Ukrainian municipal authorities and healthcare institutions have come under a coordinated wave of cyberattacks that security officials say was designed to steal sensitive information from web browsers and WhatsApp accounts, widening concern over espionage operations aimed at essential public services during wartime.
The campaign, attributed by Ukraine’s Computer Emergency Response Team to threat cluster UAC-0247, struck local government bodies and municipal medical facilities, including clinical and emergency hospitals, over March and April. Investigators say the operation relied on phishing emails crafted to resemble correspondence about humanitarian aid proposals, a lure intended to exploit the pressure under which local administrations and medical services are operating.
The emails directed recipients to click on links leading either to counterfeit websites or to legitimate sites that had been compromised. Once a victim interacted with the material, attackers attempted to trigger a chain of malicious downloads that installed a set of tools used for persistence, reconnaissance, credential theft and movement across networks. Ukrainian officials and independent cyber reporting have described the malware set as including AGINGFLY, SILENTLOOP, ChromeElevator and ZapiXDesk, with supporting utilities such as RustScan, Ligolo-Ng and Chisel appearing in parts of the campaign.
CERT-UA’s assessment indicates that AGINGFLY served as the main remote access tool. Written in C#, it enabled operators to control an infected machine, execute commands, take screenshots, log keystrokes, download files and run further payloads. SILENTLOOP, a PowerShell-based component, appears to have been used to manage commands and help the attackers maintain contact with their control infrastructure. Security researchers said one notable feature of the operation was the use of Telegram as part of the mechanism for obtaining current command-and-control server information, a tactic that can help attackers shift infrastructure quickly and complicate blocking efforts.
Another key part of the campaign involved harvesting credentials and data from Chromium-based browsers. That is significant because browsers have become repositories for passwords, cookies, session tokens and stored authentication data that can give intruders access to email, internal portals and cloud services. ChromeElevator, according to the reporting around the incident, was used to bypass protections in Chromium-based software and retrieve saved data. ZapiXDesk was used to extract or decrypt local information connected to WhatsApp, adding a communications surveillance layer to the attacks.
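As an added defensive illustration, not part of the article or of CERT-UA's own materials, the following Python triage rule flags two behaviours the reporting above attributes to the campaign: a script host contacting the Telegram API (the command-and-control lookup described for SILENTLOOP) and a non-browser process reading Chromium credential stores (the data theft described for ChromeElevator). The event schema, field names and sample telemetry are constructed for the example.

```python
# Added example (not from the article): a small behavioural triage rule over
# constructed Sysmon-style events. Field names and sample events are
# constructed for illustration, not real incident data.
from dataclasses import dataclass
from typing import List, Optional, Tuple

TELEGRAM_API = "api.telegram.org"                      # Telegram Bot API host
CHROMIUM_SECRET_FILES = ("login data", "local state", "cookies")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}


@dataclass
class Event:
    kind: str    # "net" (outbound connection) or "file" (file read)
    image: str   # process image name, e.g. "powershell.exe"
    target: str  # destination host for "net", file path for "file"


def classify(ev: Event) -> Optional[str]:
    """Return an alert name for a suspicious event, or None if nothing matched."""
    image = ev.image.lower()
    target = ev.target.lower()
    # Script host resolving C2 details through the Telegram API.
    if ev.kind == "net" and image in SCRIPT_HOSTS and (
        target == TELEGRAM_API or target.endswith("." + TELEGRAM_API)
    ):
        return "script-host-telegram-c2-lookup"
    # Process other than the browser itself touching Chromium secret stores
    # under the profile's "User Data" directory.
    if (
        ev.kind == "file"
        and image not in BROWSERS
        and "user data" in target
        and target.endswith(CHROMIUM_SECRET_FILES)
    ):
        return "non-browser-chromium-credential-access"
    return None


def triage(events: List[Event]) -> List[Tuple[str, str]]:
    """Run classify() over a batch and return (image, alert) pairs that fired."""
    hits = []
    for ev in events:
        alert = classify(ev)
        if alert:
            hits.append((ev.image, alert))
    return hits


# Constructed sample telemetry: two benign browser events, two that should fire.
LOGIN_DATA = r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    Event("net", "chrome.exe", "api.telegram.org"),        # browser itself: benign
    Event("net", "powershell.exe", "api.telegram.org"),    # script host: alert
    Event("file", "chrome.exe", LOGIN_DATA),               # browser itself: benign
    Event("file", "rundll32.exe", LOGIN_DATA),             # foreign process: alert
]

if __name__ == "__main__":
    for image, alert in triage(SAMPLE_EVENTS):
        print(f"{alert}: {image}")
```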
That combination points to a campaign with broader goals than simple disruption. By targeting browsers and messaging platforms, the operators could gain access not only to standalone files but also to ongoing communications, service accounts and administrative systems. In hospitals and ambulance services, such access can expose patient-related information, staffing data, operational messaging and procurement details. In local administrations, the same methods can open paths to civic records, internal correspondence and networks connected to regional services.
Investigators have also reported evidence of lateral movement and network tunnelling, suggesting the attackers were interested in expanding beyond the initial compromised device. Tools such as RustScan help map internal systems, while Ligolo-Ng and Chisel can create tunnels that allow operators to move traffic covertly through infected environments. In at least one case, analysts said XMRig, a cryptocurrency mining tool, was detected, raising the possibility that parts of the compromised infrastructure were also used to generate digital currency. Even so, the main thrust of the campaign appears to have been intelligence collection rather than financial extortion.
The incident fits a broader pattern in which Ukraine’s civilian institutions remain frequent cyber targets alongside military, law-enforcement and logistics entities. Hospitals, municipal offices and emergency services are attractive because they often face acute operational pressure, rely on ageing systems and cannot easily suspend activity while investigating a suspected breach. Attackers exploiting humanitarian themes in phishing messages also gain an added advantage: the subject matter is plausible, urgent and difficult for frontline officials to dismiss outright.
CERT-UA has also indicated that representatives of the Defence Forces may have been approached through related tactics. Reporting on the campaign said malicious archives were distributed through Signal under the guise of software updates or tools for drone operators, showing that the same threat cluster or associated operators may be testing different entry points across civilian and defence-linked environments.