Scams & Phishing News UAC-0247 Hits Hospitals, Governments With Browser and WhatsApp Data Theft

Brownie2019
A surge of targeted cyberattacks was detected against local governments and municipal healthcare institutions, particularly clinical and ambulance hospitals.
The campaign has been attributed to threat cluster UAC-0247, known for advanced data theft, persistence, and lateral movement methods.
The attack chain begins with well-crafted phishing emails that appear to discuss humanitarian aid proposals. These emails typically contain links leading to malicious web resources.
In some cases, the threat actors create entire fake nonprofit websites using artificial intelligence, while in others, they exploit legitimate but vulnerable sites through cross-site scripting (XSS) to host malicious payloads.
Ukraine’s national Computer Emergency Response Team (CERT-UA) has alerted that between March and April 2026, a surge of targeted cyberattacks.
When victims click the link, an archive is downloaded containing a shortcut (.LNK) file. Opening this file triggers the mshta.exe utility, which processes an HTA script.
This script retrieves and executes remote content, displaying a decoy form to distract the user while silently deploying an executable (.EXE) payload via a scheduled task.
Full Story:
This looks like a classic phishing-to-execution chain, and the most important point is that the infection starts with user interaction on a deceptive link and then a malicious .LNK file.

What the reported chain is saying

  • The victim receives a phishing email themed around humanitarian aid
  • The email includes a link to a malicious or compromised website
  • That site delivers an archive containing a .LNK shortcut file
  • Opening the shortcut launches mshta.exe
  • The HTA script pulls additional remote content
  • A decoy document or form is shown to reduce suspicion
  • A payload is then installed, reportedly with persistence via a scheduled task

Why this matters

This is a well-known and effective attack pattern because it abuses legitimate Windows components rather than relying on an obvious malware dropper first. In practice, that can make detection harder, especially if users are not expecting a shortcut file inside an archive.

Key indicators in this kind of campaign

  • Unexpected email attachments or links related to donations, aid, invoices, or urgent requests
  • Archives containing .LNK files instead of normal documents
  • Use of mshta.exe, especially when launched from user directories, temporary folders, or archives
  • Scheduled tasks created shortly after a suspicious file was opened
  • A visible decoy document appearing while something else runs in the background

Practical defensive steps

  • Block or restrict mshta.exe where it is not required
  • Configure email filtering to flag archives and shortcut files from external senders
  • Show file extensions in Windows so .LNK files are easier to spot
  • Harden Microsoft Office and Windows scripting-related components where possible
  • Monitor scheduled task creation and suspicious child processes
  • Use reputable endpoint protection with behavior monitoring, not signature detection alone
  • Train staff to treat archive files and shortcut files from email as high risk

A caution on attribution and reporting

The broad technique described here is plausible, but I cannot independently verify all attribution details or every claim in that article from the quoted text alone. For high-confidence validation, CERT-UA advisories or other primary incident reporting would be the better reference point.

Bottom line

Even without confirming every attribution detail, the attack flow described is credible and dangerous: phishing link, archive, .LNK execution, mshta.exe, remote payload retrieval, and persistence. For defenders, blocking or tightly controlling shortcut-based execution and mshta.exe use would be a strong first step.
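The indicators above (mshta.exe launched from the desktop shell or from a user-writable path, followed shortly by a scheduled-task creation) can be turned into a simple correlation rule. The script below is an added example written for this thread, not code from CERT-UA or the article; it runs over constructed Sysmon-style process-creation events embedded inline, and the field names, paths and user names are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample telemetry in a Sysmon-like one-JSON-object-per-line shape (not real logs).
SAMPLE_EVENTS = r"""
{"ts": "2026-03-12T09:14:05", "image": "C:\\Windows\\System32\\mshta.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "mshta.exe C:\\Users\\j.doe\\AppData\\Local\\Temp\\aid_proposal\\form.hta", "user": "CORP\\j.doe"}
{"ts": "2026-03-12T09:14:09", "image": "C:\\Windows\\System32\\schtasks.exe", "parent": "C:\\Windows\\System32\\mshta.exe", "cmdline": "schtasks /create /sc minute /mo 15 /tn Updater /tr C:\\Users\\j.doe\\AppData\\Roaming\\svc.exe", "user": "CORP\\j.doe"}
{"ts": "2026-03-12T11:00:00", "image": "C:\\Windows\\System32\\mshta.exe", "parent": "C:\\ProgramData\\Vendor\\admin.exe", "cmdline": "mshta.exe C:\\ProgramData\\Vendor\\ui.hta", "user": "NT AUTHORITY\\SYSTEM"}
"""

# Path fragments that mark user-writable locations (assumed list; extend for your environment).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")

def parse_events(text):
    """Parse one JSON event per non-empty line and return them sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return sorted(events, key=lambda ev: ev["ts"])

def is_suspicious_mshta(ev):
    """mshta.exe spawned by the desktop shell (.LNK double-click) or running an HTA from a user-writable path."""
    if not ev["image"].lower().endswith("\\mshta.exe"):
        return False
    from_shell = ev["parent"].lower().endswith("\\explorer.exe")
    cmd = ev["cmdline"].lower()
    return from_shell or any(marker in cmd for marker in USER_WRITABLE)

def is_task_creation(ev):
    """schtasks.exe invoked with /create."""
    return ev["image"].lower().endswith("\\schtasks.exe") and "/create" in ev["cmdline"].lower()

def correlate(events, window_minutes=10):
    """Pair each suspicious mshta launch with a task creation by the same user inside the window."""
    alerts = []
    for hta in (e for e in events if is_suspicious_mshta(e)):
        deadline = hta["ts"] + timedelta(minutes=window_minutes)
        for task in events:
            if (is_task_creation(task) and task["user"] == hta["user"]
                    and hta["ts"] <= task["ts"] <= deadline):
                alerts.append({"user": hta["user"], "hta_cmd": hta["cmdline"],
                               "task_cmd": task["cmdline"],
                               "seconds_apart": int((task["ts"] - hta["ts"]).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The vendor-signed mshta launch under SYSTEM from a non-user path is deliberately left unflagged, which is the kind of exclusion you will need so the rule does not fire on legitimate HTA-based admin tools.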