CERT-UA reports UAC-0247 targeting Ukrainian clinics and government bodies with malware stealing data from Chromium browsers and WhatsApp.

CERT-UA has revealed a cyber campaign by the threat actor UAC-0247 targeting Ukrainian government entities and municipal healthcare facilities, including clinics and emergency hospitals. The operation between March and April 2026, used malware designed to steal sensitive data from Chromium-based browsers and WhatsApp. The origin of the threat actor remains unclear, raising concerns about ongoing espionage risks.

The attack begins with a phishing email posing as a humanitarian aid proposal, prompting the victim to click a link. To appear credible, attackers may use AI-generated fake websites or exploit legitimate sites vulnerable to XSS attacks.

Clicking the link downloads an archive containing a shortcut file that triggers an HTA execution chain. This retrieves a remote HTA file showing a decoy form while silently launching an EXE via a scheduled task.

The malware injects shellcode into legitimate processes like RuntimeBroker.exe. Recent variants use a two-stage loader with a custom executable format, delivering a compressed and encrypted payload. A reverse shell, often similar to RAVENSHELL, establishes a TCP connection with the command server, encrypts traffic via XOR, and executes commands.

“A typical TCP reverse shell or an analogue classified as RAVENSHELL can be used as stagers, which provides for establishing a TCP connection with the management server, encrypting traffic using 9-byte XOR (key: “01 01 02 03 74 15 04 FF EE”; during the first connection, an XOR-encrypted message “Connected!” is transmitted), as well as executing commands using CMD.” reads the report published by CERT-UA.

For persistence, the attackers deployed the malware AGINGFLY alongside a PowerShell script, SILENTLOOP, which manages commands, updates configuration, and retrieves C2 server data via Telegram with backup mechanisms.

AGINGFLY is a C# malware used to remotely control infected computers. It can run commands, download files, take screenshots, log keystrokes, and execute code. It communicates with its control server via encrypted web sockets using AES-CBC. Unlike typical malware, it doesn’t store command functions locally, instead, it downloads them from the server and compiles them on the fly, making it more flexible and harder to detect.

CERT-UA experts analyzed multiple incidents, discovering that attackers stole credentials from browsers using CHROMELEVATOR and from WhatsApp via ZAPIXDESK, while also conducting reconnaissance and lateral movement within networks. They employ subnet scanners and tools like RUSTSCAN, and create covert tunnels using LIGOLO-NG and CHISEL. In one case, an XMRIG miner was deployed via a modified WIREGUARD executable. Targets include Ukrainian Defense personnel, with malware spread through a fake “BACHU” tool shared on Signal, leveraging DLL side-loading to deploy AGINGFLY.

“To reduce the likelihood of a cyberthreat, it is enough to limit the launch of LNK, HTA, and JS files, as well as legitimate utilities mshta.exe, powershell.exe, and wscript.exe, the necessity of which has been repeatedly emphasized in the context of reducing the attack surface by using standard operating system protection mechanisms.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CERT-UA)

Phishing remains one of the most effective tactics in the cybercriminal playbook, particularly when attackers exploit urgent humanitarian themes, trusted online resources, and legitimate system tools to increase victim engagement. Europol also notes that phishing continues to serve as a primary delivery vector for data-stealing malware. This pattern is clearly reflected in the latest activity tracked by CERT-UA, where threat actors used humanitarian-aid themed lures and multi-stage malware delivery to target Ukrainian organizations.

In a CERT-UA article, researchers described a UAC-0247 campaign targeting local self-government bodies, communal healthcare institutions, and likely representatives of Ukraine’s Defense Forces. The operation ultimately deployed AGINGFLY and related malicious tools, combining phishing, deceptive web delivery, and abuse of legitimate Windows utilities to establish access and support follow-on compromise.

CERT-UA’s latest reporting highlights another wave of phishing-driven intrusions targeting Ukraine’s civilian and potentially defense-adjacent sectors. In the campaign described in the article, attackers used humanitarian-aid themed emails to lure victims into opening malicious content that eventually deployed AGINGFLY, a malware family associated with remote access, credential theft, and follow-on post-compromise activity. The observed targets included local self-government bodies, communal healthcare institutions, including clinical and emergency hospitals, and likely individuals connected to FPV drone operations.

Sign up for the SOC Prime Platform to proactively defend your organization against UAC-0247 attacks. Just press Explore Detections below and access a relevant detection rule stack, enriched with AI-native CTI, mapped to the MITRE ATT&CK® framework, and compatible with a wide range of SIEM, EDR, and Data Lake technologies.

