UAC-0247 Weaponizes Malicious Lures to Harvest Browser and WhatsApp Data from Critical Sectors
A newly identified campaign by the threat actor UAC-0247 is targeting healthcare facilities and government agencies, utilizing "urgent" document lures to deploy info-stealing malware.
KYIV, UKRAINE — A persistent cyber-espionage campaign attributed to the threat group UAC-0247 has significantly expanded its operations, targeting Ukrainian hospitals, medical clinics, and government bodies. According to reports from CERT-UA and The Hacker News, the group is utilizing a refined infection chain to exfiltrate highly sensitive data, specifically targeting web browser credentials and WhatsApp desktop communication history.
The campaign highlights a dangerous intersection between intelligence gathering and the disruption of critical public services. By targeting healthcare providers during a period of heightened regional tension, UAC-0247 is potentially gaining access to sensitive patient records and official communications.
The Infection Chain: From Phishing to Exfiltration
The campaign typically begins with a phishing email or message containing a link to a password-protected archive. The lures are often disguised as urgent administrative or medical documents.
Once the user executes the file within the archive, a multi-stage process begins:
- Loader Deployment: The initial payload drops a loader that establishes persistence on the victim’s machine.
- Data Harvesting: The malware specifically targets local databases for popular web browsers (Chrome, Edge, Firefox) to steal saved passwords and session cookies.
- WhatsApp Targeting: In a more specialized move, the malware targets the local storage files of the WhatsApp Desktop application, allowing attackers to reconstruct private conversations and contact lists.
- C2 Communication: The stolen data is compressed and sent to an attacker-controlled Command and Control (C2) server, often hosted on legitimate but compromised infrastructure to evade detection.
A Pattern of Institutional Compromise
The targeting of hospitals is particularly alarming. Security researchers at Security Affairs noted that the group appears to be prioritizing organizations with high "Identity Value" — those where a single set of stolen credentials could grant access to broader government or health networks.
"UAC-0247 is not just looking for data; they are looking for the context of institutional decision-making," noted analysts from SOC Defenders. The theft of WhatsApp data suggests a focus on bypassing traditional email monitoring to capture real-time, informal communications.
The CyberSignal Analysis
Signal 01 — The "Personalized" Corporate Perimeter
Attackers are realizing that the most valuable data often lives in "shadow" channels like WhatsApp Desktop. While an organization might have world-class email security, the local files of a desktop messaging app are often left unmonitored. This campaign signals that digital identity now includes our chat history. For B2B organizations, the "Signal" is that endpoint protection must extend beyond the browser to include communication software.
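The infection chain above (loader, browser and WhatsApp Desktop data harvesting, compression before C2 upload) and the Signal 01 point that endpoint monitoring must cover messaging-app files both come down to the same detection opportunity: a process that is not the owning application reading credential or chat stores, followed shortly by that process writing an archive. The script below is an added example written for this article, not code from CERT-UA, the reporting outlets or the malware itself. It reads constructed file-access telemetry in a made-up `ts|pid|image|action|path` format; the Chrome, Edge and Firefox store paths are the browsers' well-known defaults, while the WhatsApp Desktop path pattern, the `updater.exe` process name and the five-minute staging window are assumptions chosen for illustration.

```python
"""Added detection example (not from CERT-UA or the article): flag processes
other than the owning app that read browser credential stores or WhatsApp
Desktop local data, then stage an archive shortly afterwards.
Event format is a constructed 'ts|pid|image|action|path' line; browser paths
are the well-known defaults, the WhatsApp path pattern is an assumption."""
from __future__ import annotations

import re
from dataclasses import dataclass

# (path pattern, processes allowed to open it). Windows paths, case-insensitive.
SENSITIVE_STORES = [
    (re.compile(r"\\Google\\Chrome\\User Data\\.*\\(Login Data|Cookies)$", re.I), {"chrome.exe"}),
    (re.compile(r"\\Microsoft\\Edge\\User Data\\.*\\(Login Data|Cookies)$", re.I), {"msedge.exe"}),
    (re.compile(r"\\Mozilla\\Firefox\\Profiles\\.*\\(logins\.json|key4\.db|cookies\.sqlite)$", re.I),
     {"firefox.exe"}),
    # Assumption: WhatsApp Desktop keeps chat data under a LocalCache/IndexedDB tree.
    (re.compile(r"\\WhatsApp[^\\]*\\.*(LocalStorage|LocalCache|IndexedDB)\\", re.I), {"whatsapp.exe"}),
]
ARCHIVE_EXT = re.compile(r"\.(zip|7z|rar|cab)$", re.I)
STAGING_WINDOW_S = 300  # assumed: archive created within 5 min of a flagged read


@dataclass(frozen=True)
class Event:
    ts: int
    pid: int
    image: str    # executable name, lower-cased
    action: str   # "read" | "create"
    path: str


@dataclass(frozen=True)
class Alert:
    kind: str     # "store_access" | "staging"
    pid: int
    image: str
    path: str


def parse_event(line: str) -> Event:
    ts, pid, image, action, path = line.split("|", 4)
    return Event(int(ts), int(pid), image.lower(), action.lower(), path)


def store_owner(path: str):
    """Return the allowed-owner set if path is a sensitive store, else None."""
    for pattern, owners in SENSITIVE_STORES:
        if pattern.search(path):
            return owners
    return None


def detect(lines) -> list[Alert]:
    """Two-stage rule: non-owner read of a store, then archive creation by the same pid."""
    alerts: list[Alert] = []
    last_store_read: dict[int, int] = {}  # pid -> ts of most recent flagged read
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ev = parse_event(line)
        if ev.action == "read":
            owners = store_owner(ev.path)
            if owners is not None and ev.image not in owners:
                alerts.append(Alert("store_access", ev.pid, ev.image, ev.path))
                last_store_read[ev.pid] = ev.ts
        elif ev.action == "create" and ARCHIVE_EXT.search(ev.path):
            t0 = last_store_read.get(ev.pid)
            if t0 is not None and ev.ts - t0 <= STAGING_WINDOW_S:
                alerts.append(Alert("staging", ev.pid, ev.image, ev.path))
    return alerts


# Constructed telemetry for the demo; process names, user and paths are made up, not IoCs.
SAMPLE_LOG = [
    "# ts|pid|image|action|path",
    r"1700000000|4120|chrome.exe|read|C:\Users\olena\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"1700000010|5588|updater.exe|read|C:\Users\olena\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"1700000012|5588|updater.exe|read|C:\Users\olena\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2.default\logins.json",
    r"1700000015|5588|updater.exe|read|C:\Users\olena\AppData\Local\Packages\WhatsAppDesktop_PLACEHOLDER\LocalCache\Roaming\WhatsApp\IndexedDB\000003.log",
    r"1700000040|5588|updater.exe|create|C:\Users\olena\AppData\Local\Temp\report.zip",
    r"1700000050|7001|whatsapp.exe|read|C:\Users\olena\AppData\Local\Packages\WhatsAppDesktop_PLACEHOLDER\LocalCache\Roaming\WhatsApp\IndexedDB\000003.log",
    r"1700000060|3300|explorer.exe|create|C:\Users\olena\Documents\photos.zip",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.kind}] pid={a.pid} {a.image} -> {a.path}")
```

Run on the sample, the browser and WhatsApp processes reading their own stores produce nothing, the unrelated `explorer.exe` archive produces nothing, and the one process that touches all three store types and then writes a zip raises three `store_access` alerts and one `staging` alert. In a real deployment the owner sets need tuning for legitimate backup and sync agents, and the archive rule is only a corroborating signal; the point of the example is that the same telemetry already used for browser credential theft covers the messaging-app files the article says are usually left unmonitored.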
Signal 02 — Healthcare as a Strategic Intelligence Asset
This isn’t a simple ransomware play; it’s an intelligence operation. In our previous coverage of digital extortion, we noted that data is often held for leverage. However, in the case of UAC-0247, the data is the end goal. Hospitals are being treated as soft targets to reach harder government targets. If you are in healthcare, you are no longer just a "clinic" — you are a gateway to the national infrastructure.
Signal 03 — The "Patching Gap" in Critical Sectors
Much like the NIST NVD overhaul discussed earlier, the volume of threats is outpacing institutional defense. Healthcare and government agencies often suffer from the longest "patching gaps." UAC-0247 exploits this by using well-known, albeit refined, info-stealing techniques that rely on users making a single mistake under pressure.