exfiltration (TA0010): Likely uses command and control channels (TA0011) to transfer stolen data.
The lack of detailed public reporting makes it uncertain whether the malware employs advanced evasion, privilege escalation, or lateral movement techniques.
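The two behaviours the TTP list and the technical analysis describe, an Office application spawning a child process and a process other than the browser or WhatsApp client reading their local data stores, can both be expressed as simple endpoint detection rules. The following Python is an added example written for this summary, not code from CERT-UA or the advisory; the event schema (`process_create` / `file_access` records), the sample telemetry, the WhatsApp package directory name and the list of processes Office is allowed to spawn are all constructed assumptions to be mapped onto your own EDR or Sysmon fields.

```python
"""Detection logic for two behaviours the advisory describes: an Office
process spawning a child (document-driven execution) and a process other than
the browser or WhatsApp reading the local data stores the stealer targets
(T1005). Event schema and sample events are constructed for this example."""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children Office legitimately spawns (print helper, error reporting); tune per fleet.
OFFICE_CHILD_ALLOWLIST = {"splwow64.exe", "wermgr.exe"}

# Chromium profile files holding credentials, cookies, autofill data and history.
CHROMIUM_STORE = re.compile(
    r"(?i)\\(google\\chrome|microsoft\\edge|opera software\\opera[^\\]*)\\"
    r"(?:.*\\)?(login data|cookies|web data|history)$")
# WhatsApp desktop keeps messages and contacts in SQLite files under its local
# app-data folder; the exact package directory name varies, so match any path
# component containing "WhatsApp" followed by a database file (assumption).
WHATSAPP_STORE = re.compile(r"(?i)\\[^\\]*whatsapp[^\\]*\\.*\.(db|sqlite)$")

# Processes expected to open each kind of store; anything else is a finding.
EXPECTED_READERS = {
    "chromium": {"chrome.exe", "msedge.exe", "opera.exe"},
    "whatsapp": {"whatsapp.exe"},
}


@dataclass
class Finding:
    rule: str
    host: str
    image: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def office_child_process(events):
    """Flag process creations whose parent is an Office application."""
    out = []
    for ev in events:
        if ev["type"] != "process_create":
            continue
        parent, child = _basename(ev["parent_image"]), _basename(ev["image"])
        if parent in OFFICE_PARENTS and child not in OFFICE_CHILD_ALLOWLIST:
            out.append(Finding("office_child_process", ev["host"], ev["image"],
                               f"{parent} spawned {child}: {ev.get('cmdline', '')}"))
    return out


def credential_store_access(events):
    """Flag reads of browser or WhatsApp data stores by an unexpected process."""
    out = []
    for ev in events:
        if ev["type"] != "file_access":
            continue
        path = ev["path"]
        if CHROMIUM_STORE.search(path):
            kind = "chromium"
        elif WHATSAPP_STORE.search(path):
            kind = "whatsapp"
        else:
            continue
        image = _basename(ev["image"])
        if image not in EXPECTED_READERS[kind]:
            out.append(Finding(f"{kind}_store_access", ev["host"], ev["image"],
                               f"{image} read {path}"))
    return out


# Constructed sample telemetry (not from the advisory).
LOCAL = r"C:\Users\analyst\AppData\Local"
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS-01",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\Users\\Public\\report.ps1"},
    {"type": "process_create", "host": "WS-01",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe"},
    {"type": "process_create", "host": "WS-02",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "file_access", "host": "WS-02",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": LOCAL + r"\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_access", "host": "WS-01",
     "image": r"C:\Users\Public\updater.exe",
     "path": LOCAL + r"\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_access", "host": "WS-01",
     "image": r"C:\Users\Public\updater.exe",
     "path": LOCAL + r"\Packages\PLACEHOLDER.WhatsAppDesktop_xxxx\LocalState\msgstore.db"},
    {"type": "file_access", "host": "WS-03",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "path": LOCAL + r"\Microsoft\Edge\User Data\Default\Network\Cookies"},
]


def run(events=SAMPLE_EVENTS):
    """Apply both rules and return the combined findings."""
    return office_child_process(events) + credential_store_access(events)


if __name__ == "__main__":
    for f in run():
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the sample telemetry, the first rule fires once (Word spawning PowerShell; the print helper is allowlisted) and the second twice (an unsigned `updater.exe` reading Chrome's `Login Data` and a WhatsApp database, while Chrome and Edge reading their own stores are ignored). The second rule is the higher-fidelity one for this campaign: very few legitimate processes open `Login Data`, `Cookies` or `Web Data` outside the browser, whereas Office child-process alerts need fleet-specific tuning.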
Threat Actor Context
UAC-0247 is a threat actor designation used by CERT-UA. The group's origins, affiliations, and motivations are not explicitly stated in this report. However, the targeting pattern—focusing on Ukrainian government and critical civilian infrastructure like healthcare—is consistent with activity historically linked to Russian-aligned advanced persistent threat (APT) groups. The objective of harvesting credentials and communications data suggests an intelligence-gathering or espionage operation, potentially to support further intrusions or gain situational awareness. It is unclear if UAC-0247 is a newly identified group or a sub-cluster of a known APT like Gamaredon, Shuckworm, or UNC3810.
Mitigations & Recommendations
CERT-UA recommends that Ukrainian organizations, particularly in the government and healthcare sectors, implement heightened security measures. General mitigations applicable to this threat include:
- User Training: Train users to identify and report spearphishing attempts, especially unsolicited emails with attachments.
- Application Hardening: Disable Office macros from the internet and use Microsoft's Attack Surface Reduction rules to block Office processes from creating child processes.
- Endpoint Protection: Deploy and maintain endpoint detection and response (EDR) solutions capable of detecting credential access and data exfiltration behaviors.
- Browser & Application Security: Use dedicated, secure profiles for sensitive work, enable browser security features, and consider application allowlisting.
- Network Monitoring: Monitor outbound traffic for connections to unknown or suspicious domains, which may indicate C2 communication or data exfiltration.
- Incident Response: Have an incident response plan ready and establish contact with CERT-UA for support and to share relevant threat data.
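The network-monitoring recommendation above is easiest to operationalise as a baseline of registered domains each host has previously contacted, with newly seen domains reviewed and upload-heavy ones escalated, since a stealer has to move the harvested browser and WhatsApp data out. The following Python is an added example written for this summary, not tooling from CERT-UA; the proxy log format, the log lines, the hostnames and the volume thresholds are constructed assumptions, and collapsing a hostname to its last two labels is a simplification (a real deployment would use a public-suffix list).

```python
"""Outbound-domain baselining over proxy logs: flag domains not seen in a
baseline period and mark upload-heavy ones as possible exfiltration.
Log format, lines and thresholds are constructed for this example."""
from collections import defaultdict

# Constructed format: timestamp client domain bytes_sent bytes_received
BASELINE_LOG = """\
2026-03-02T08:01:10Z 10.20.1.15 update.microsoft.com 1200 540000
2026-03-02T08:03:44Z 10.20.1.15 portal.example-agency.ua 8000 22000
2026-03-02T09:15:00Z 10.20.1.22 www.google.com 900 150000
"""
NEW_LOG = """\
2026-04-10T10:02:31Z 10.20.1.15 update.microsoft.com 1300 510000
2026-04-10T10:05:02Z 10.20.1.15 cdn-sync.example-unknown.net 2400000 3100
2026-04-10T10:05:40Z 10.20.1.22 www.google.com 1000 140000
2026-04-10T10:07:12Z 10.20.1.22 static.example-new-but-fine.com 700 80000
"""


def parse(log):
    """Parse the constructed proxy format into dicts."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, domain, sent, recv = line.split()
        rows.append({"ts": ts, "client": client, "domain": domain.lower(),
                     "sent": int(sent), "recv": int(recv)})
    return rows


def registered_domain(hostname):
    """Collapse a hostname to its last two labels (assumption: no public-suffix list)."""
    return ".".join(hostname.split(".")[-2:])


def build_baseline(rows):
    """Set of registered domains seen during the baseline period."""
    return {registered_domain(r["domain"]) for r in rows}


def flag_new_domains(rows, baseline, upload_ratio=5.0, min_sent=1_000_000):
    """Summarise domains absent from the baseline; severity is 'high' when the
    domain received at least min_sent bytes and uploads dominate downloads."""
    agg = defaultdict(lambda: {"clients": set(), "sent": 0, "recv": 0})
    for r in rows:
        rd = registered_domain(r["domain"])
        if rd in baseline:
            continue
        a = agg[rd]
        a["clients"].add(r["client"])
        a["sent"] += r["sent"]
        a["recv"] += r["recv"]
    findings = []
    for rd, a in sorted(agg.items()):
        upload_heavy = a["sent"] >= min_sent and a["sent"] >= upload_ratio * max(a["recv"], 1)
        findings.append({"domain": rd, "clients": sorted(a["clients"]),
                         "sent": a["sent"], "recv": a["recv"],
                         "severity": "high" if upload_heavy else "low"})
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for f in flag_new_domains(parse(NEW_LOG), baseline):
        print(f"{f['severity']:4} {f['domain']} clients={f['clients']} sent={f['sent']} recv={f['recv']}")
```

On the constructed logs, two new domains appear in the April period: one looks like ordinary browsing (small upload, larger download, low severity) while the other received 2.4 MB from a single workstation with almost nothing coming back, the profile a credential and message-history upload would leave, and is marked high. Low-severity hits are still worth a periodic review, because a C2 channel that only beacons may never cross the volume threshold.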