Security teams can search the Threat Detection Marketplace using the “UAC-0247” tag to identify relevant detections and monitor related content updates. Cyber defenders can also rely on Uncoder AI to convert raw threat intelligence into performance-optimized queries, document and improve rule logic, and generate Attack Flows based on the latest CERT-UA reporting.

Explore Detections

Analyzing UAC-0247 Attacks Delivering AGINGFLY via Humanitarian-Themed Phishing Lures

According to CERT-UA, the attack chain began with phishing emails disguised as humanitarian aid proposals. Victims were prompted to click a link that redirected either to a legitimate website compromised through cross-site scripting (XSS) or to a fake website generated with AI tools. In both scenarios, the objective was to persuade the victim to download and open an archive containing a malicious LNK file.

Once launched, the shortcut file abused mshta.exe to retrieve and execute a remote HTA file. The HTA displayed a decoy form to distract the victim while simultaneously downloading an executable that injected shellcode into a legitimate process, such as RuntimeBroker.exe. CERT-UA also noted that more recent stages of the campaign relied on a two-stage loader, with the second stage using a proprietary executable format and the final payload additionally compressed and encrypted to complicate detection and analysis.

Among the next-stage components identified in the campaign were RAVENSHELL, which acted as a reverse-shell style stager, SILENTLOOP, a PowerShell-based tool capable of executing commands and obtaining command-and-control data, and AGINGFLY, the primary malware family used in the operation. CERT-UA-linked reporting indicates that AGINGFLY is designed for remote control, data theft, and follow-on compromise activity.

The campaign also supported credential theft, reconnaissance, and lateral movement. Investigators observed the use of tooling to extract data from Chromium-based browsers, access messaging-related data, scan internal networks, and tunnel traffic across compromised environments. In one of the investigated cases, forensic evidence suggested that representatives of Ukraine’s Defense Forces may have been targeted using malicious ZIP archives distributed via Signal and designed to deploy AGINGFLY through DLL side-loading.

To reduce exposure to this activity, CERT-UA recommends restricting the execution of risky file types such as LNK, HTA, and JS, while also limiting or closely monitoring the use of native Windows tools frequently abused in the infection chain, including mshta.exe, powershell.exe, and wscript.exe.

MITRE ATT&CK Context

Leveraging MITRE ATT&CK helps contextualize the latest UAC-0247 activity. Based on the reported TTPs, the most relevant techniques likely include Phishing: Spearphishing Link (T1566.002), Command and Scripting Interpreter, Process Injection (T1055), Web Protocols / WebSockets for C2, Credential Access, and Lateral Movement via tunneling and proxying tools. This mapping reflects the phishing lures, deceptive web delivery, LNK-to-HTA execution, shellcode injection, AGINGFLY deployment, and follow-on credential theft and internal reconnaissance.

The post UAC-0247 Attack Detection: AGINGFLY Malware Targets Hospitals, Local Governments, and FPV Operators in Ukraine appeared first on SOC Prime.

Ukrainian cyber defenders reported a newly intensified cyber campaign that is targeting Ukraine’s healthcare system and local government agencies, with attackers deploying increasingly sophisticated malware and social engineering tactics.

In a fresh advisory, the CERT-UA said the activity—linked to a threat cluster tracked as UAC-0247—spiked between March and April 2026, with clinical hospitals, emergency services, and municipal bodies bearing the brunt of the attacks.

UAC-0247 Used Humanitarian Aid Lures as Entry Point

The campaign begins with phishing emails disguised as offers of humanitarian assistance—a tactic designed to exploit trust during wartime conditions. Victims are urged to click on links that appear legitimate, sometimes backed by convincingly crafted fake websites or compromised third-party resources.

Behind the scenes, however, the links trigger a multi-stage infection chain that ultimately gives attackers remote control over the victim’s system.

Once clicked, victims download an archive containing a malicious shortcut file. This file activates a built-in Windows tool to execute remote code, initiating a sequence that includes decoy documents to avoid suspicion.

Also read: Hackers Impersonate Ukrainian CERT to Plant a RAT on Government, Hospital Networks

The attack escalates quickly. Malicious executables are deployed via scheduled tasks, injecting code into legitimate system processes such as RuntimeBroker.exe to evade detection.

Recent campaigns show an evolution in sophistication, with attackers introducing multi-stage loaders and custom executable formats. Payloads are often encrypted and compressed, making analysis and detection more difficult.

At later stages, attackers deploy reverse shell tools—including variants resembling “RAVENSHELL”—to establish encrypted communication with command-and-control servers and execute remote commands.

Persistent Access and Remote Control

To maintain long-term access, attackers install a custom backdoor known as AGINGFLY, a C#-based malware designed for full remote system control. The tool enables:

• Command execution
• File exfiltration
• Screenshot capture
• Keylogging

Unlike conventional malware, AGINGFLY dynamically retrieves and compiles its command logic from remote servers, making it more adaptable and harder to detect.

Complementing this is a PowerShell-based tool dubbed SILENTLOOP, which helps maintain persistence and retrieves command server addresses—sometimes even pulling them from Telegram channels.

Credential Theft and Lateral Movement

Once inside a network, attackers move quickly to expand access. CERT-UA observed tools like CHROMELEVATOR being used to extract browser credentials, while ZAPIXDESK targets WhatsApp data.

The attackers also conduct internal reconnaissance using both custom scripts and publicly available tools such as RUSTSCAN. For stealthy movement across networks, tunneling tools like LIGOLO-NG and CHISEL are deployed.

In at least one case, attackers went further—embedding the XMRIG cryptocurrency miner inside a modified version of the legitimate WireGuard application, highlighting a secondary motive of financial gain.

Military Targets Also in Scope

The campaign isn’t limited to civilian infrastructure. CERT-UA noted an incident in March where individuals connected to Ukraine’s defense sector were targeted via the Signal platform.

Attackers distributed a trojanized version of software used by FPV drone operators, packaged as a seemingly legitimate update. In reality, the download triggered a DLL side-loading attack that installed the AGINGFLY backdoor.

CERT-UA recommends reducing exposure by restricting the execution of high-risk file types such as LNK, HTA, and JavaScript files. The agency also urges organizations to limit the use of native Windows tools like mshta.exe and PowerShell where possible, as these are frequently abused in attacks.

Threat actors impersonated CERT-UA to send phishing emails with AGEWHEEZE malware, tricking victims into installing a fake “security tool.”

A threat actor, tracked as UAC-0255, impersonated CERT-UA in a phishing campaign, sending emails to about 1 million users. The messages urged victims to download a password-protected archive from Files.fm and install a fake “specialized software,” which actually deployed the AGEWHEEZE remote access tool, giving attackers control over infected systems.

“The National Cyber ​​Incident, Cyber ​​Attack, and Cyber ​​Threat Response Team CERT-UA recorded cases of distribution of emails allegedly on behalf of CERT-UA on March 26-27, 2026, urging people to download a password-protected archive (“CERT_UA_protection_tool.zip”, “protection_tool.zip”) from the Files.fm service and install “specialized software”.” reads the advisory published by CERT-UA. “It was found that the executable file that was offered to be installed (internal package name: “/example.com/tvisor/agent”) is a multifunctional software tool for remote computer control, classified by CERT-UA as AGEWHEEZE.”

AGEWHEEZE supports command execution, file management, screen capture, input control, and process/service management. It ensures persistence via registry, startup, or scheduled tasks, installing itself in AppData paths. The malware communicates with its server via WebSockets and can also steal clipboard data, run commands, and control system actions.

The campaign targeted government organizations, medical centers, security companies, educational institutions, financial institutions, software development companies, and others.

The attackers created a fake website (cert-ua[.]tech) mimicking the real CERT-UA site to spread the fake “security tool” that is actually AGEWHEEZE malware. The tool allows remote control of infected systems. CERT-UA experts state that the command server is hosted on OVH infrastructure and includes a login page (“The Cult”) with Russian-language elements, suggesting the attackers’ origin or links.

The fake site cert-ua[.]tech includes links to a Telegram channel claiming responsibility for the attack, confirming attribution to UAC-0255.

The fake site was likely AI-generated and included references to “CYBER SERP,” a group active since late 2025, claiming responsibility. The group says it sent phishing emails to 1 million users and infected over 200,000 devices, though this is unverified.

The campaign had a limited impact, infecting only a few devices in educational institutions. CERT-UA experts helped contain it. The case shows how AI can make cyberattacks easier, and highlights the need to reduce attack surfaces and use security tools like AppLocker and system protections.

Authorities thanked Ukrainian telecom providers for supporting cyber defense efforts and sharing threat information. They also warned that AI is making attacks easier, urging organizations to reduce attack surfaces and strengthen security using system protections and dedicated tools.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

Phishing remains one of the most effective tools in the cybercriminal arsenal, especially when threat actors abuse the credibility of trusted institutions and familiar digital services to increase victim interaction. In late March 2026, CERT-UA revealed a phishing campaign tracked as UAC-0255 in which attackers impersonated the agency and attempted to infect organizations across Ukraine’s public and private sectors with the AGEWHEEZE RAT.

Detect UAC-0255 Attacks Covered in CERT-UA#21075

Europol notes that phishing remains the main distribution vector for data-stealing malware, reflecting how email- and URL-driven social engineering remains central to malware delivery. The same pattern is visible across the phishing activity CERT-UA has been documenting against Ukraine throughout 2026. 

Earlier this year, CERT-UA reported a UAC-0190 campaign targeting the Ukrainian Armed Forces with the PLUGGYAPE backdoor, and later disclosed UAC-0252 activity in which emails impersonating central executive authorities and regional administrations lured victims into running SHADOWSNIFF and SALATSTEALER payloads. The latest UAC-0255 attack covered in CERT-UA#21075 alert fits the same broader trend, with threat actors now abusing CERT-UA’s own identity to make the lure more convincing and expand targeting across both public and private sector organizations. 

Register for the SOC Prime Platform to proactively detect UAC-0255 and similar attacks at the earliest stages possible. Just press Explore Detections below and access a relevant detection rule stack, enriched with AI-native CTI, mapped to the MITRE ATT&CK® framework, and compatible with multiple SIEM, EDR, and Data Lake technologies.

Explore Detections

Security experts can also use the “CERT-UA#21075” tag based on the relevant CERT-UA alert identifier to search for the detection stack directly and track any content changes. For more rules to detect adversary-related attacks, cyber defenders can search the Threat Detection Marketplace library using the “UAC-0255” tag.

Cybersecurity professionals can also rely on Uncoder AI to analyze threat intelligence in real time, generate Attack Flows, Sigma rules, simulations and validations, design detections in 56 languages, and create custom agentic workflows. Visit https://socprime.ai/ to learn more.

Analyzing UAC-0255 Attacks Impersonating CERT-UA to Deploy AGEWHEEZE

On March 26–27, 2026, CERT-UA identified a phishing campaign in which attackers impersonated the agency and urged recipients to download password-protected archives from the Files.fm service, including “CERT_UA_protection_tool.zip” and “protection_tool.zip.” The archives contained malicious content presented as specialized software to be installed by targeted organizations. 

Malicious emails were distributed broadly across Ukraine and targeted government organizations, medical centers, security firms, educational institutions, financial organizations, software development companies, and other entities, highlighting the campaign’s reach across both public and private sectors.

​​CERT-UA#21075 alert also details the discovery of the fraudulent website cert-ua[.]tech, which reused materials from the official cert.gov.ua website and included instructions for downloading the fake protection tool. This helped the attackers reinforce the legitimacy of the lure and increase the chances of user interaction by abusing trust in Ukraine’s Computer Emergency Response Team.

The executable offered for installation was determined to be a multifunctional remote access malware strain tracked by CERT-UA as AGEWHEEZE. AGEWHEEZE is a Go-based RAT that supports a broad set of remote administration capabilities. In addition to standard functions such as command execution and file management, the malware can stream screen content, emulate mouse and keyboard input, interact with the clipboard, manage processes and services, and open URLs on the compromised host.

The malware’s command-and-control infrastructure was hosted on the network of French provider OVH (AS16276). On port 8443/tcp, researchers observed a web page titled “The Cult” containing an authentication form, while the HTML source included russian-language strings noting about blocked access to the service. CERT-UA also found that the associated self-signed SSL certificate had been created on March 18, 2026, and that the Organization field contained the value “TVisor.”

During a review of the AI-generated cert-ua[.]tech website, CERT-UA found embedded references to the CyberSerp Telegram channel, including the phrase “With Love, CYBER SERP.” On March 28, 2026, the same Telegram channel publicly claimed responsibility for the attack, helping remove uncertainty around the technical attribution. Based on these findings, CERT-UA assigned the activity the identifier UAC-0255.

Despite the breadth of targeting, CERT-UA assessed the attack as unsuccessful. Investigators identified only several infected personal devices belonging to employees of educational institutions, and the response team provided the necessary practical and methodological assistance. 

MITRE ATT&CK Context

Leveraging MITRE ATT&CK offers in-depth insight into the latest UAC-0255 phishing campaign impersonating CERT-UA. The table below displays all relevant Sigma rules mapped to the associated ATT&CK tactics, techniques, and sub-techniques.

The post UAC-0255 Attack Detection: Threat Actors Impersonate CERT-UA to Infect Ukrainian Public and Private Sector Organizations With AGEWHEEZE RAT appeared first on SOC Prime.

Ukraine's frontline cyber defense agency became the subject of its own investigation last week after an unknown threat actor built a convincing fake version of its website, sent emails impersonating its staff and instructed recipients across the country to download malware packaged as official security software. The Computer Emergency Response Team of Ukraine, CERT-UA, disclosed on Sunday, that between March 26 and 27, attackers distributed emails falsely attributed to CERT-UA, urging recipients to download a password-protected archive named either "CERT_UA_protection_tool.zip" or "protection_tool.zip". The file was made available for download from Files.fm file-sharing service and installed what the messages described as specialized protective software. The phishing emails were targeted at a broad cross-section of Ukrainian institutions including government organizations, medical centers, security companies, educational institutions, financial institutions and software development firms. Supporting the phishing campaign, attackers had registered and populated a counterfeit website at cert-ua[.]tech — a domain created on March 27, just one day into the distribution window. The look-a-like website had content lifted directly from the official CERT-UA website at cert[.]gov[.]ua, alongside fabricated instructions for downloading the malicious "protection tool." The executable file inside those archives was not protective software. CERT-UA classified it as AGEWHEEZE, a full-featured Remote Access Trojan (RAT) written in the Go programming language. A RAT is malware that gives an attacker complete remote control over an infected machine: not just file access, but live screen viewing, keyboard and mouse emulation, command execution, process and service management, clipboard reading and writing, and the ability to shut down, restart, or lock the device entirely. AGEWHEEZE's command set is exhaustive and purpose-built for persistent, covert control. It supports screen capture and real-time input emulation, full file system operations including read, write, delete, rename, and directory creation, process killing, service control, autorun management, terminal access, and the ability to open arbitrary URLs on the victim machine. AGEWHEEZE establishes persistence through the Windows registry startup key, the Startup directory, or a scheduled task, creating entries named "SvcHelper" or "CoreService" depending on the infection path. All communications to its command-and-control server route over WebSocket connections to a server hosted on infrastructure belonging to French cloud provider OVH. That command-and-control server carried its own revealing details. On port 8443, a web page titled "The Cult" displayed an authentication form. Buried in the HTML source of that page, investigators found Russian-language text reading: "Membership suspended. Your access to the Cult has been blocked. Contact the administrator to restore it." The self-signed SSL certificate on the server was created on March 18, with "TVisor" listed in the Organization field, matching the internal package name found inside the malware itself: "/example.com/tvisor/agent. Attribution arrived quickly and from the attackers themselves. A review of the AI-generated fake website at cert-ua[.]tech uncovered a line embedded in the HTML code reading: "With Love, CYBER SERP — https://t[.]me/CyberSerp_Official." [caption id="attachment_110836" align="aligncenter" width="600"] Fake website and HTML code embedding CyberSerp details. (Source: CERT-UA)[/caption] On March 28, the day after the campaign launched, the Telegram channel referenced in that code published a message claiming responsibility for the attack, eliminating any ambiguity about attribution. CERT-UA created the tracking identifier UAC-0255 for this activity. The agency assessed the cyberattack as "unsuccessful." No more than a few personal devices belonging to employees of educational institutions were identified as infected. CERT-UA said its specialists provided methodological and practical assistance to affected parties, and acknowledged Ukrainian electronic communications providers for their contribution to delivering cyber threat information to subscribers and maintaining national cyber incident response infrastructure. CERT-UA itself has previously documented campaigns by multiple threat groups — including UAC-0002, UAC-0035, and the group tracked here as UAC-0252 — that similarly weaponize government branding. In this case, the attackers targeted the cyber defense agency whose name carries the highest authority in Ukrainian information security communications, turning that trust directly against the institutions that rely on it. CERT-UA noted that the development of artificial intelligence significantly simplifies the execution of cyber threats. The attackers' own use of an AI-generated phishing site is a direct illustration of that warning, the cyber defense agency explained. It recommended that organizations reduce their attack surface by configuring standard operating system protections including Software Restriction Policies and AppLocker, and deploying specialized endpoint protection tools. Full indicators of compromise including file hashes, network indicators, and host-based artifacts are available in the CERT-UA advisory.

Also read: Hackers Exploit RDP Tools to Breach Ukraine’s Notarial Offices, CERT-UA Reports

Since January 2026, CERT-UA has been tracking a series of intrusions attributed to UAC-0252 and built around SHADOWSNIFF and SALATSTEALER infostealers. The campaigns rely on well-crafted phishing lures, payload staging on legitimate infrastructure, and user-driven execution of disguised EXE files.

Detect UAC-0252 Attacks Covered in CERT-UA#20032

According to the Phishing Trends Q2 2025 research by Check Point, phishing remains a core tool for cybercriminals, and the impersonation of widely trusted, high-usage brands continues to rise. Against the backdrop of more coordinated and sophisticated operations aimed at critical infrastructure and government organizations, CISA published its 2025–2026 International Strategic Plan to advance global risk reduction and improve collective resilience.

Sign up for the SOC Prime Platform to proactively defend your organization against UAC-0252 attacks. Just press Explore Detections below and access a relevant detection rule stack, enriched with AI-native CTI, mapped to the MITRE ATT&CK® framework, and compatible with a wide range of SIEM, EDR, and Data Lake technologies.

Explore Detections

Security experts can also use the “CERT-UA#20032” tag based on the relevant CERT-UA alert identifier to search for the detection stack directly and track any content changes. For more rules to detect adversary-related attacks, cyber defenders can search the Threat Detection Marketplace library using the “UAC-0252” tag.

SOC Prime users can also rely on Uncoder AI to create detections from raw threat reports, document and optimize rule code, and generate Attack Flows in a couple of clicks. By leveraging threat intel from the latest CERT-UA alert, teams can easily convert IOCs into performance-optimized queries ready to hunt in the chosen SIEM or EDR environment.

Analyzing UAC-0252 Attacks Using SHADOWSNIFF and SALATSTEALER

Since January 2026, CERT-UA has been tracking repeated phishing campaigns targeting entities in Ukraine. The email messages are crafted to impersonate central government bodies or regional administrations and typically urge recipients to update mobile apps used in widely deployed civilian and military systems.

CERT-UA#20032 alert describes two common delivery paths. In the first one, the email includes an attached archive that contains an EXE file. The attacker relies on the recipient to open the archive and run the executable. In the second one, the email contains a link to a legitimate website that is vulnerable to cross-site scripting (XSS). When the victim visits the page, the injected JavaScript runs in the browser and downloads an executable file onto the computer. In both scenarios, CERT-UA notes that the EXE files and scripts are hosted on the legitimate GitHub service, which helps the activity blend into normal web traffic and makes basic domain blocking less effective in many environments.

During January and February 2026, CERT-UA confirmed that the activity used several malicious tools, including SHADOWSNIFF, SALATSTEALER, and DEAFTICK. 

SHADOWSNIFF was reported as being hosted on GitHub, while SALATSTEALER is commonly described as a Go-based infostealer that targets browser credentials, steals active sessions, and collects crypto-related data, operating under a Malware-as-a-Service (MaaS) model. In the same toolset, CERT-UA also reported DEAFTICK, a primitive backdoor written in Go that likely helps attackers maintain basic access on compromised hosts and support follow-on actions.

During repository analysis, CERT-UA reports discovering a program with characteristics of a ransomware encryptor, internally named «AVANGARD ULTIMATE v6.0». The same GitHub ecosystem also contained an archive with an exploit for WinRAR (CVE-2025-8088), a path traversal issue in Windows WinRAR that can enable arbitrary code execution via crafted archives and has been reported as exploited in the wild. This suggests the operators were not only stealing credentials, but also experimenting with additional tooling that could expand impact.

Based on the investigation details and the tooling overlaps, including experiments with publicly available instruments, CERT-UA links the described activity to individuals discussed in the «PalachPro» Telegram channel, while continuing to track the campaign under UAC-0252.

MITRE ATT&CK Context

Leveraging MITRE ATT&CK offers in-depth insight into the latest UAC-0252 phishing campaigns targeting Ukrainian entities. The table below displays all relevant Sigma rules mapped to the associated ATT&CK tactics, techniques, and sub-techniques.

The post UAC-0252 Attack Detection: SHADOWSNIFF and SALATSTEALER Fuel Phishing Campaigns in Ukraine appeared first on SOC Prime.

Right after Microsoft disclosed an actively exploited Office zero-day (CVE-2026-21509) on January 26, 2026, CERT-UA reported UAC-0001 (APT28) leveraging the vulnerability in the wild. The russia-backed threat actor targeted organizations in Ukraine and the EU with malicious Office documents, and metadata shows one sample was created on January 27 at 07:43 UTC, illustrating the rapid weaponization of CVE-2026-21509.

Detect UAC-0001 aka APT28 Activity Based on the CERT-UA#19542 Alert

APT28 (UAC-0001) has a long record of conducting cyber operations aligned with russian state interests, with a persistent focus on Ukraine and its allied partners. Ukraine frequently serves as an initial testing environment for newly developed tactics, techniques, and procedures that are later scaled to broader international targets. 

The latest UAC-0001 campaign in the limelight follows the same pattern. According to CERT-UA#19542, UAC-0001 targeted Ukrainian state bodies with malicious Office documents exploiting CVE-2026-21509 to deploy the COVENANT framework. The same attack pattern was later observed against EU organizations, demonstrating rapid operational expansion beyond Ukraine.

Sign up for the SOC Prime Platform to proactively defend your organization against UAC-0001 (APT28) attacks exploiting CVE-2026-21509. Just press Explore Detections below and access a relevant detection rule stack, enriched with AI-native CTI, mapped to the MITRE ATT&CK® framework, and compatible with a wide range of SIEM, EDR, and Data Lake technologies.

Explore Detections

Security experts can also use the “CERT-UA#19542” tag based on the relevant CERT-UA alert identifier to search for the detection stack directly and track any content changes.  For more rules to detect attacks related to the UAC-0001 adversary activity, security teams can search the Threat Detection Marketplace library leveraging the “UAC-0001” or “APT28” tags based on the group identifier, as well as the relevant “CVE-2026-21509” tag addressing the Microsoft Office zero-day exploitation.

Additionally, users can refer to a dedicated Active Threats item on the UAC-0001 (APT28) latest attacks to access the AI summary, related detection rules, simulations, and the attack flow in one place.

Security teams can also rely on Uncoder AI to create detections from raw threat reports, document and optimize code, and generate Attack Flows. Additionally, cyber defenders can easily convert IOCs from the latest CERT-UA#19542 alert into performance-optimized queries compatible with your security stack.

Analyzing UAC-0001 (APT28) Attacks Exploiting CVE-2026-21509

In late January 2026, CERT-UA observed a series of targeted cyber attacks attributed to UAC-0001 (APT28) that leveraged an actively exploited Microsoft Office vulnerability tracked as CVE-2026-21509. The malicious activity emerged shortly after Microsoft publicly disclosed the flaw and was initially directed at Ukrainian government entities before expanding to organizations across the European Union.

To establish initial access, attackers distributed specially crafted Microsoft Word documents exploiting CVE-2026-21509. One document, titled “Consultation_Topics_Ukraine(Final).doc,” referenced COREPER, the Committee of Permanent Representatives of the EU, which prepares decisions and coordinates policy among EU member states. Although the file became publicly accessible on January 29, metadata analysis showed it had been created on January 27 (one day after Microsoft’s advisory), indicating rapid weaponization of the vulnerability.

In parallel, CERT-UA received reports of phishing emails impersonating official correspondence from the Ukrainian Hydrometeorological Center. These messages, sent to more than 60 recipients primarily within central executive authorities of Ukraine, contained malicious DOC attachments. When opened in Microsoft Office, the documents established a network connection to an external resource over WebDAV and downloaded a shortcut file containing code designed to retrieve and launch an executable file.

Successful execution of the downloaded payload results in the creation of a malicious DLL file, EhStoreShell.dll, masquerading as the legitimate Enhanced Storage Shell Extension library, and an image file (SplashScreen.png) containing shellcode. The attack also modifies the Windows registry path for CLSID {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}, implementing COM hijacking, and creates a scheduled task named OneDriveHealth.

Scheduled execution of the task causes the explorer.exe process to terminate and restart, which (due to the COM hijacking) ensures the loading of EhStoreShell.dll. The DLL executes shellcode from the image file, ultimately resulting in the launch of the COVENANT framework. Command-and-control communications for COVENANT relied on legitimate cloud storage infrastructure provided by Filen (filen.io).

Toward the end of January 2026, CERT-UA identified additional documents using the same exploit chain and delivery mechanisms in attacks against EU-based organizations. Technical overlaps in document structure, embedded URLs, and supporting infrastructure suggest these incidents were part of a coordinated UAC-0001 (APT28) campaign, demonstrating the rapid scaling of the operation beyond its initial Ukrainian targets.

Given the active exploitation of a Microsoft Office zero-day and the challenges many organizations face in promptly applying patches or mitigations, further abuse of CVE-2026-21509 is expected in the near term. 

To reduce the attack surface, organizations should implement the mitigation measures outlined in Microsoft’s advisory, including recommended Windows registry configurations. In addition, as UAC-0001 (APT28) leverages legitimate Filen cloud infrastructure for COVENANT command-and-control operations, network interactions with Filen-related domains and IP addresses should be restricted or placed under enhanced monitoring.

Additionally, security experts can rely on SOC Prime’s AI-Native Detection Intelligence Platform, which equips SOC teams with cutting-edge technologies and top cybersecurity expertise to stay ahead of APT28 attacks while maintaining operational effectiveness. 

MITRE ATT&CK Context

Leveraging MITRE ATT&CK offers in-depth insight into the latest UAC-0001 (APT28) attacks leveraging CVE-2026-21509 exploit to target Ukrainian and EU entities. The table below displays all relevant Sigma rules mapped to the associated ATT&CK tactics, techniques, and sub-techniques.

The post UAC-0001 (APT28) Attack Detection: russia-Backed Actor Actively Exploits CVE-2026-21509 Targeting Ukraine and the EU appeared first on SOC Prime.

On January 12, 2026, the CERT-UA team disclosed a targeted cyber-espionage campaign against the Ukrainian Armed Forces that abused charity-themed social engineering to deliver the PLUGGYAPE backdoor. The activity, observed between October and December 2025, is attributed with medium confidence to the russia-aligned threat actor known as Void Blizzard (Laundry Bear), tracked by CERT-UA as UAC-0190.

Detect UAC-0190 Attacks Leveraging PLUGGYAPE Malware Against Ukraine

As Ukraine approaches the fifth year of Russia’s full-scale invasion, the volume and intensity of offensive cyber campaigns targeting Ukraine and its allies remain exceptionally high. Security researchers estimate that approximately 40 Russia-aligned APT groups targeted Ukraine in the first half of 2023, with the number and sophistication of intrusions steadily increasing. In this latest case, the Armed Forces of Ukraine were targeted in a malicious campaign attributed to UAC-0190, which relied on the deployment of the PLUGGYAPE backdoor.

Register for SOC Prime Platform to keep abreast of the malicious activity linked to UAC-0190 and PLUGGYAPE. SOC Prime Team has recently released a curated set of detection rules addressing the ongoing group’s campaign against the defense and government sectors covered in the CERT-UA#19092 alert. Click the Explore Detections button to access relevant detections enriched with AI-native CTI, mapped to the MITRE ATT&CK® framework, and compatible with dozens of SIEM, EDR, and Data Lake technologies.

Explore Detections

Security engineers can also use the “CERT-UA#19092” tag based on the relevant CERT-UA alert identifier to search for the detection stack directly and track any content changes.  For more rules to detect attacks related to the UAC-0190 adversary activity, security teams can search the Threat Detection Marketplace library leveraging the “UAC-0190,” “Void Blizzard,” or “Laundry Bear” tags based on the group identifier, as well as relevant “Pluggyape.v2” tag addressing the offensive tools used by threat actors in the latest campaign.

Additionally, users can refer to a relevant Active Threats item to access the AI summary, related detection rules, simulations, and the attack flow in one place.

Security teams can also rely on Uncoder AI to create detections from raw threat reports, document and optimize code, and generate Attack Flows. By leveraging threat intel from the latest CERT-UA alert, teams can auto-convert IOCs into custom queries ready to hunt in the selected SIEM or EDR environment.

Analyzing UAC-0190 Malicious Activity Covered In CERT-UA#19092 Alert

Between October and December 2025, in coordination with the Cyber Incident Response Team of the Armed Forces of Ukraine, CERT-UA investigated a series of targeted cyberattacks against members of the Ukrainian Armed Forces. The activity was conducted under the guise of legitimate charitable organizations and relied on the deployment of the PLUGGYAPE backdoor.

To initiate the infection chain, adversaries contacted victims via popular messaging applications, like Signal and WhatsApp, encouraging them to visit a website impersonating a well-known charitable foundation. They were prompted to download so-called “documents,” which in reality were malicious executable files, most often distributed inside password-protected archives. In some cases, the executable was delivered directly through the messenger and commonly used the misleading extension “.docx.pif”. The PIF file was a PyInstaller-packaged executable, and the embedded payload was written in Python and identified as the PLUGGYAPE backdoor.

Notably, earlier iterations of the campaign, observed in October 2025, leveraged executables with the “.pdf.exe” extension. These files acted as loaders responsible for downloading a Python interpreter and an early version of PLUGGYAPE from public platforms such as Pastebin.

Starting December 2025, CERT-UA identified a significantly enhanced and obfuscated version of the malware, designated PLUGGYAPE.V2. This version introduced support for the MQTT protocol for command-and-control communications and implemented multiple anti-analysis and anti-virtualization checks aimed at evading detection and sandbox execution.

CERT-UA highlights the continued evolution of the cyber threat landscape, noting that initial access increasingly relies on trusted communication channels, including legitimate user accounts, Ukrainian mobile phone numbers, and the use of Ukrainian-language text, voice, and video communications. In many cases, attackers demonstrate detailed knowledge of the targeted individual or organization. As a result, widely used messaging platforms on mobile devices and workstations have become a primary malware delivery vector.

To minimize the risks of exploitation attempts, rely on SOC Prime’s AI-Native Detection Intelligence Platform, which equips SOC teams with cutting-edge technologies and top cybersecurity expertise to stay ahead of emerging threats while maintaining operational effectiveness. 

MITRE ATT&CK Context

Leveraging MITRE ATT&CK offers in-depth insight into the latest UAC-0190 malicious campaign against Ukraine. The table below displays all relevant Sigma rules mapped to the associated ATT&CK tactics, techniques, and sub-techniques.

The post UAC-0190 Attack Detection: Fake Charity Lures Used to Deploy the PLUGGYAPE Backdoor Against the Ukrainian Armed Forces appeared first on SOC Prime.